Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 4, 2024
Amid the U.S. court ordering the maker of Pegasus spyware to hand over its code to WhatsApp, security experts uncovered new infrastructure allegedly used by the operators of another similar spyware called Predator; it spans at least 11 countries. Meanwhile, a study revealed that RA World ransomware actors leveraged compromised domain controllers to launch a multi-stage attack in Latin America. In other headlines, the SocGholish malware masqueraded as fake browser updates to infiltrate WordPress websites via compromised admin accounts.
Additionally, Consumer Reports found critical vulnerabilities in Eken Group Ltd.'s doorbell cameras, sold under various brand names. These flaws could enable unauthorized access to video footage and device control. Major retailers, including Amazon and Walmart, have sold these vulnerable products.
Largest Taiwanese telecom suffers breach
Chunghwa Telecom in Taiwan experienced a data breach, allegedly orchestrated by cybercriminals backed by the Chinese government. The breach resulted in the theft of 1.7TB of government-related information, which was subsequently offered for sale on the dark web. While the Defense Ministry confirmed the breach, it assured that no confidential information was compromised.
American Express reports third-party incident
American Express informed customers about a data breach involving a third-party service provider used by its travel services division. While the breach did not compromise American Express's systems, it resulted in unauthorized access to customers' credit card account numbers, names, and expiration dates. The exact scope of the breach, including the number of affected customers and the timing, remains unclear.
Unveiling RA World Ransomware’s new tactic
Trend Micro uncovered a sophisticated multi-stage attack orchestrated by the RA World ransomware group, targeting healthcare organizations across Latin America. The attack chain involves initial access through compromised domain controllers, lateral movement facilitated by modified Group Policy settings, and deployment of ransomware payloads with anti-AV measures. Leveraging the leaked Babuk ransomware source code, RA World employs extortion tactics to pressure victims into paying the ransom.
SocGholish targets WordPress sites
The Sucuri team detected a surge in SocGholish (fake browser update) attacks on WordPress websites, with compromised admin accounts as the primary point of entry. The malware, injected into legitimate plugins, employs various domain shadowing techniques to serve malicious payloads. Modified plugins, such as woo-title-limit, flex-init-custom-script, and myplugin-custom-script-js, facilitate the injection process, leading to the deployment of SocGholish scripts.
Spyware operations spread across 11 nations
Insikt Group uncovered new infrastructure used by the operators of the Predator spyware in 11 countries. By analyzing the domains facilitating the spyware's delivery, potential Predator customers were identified in countries including Saudi Arabia, Egypt, and Kazakhstan. Predator grants access to sensitive data and leaves minimal traces. The sophisticated spyware is distributed through spoofed websites and an anonymization network, making attribution challenging.
Vulnerable doorbell cameras pose threats
Consumer Reports uncovered critical vulnerabilities in doorbell cameras manufactured by Eken Group Ltd, sold under various brand names including EKEN and Tuck. Threat actors could exploit these flaws to remotely access footage or take control of the devices. The mobile app used to manage these cameras, Aiwit, is linked to at least 10 other similar products. Thousands of these insecure doorbell cameras are sold monthly on major e-commerce platforms.
Phishing attack uses fake login page
The FCC acknowledged falling victim to a phishing operation involving a fake login page resembling Okta's authentication portal. Cloud security firm Lookout uncovered the scheme targeting cryptocurrency exchange employees, including those from Binance and Coinbase. The phishing kit used, dubbed CryptoChameleon, successfully obtained sensitive data, including usernames, passwords, and photo IDs, impacting "hundreds of victims."