Cyware Daily Threat Intelligence


Daily Threat Briefing June 27, 2023

Hundreds of banking institutions from the U.S., the U.K., and the DACH region are being targeted in an ongoing malvertising campaign that uses a new Android banking trojan dubbed Anatsa. It can harvest sensitive financial information, including account credentials, credit card details, and payment information. Meanwhile, Google Chrome has been found to contain multiple vulnerabilities, with the most critical one posing a risk of arbitrary code execution. Thankfully, there is no mention of these vulnerabilities being exploited in the wild.

Moving on, researchers have found a technique for evading Endpoint Detection and Response (EDR) and other security products. Using it, an attacker can execute malicious code on compromised systems without being detected.

Top Breaches Reported in the Last 24 Hours

Five new victims of MOVEit

The Clop ransomware group has listed five new victims on its dark web leak site as a result of the MOVEit attacks. These are Schneider Electric, Siemens Energy, Werum (Körber Pharma), UCLA, and AbbVie. The group exploited a serious SQL injection vulnerability discovered in MOVEit Transfer, a product used by thousands of enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

Texas city suffers major breach

The website of the City of Fort Worth, Texas, was targeted by a cybercriminal group known as SiegedSec. The attackers reportedly stole several gigabytes of data and posted it online. A quick review of the leaked files revealed that traffic data, email exchanges between city employees and contractors, and files containing the names, work phone numbers, and email addresses of Fort Worth employees have been impacted.

Top Malware Reported in the Last 24 Hours

New Android banking trojan

Security researchers have uncovered a new mobile malware campaign targeting online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland. The campaign, active since March 2023, uses the Anatsa Android banking trojan embedded within apps posing as PDF scanners, QR code scanners, and fitness tracking apps, among others. The malware has already amassed over 30,000 installations and targets approximately 600 financial apps globally.

Top Vulnerabilities Reported in the Last 24 Hours

Multiple bugs addressed for Chrome 114

Google has released critical updates for Chrome 114 that address a total of four vulnerabilities, three of them classified as high-severity bugs. The most severe is a type confusion issue, identified as CVE-2023-3420, in Chrome's V8 JavaScript engine. Another is CVE-2023-3421, a use-after-free vulnerability in Media. The third, tracked as CVE-2023-3422, is also a use-after-free flaw, this one in Guest View. An attacker could potentially exploit these bugs to achieve arbitrary code execution.

New technique bypasses critical security checks

Cybersecurity firm Security Joes discovered a process injection technique called Mockingjay that could allow threat actors to evade detection by EDR and other security products. The method leverages legitimate DLLs that already contain RWX (read, write, execute) sections. What makes the approach unusual is that it avoids the Windows API calls, special permission changes, memory allocation, and thread creation that injection normally requires, thereby sidestepping the hooks and heuristics most detection tools rely on.
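Because the technique depends on DLLs that ship with a section flagged readable, writable and executable, one defensive response is to inventory which binaries on a host carry such sections so they can be baselined and monitored. The following added example (not code from Security Joes or from the original briefing) parses PE section headers directly and flags RWX sections; the in-memory sample PE it checks is a constructed, header-only image, not a real DLL.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def pe_sections(data: bytes):
    """Yield (name, characteristics) for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                      # COFF file header (20 bytes)
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    first = coff + 20 + size_opt                             # section table follows optional header
    for i in range(num_sections):
        off = first + i * 40                                 # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        yield name, characteristics


def rwx_sections(data: bytes):
    """Return the names of sections that are readable, writable AND executable."""
    return [name for name, chars in pe_sections(data) if chars & RWX == RWX]


def build_sample_pe(sections):
    """Build a constructed, header-only PE32+ image for testing (not a loadable DLL)."""
    opt_size = 240                                           # PE32+ optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew at 0x3C -> headers at 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # magic 0x20B = PE32+
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed sample: a normal code section, a normal data section, and one RWX section.
SAMPLE = build_sample_pe([
    (b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE | 0x20),
    (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40),
    (b".rwx", RWX | 0x40),
])

if __name__ == "__main__":
    print(rwx_sections(SAMPLE))  # prints ['.rwx']
```

To audit a real host, read each DLL with `open(path, "rb").read()` and pass the bytes to `rwx_sections`; any non-empty result is worth baselining against known-good builds.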
