Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 24, 2024
In the shadowy depths of the cyber underworld, the ExCobalt syndicate cast its net over Russian entities with a cunning Golang-based backdoor dubbed GoRed. Its arsenal brims with lethal tools like Spark RAT and privilege escalation exploits, launched through sophisticated supply chain breaches.
Meanwhile, researchers uncovered a malware campaign, dubbed PHANTOM#SPIKE, targeting unsuspecting Pakistani recipients. Disguised within military-themed phishing lures, the RAT binary lurks in password-protected ZIP archives, springing forth from CHM files.
Not to be outdone, hackers are exploiting a vulnerability in PrestaShop's pkfacebook module, deploying card skimmers to siphon credit card data. Despite patch claims, exploitation persists.
Deets on previously-unknown GoRed backdoor
The cybercrime group ExCobalt targeted Russian organizations in various industries using a new Golang-based backdoor called GoRed. The group, believed to be linked to the notorious Cobalt Gang, has been active since at least 2016. The GoRed backdoor supports various features for data collection and communication with C2 servers. ExCobalt utilized a supply chain attack and a range of tools, including Spark RAT and exploits for privilege escalation, highlighting the group's sophisticated and persistent approach to hacking and cyberespionage.
SneakyChef sneaking into government agencies
A Chinese-speaking cyberespionage group known as SneakyChef targeted the ministries of foreign affairs and embassies of at least nine countries across Africa, the Middle East, Europe, and Asia. The group uses scanned government documents as lures and has been observed deploying the SugarGh0st and SpiceRAT remote access tools in its operations. Its hacking efforts are aggressive and evolving, with a focus on gathering information about geopolitical hotspots.
New PHANTOM#SPIKE campaign unearthed
The Securonix Threat Research team discovered a stealthy backdoor campaign, known as PHANTOM#SPIKE, targeting Pakistani victims through unsolicited messages. The attackers use military-themed phishing documents to deliver a RAT binary payload inside password-protected ZIP archives. The payload is hidden within CHM files, allowing for silent code execution: the CHM file displays legitimate-looking content and executes an embedded binary upon user interaction. The binary payload, written in C#, acts as a backdoor, establishing a connection to a C2 server and enabling remote command execution. The attackers also establish persistence and run general enumeration commands post-exploitation.
Facebook PrestaShop module exploited
Hackers are taking advantage of a vulnerability in the pkfacebook module for PrestaShop to install a card skimmer on e-commerce websites and steal credit card information. The flaw, tracked as CVE-2024-36680, allows SQL injection attacks, and despite claims of a fix, active exploitation is ongoing. Users are advised to upgrade to the latest version of pkfacebook, use pSQL for added security, change the default database prefix, and activate WAF rules. Whether a patch for the vulnerability is actually available remains uncertain.
SolarWinds Serv-U bug abused
Threat actors are actively exploiting a recently patched high-severity directory traversal vulnerability in SolarWinds Serv-U, tracked as CVE-2024-28995, which allows unauthenticated attackers to read sensitive files on the host machine. The flaw was disclosed by SolarWinds and addressed in Serv-U 15.4.2 hotfix 2, but exploitation attempts began shortly after the details and a PoC were published. The attempts have shown varying levels of sophistication, with some attackers persistently refining their exploit methods. The attacks primarily targeted credentials, server logs, and Windows configuration settings.
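The Serv-U item above describes directory traversal requests arriving with varying levels of sophistication. The following detector is an added example and is not code from Cyware, SolarWinds, or any published PoC; it runs over a constructed, generic Apache/NGINX-style access log (the line format and every entry are invented for illustration and do not represent Serv-U's real log format or the actual exploit requests). It percent-decodes each request target repeatedly, so that single- and double-encoded dot segments and encoded backslashes are all normalised before the check, and then flags any request whose path contains a `..` segment. It also records how many decode rounds were needed, which is one cheap way to spot a source that keeps reshaping the same attempt.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a generic combined-log style.
# Neither the format nor the entries come from Serv-U; they exist only
# so the detector below has something realistic to run on offline.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [24/Jun/2024:10:01:05 +0000] "GET /static/app.css HTTP/1.1" 200 2048
203.0.113.9 - - [24/Jun/2024:10:02:11 +0000] "GET /../../Windows/win.ini HTTP/1.1" 400 0
203.0.113.9 - - [24/Jun/2024:10:02:15 +0000] "GET /%2e%2e/%2e%2e/Windows/win.ini HTTP/1.1" 404 0
203.0.113.9 - - [24/Jun/2024:10:02:20 +0000] "GET /%252e%252e/%252e%252e/Windows/win.ini HTTP/1.1" 404 0
203.0.113.9 - - [24/Jun/2024:10:02:25 +0000] "GET /..%5c..%5cProgramData/secret.conf HTTP/1.1" 404 0
10.0.0.5 - - [24/Jun/2024:10:03:00 +0000] "GET /docs/readme..txt HTTP/1.1" 200 100
"""

# Minimal parser for the combined-log shape used in SAMPLE_LOG: source IP,
# HTTP method and request target are all we need for this check.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def fully_decode(target: str, max_rounds: int = 5):
    """Percent-decode until the string stops changing.

    Returns (decoded_target, rounds_needed). A result of 0 means the
    request was sent in the clear; 2 means it was double-encoded, and so on.
    """
    current = target
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    return current, max_rounds


def is_traversal(decoded_target: str) -> bool:
    """True if any path segment is exactly '..' after normalising separators.

    Backslashes are treated as separators because the host described in the
    briefing is Windows. Names that merely contain two dots (readme..txt)
    are not flagged, since only a whole '..' segment climbs a directory.
    """
    path = decoded_target.split("?", 1)[0]      # ignore the query string
    path = path.replace("\\", "/")               # Windows separators -> '/'
    return any(segment == ".." for segment in path.split("/"))


def find_traversal_attempts(log_text: str):
    """Return one finding per request that resolves to a traversal."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue                             # skip lines we cannot parse
        decoded, rounds = fully_decode(match["target"])
        if is_traversal(decoded):
            findings.append({
                "ip": match["ip"],
                "raw": match["target"],
                "decoded": decoded,
                "decode_rounds": rounds,
            })
    return findings


def attempts_by_source(findings):
    """Count flagged requests per source IP to surface persistent probing."""
    counts = {}
    for finding in findings:
        counts[finding["ip"]] = counts.get(finding["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_traversal_attempts(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['ip']}  rounds={hit['decode_rounds']}  {hit['raw']}  ->  {hit['decoded']}")
    print("per-source totals:", attempts_by_source(hits))
```

On the constructed log the detector flags the four requests from `203.0.113.9` (plain, single-encoded, double-encoded and backslash-encoded forms of the same climb) and leaves the two benign requests alone, including the `readme..txt` decoy. The decode-round count is what distinguishes an attacker iterating on encodings from a one-off scan, which matches the "persistently refining" behaviour the briefing describes; in production you would feed the real server's log format into the parser rather than this invented one.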