
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 20, 2024

In the shadows of cyberspace, a devious malware loader is slinking through phishing campaigns to target Chinese organizations. Named SquidLoader, this threat can thwart both static and dynamic analysis, delivering secondary shellcode payloads with precision.

Simultaneously, the cyber-espionage group UNC3886, linked to China, has been exploiting zero-day vulnerabilities in Fortinet, Ivanti, and VMware devices, infiltrating targets across North America, Southeast Asia, and Oceania. Its sophisticated persistence mechanisms, including rootkits and backdoors, ensure prolonged access and surveillance.

Adding to the digital intrigue, ANSSI has sounded the alarm on Midnight Blizzard, a Russian state-sponsored hacker group, targeting the French Ministry of Foreign Affairs. Using compromised emails from governmental bodies, they attempted network infiltration via phishing campaigns.

Top Malware Reported in the Last 24 Hours

New SquidLoader malware emerges

AT&T LevelBlue Labs discovered a new evasive malware loader, named SquidLoader, that spreads via phishing campaigns targeting Chinese organizations. It uses a range of techniques to hinder both static and dynamic analysis while fetching second-stage shellcode payloads: encrypted code segments, unused junk code, control flow graph obfuscation, debugger detection, and direct syscalls in place of the documented Windows NT API functions.

Multiple attack chains deploy Fickle Stealer

Fortinet spotted a new Rust-based malware called Fickle Stealer, targeting Microsoft Windows users. The attack chain consists of three stages: delivery, preparatory work, and the packer and stealer payload. Delivery is done through one of four vectors: a VBA dropper, a VBA downloader, a link downloader, or an executable downloader. The preparatory work involves scripts that bypass User Account Control, create new tasks, and send messages to a Telegram bot. The packer disguises Fickle Stealer as a legitimate executable to evade static analysis. The stealer payload employs anti-analysis techniques and communicates with the attacker's server to exfiltrate stolen information.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 126 update released

Google released a Chrome 126 update to address six vulnerabilities, including a high-severity type confusion issue in the V8 JavaScript engine (CVE-2024-6100) that was reported by a researcher at the TyphoonPWN 2024 hacking competition. Google also addressed three other high-severity flaws: an inappropriate implementation issue in WebAssembly (CVE-2024-6101), an out-of-bounds memory access in Dawn (CVE-2024-6102), and a use-after-free in Dawn (CVE-2024-6103). The company has not shared technical details on the vulnerabilities, but said it is not aware of any in-the-wild exploitation.

Can anyone spoof Microsoft employee emails?

A security researcher has discovered a bug that allows anyone to impersonate Microsoft corporate email accounts. This bug has not been patched yet, and Microsoft dismissed the initial report, claiming they couldn't reproduce the issue. The bug only works when sending emails to Outlook accounts, which include a pool of at least 400 million users worldwide. The extent of any malicious exploitation of the bug is unknown.

UNC3886 abuses 0-days in long-term espionage

The China-linked cyber-espionage group UNC3886 has been using zero-day exploits to target Fortinet, Ivanti, and VMware devices, with a focus on entities in North America, Southeast Asia, and Oceania. The group has developed sophisticated persistence mechanisms and evasion tactics, including the use of rootkits and backdoors to maintain access and spy on victims for extended periods. The attackers have also leveraged trusted services like GitHub and Google Drive for C2 communications.

CISA published ICS advisory

CISA issued an advisory regarding a high-severity path traversal vulnerability, CVE-2019-6268, in the RAD Data Communications SecFlow-2 industrial switch. The flaw allows unauthorized access to sensitive files, posing a risk to ICS and other OT environments. SecFlow-2 has reached end-of-life, and the vendor recommends that customers migrate to a newer product. Because the affected product is deployed worldwide in the communications sector, CISA provided general mitigation recommendations to reduce the risk of exploitation.
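Neither the advisory summary above nor the vendor's code is on this page, so the following is an added illustration of the general path traversal weakness class (CWE-22) that CVE-2019-6268 belongs to, not the switch's actual code path. It uses a constructed in-memory file table standing in for a device web root, and shows a naive path join beside one that decodes the request and enforces that the resolved path stays under the root.

```python
import posixpath
import urllib.parse

# Constructed stand-in for a device filesystem: a web root plus one
# sensitive file outside it. Nothing here is real device content.
WEB_ROOT = "/var/www"
FILES = {
    "/var/www/index.html": "<html>ok</html>",
    "/var/www/css/main.css": "body{}",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}


def read_file(path):
    """Look up a resolved absolute path in the constructed file table."""
    return FILES.get(path)


def resolve(requested):
    """Decode percent-encoding once, then normalise against the web root.

    normpath collapses '..' segments, so '../../etc/passwd' resolves to
    '/etc/passwd'; whether that is a problem depends on what the caller
    does with the result.
    """
    decoded = urllib.parse.unquote(requested)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def serve_vulnerable(requested):
    """Weak form: trusts the normalised path and reads whatever it names."""
    return read_file(resolve(requested))


def serve_hardened(requested):
    """Hardened form: refuses any resolved path that escapes WEB_ROOT.

    The check compares against WEB_ROOT + '/' so that a sibling directory
    such as '/var/www2' does not pass a bare prefix test.
    """
    candidate = resolve(requested)
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    return read_file(candidate)


if __name__ == "__main__":
    for req in ("css/main.css", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", serve_vulnerable(req), "|", serve_hardened(req))
```

Running the block shows the naive handler returning the contents of `/etc/passwd` for both the plain and the percent-encoded traversal, while the hardened handler returns nothing for either and still serves files under the root.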

Top Scams Reported in the Last 24 Hours

New Midnight Blizzard phishing campaign

ANSSI warned that the Russian state-sponsored hacking group Midnight Blizzard (aka Cozy Bear and APT29) targeted the French Ministry of Foreign Affairs using compromised email accounts of staffers at the Ministry of Culture and the National Agency for Territorial Cohesion (ANCT). The group attempted to infiltrate the ministry's networks through phishing campaigns sent from those accounts, but ANSSI concluded that the attackers were unable to move laterally into government systems. The activity aligns with Russian intelligence-gathering operations, with phishing campaigns also targeting French embassies in Ukraine and Romania.
