Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 5, 2024
New malware families captured the attention of security researchers in the last 24 hours. One of them is a backdoor named ToddleShark that exploits ScreenConnect flaws to steal information from targeted systems. The new malware is a creation of the North Korea-based Kimsuky group. Another new malware in the line is a banking trojan named CHAVECLOAK. It uses smishing, phishing emails, and compromised websites to steal banking information from Brazilian users. A Golang variant of GhostLocker ransomware, named GhostLocker 2.0, also grabbed the headlines for being used in double extortion attacks launched by the GhostSec and Stormous threat actors.
In other updates, security patches for flaws impacting TeamCity servers and a Hikvision security tool are out. Customers are advised to apply the recommended patches to stay safe.
Employees' NTLM hashes stolen
Hundreds of organizations worldwide were targeted with emails aimed at stealing their employees' Windows NTLM authentication hashes. The attacks, attributed to the TA577 threat actor, leveraged the email thread hijacking technique. The stolen NTLM hashes were then used to hijack accounts.
Semiconductor companies breached
The South Korean National Intelligence Service revealed that North Korean attackers used living-off-the-land techniques to breach at least two South Korean microchip manufacturers. The attackers breached servers used for managing business documents, thereby stealing product design drawings and facility site photos. One of these incidents occurred in December 2023 and the other in February 2024.
Russian Ministry of Defense hacked
The Main Intelligence Directorate of Ukraine's Ministry of Defense claimed to have stolen sensitive documents by hacking into the servers of the Russian Ministry of Defense (Minoborony). The documents include reports and directives circulated among over 2,000 structural units, details of the software used by the Ministry to encrypt data, and information belonging to the Deputy Minister of Defense.
Update on Iowa’s Utility Attack
Muscatine Power and Water, a utility company in Iowa, disclosed that the information of nearly 37,000 people was affected in a January ransomware attack. The hackers had gained unauthorized access to Social Security numbers (SSNs) and customer proprietary network information (CPNI) of individuals after infiltrating its corporate network environment.
Top Malware Reported in the Last 24 Hours
CHAVECLOAK trojan spotted
Researchers warned about a new banking trojan, named CHAVECLOAK, that uses smishing, phishing emails, and compromised websites to infect Brazilian banking users. The malware targets Windows devices and accesses online banking platforms to steal banking credentials and financial information. In one such campaign, the attackers used phishing emails disguised as legitimate bank communications to trick users into downloading the malware.
New ToddleShark malware found
The North Korean APT group Kimsuky was found exploiting ConnectWise ScreenConnect flaws (CVE-2024-1708 and CVE-2024-1709) to deploy the new ToddleShark malware on targeted systems. The malware, believed to be a variant of the BabyShark and ReconShark backdoors, is capable of gathering a wide range of system information such as hostname, user accounts, network configurations, installed security software, and current network connections.
GhostLocker 2.0 discovered
Ransomware cybercrime gangs GhostSec and Stormous have teamed up to launch widespread double extortion attacks using a new Golang version of the GhostLocker ransomware. Named GhostLocker 2.0, the ransomware encrypts files on a victim's machine, appending the .ghost file extension, before dropping and opening a ransom note. Technology companies, universities, and manufacturing, transportation, and government organizations across Lebanon, Israel, South Africa, Turkey, Egypt, India, Vietnam, and Thailand are on the target list for these attacks.
Morris II AI worm
Researchers developed a computer worm, named Morris II, that uses adversarial self-replicating prompts to trick Generative AI applications into potentially spreading malware and stealing personal data. The prompts can be used for stealing information, spreading spam, poisoning models, and more.
Flaws in the TeamCity server fixed
JetBrains released patches for two authentication bypass vulnerabilities impacting its TeamCity CI/CD server. Tracked as CVE-2024-27198 and CVE-2024-27199, the flaws impacted the web component of TeamCity. If exploited, the flaws could enable attackers to bypass authentication checks and gain administrative control over a server.
Flaws in Ethercat plugin addressed
Ethercat, a plugin used by the Zeek network security monitoring tool, was found to be impacted by several vulnerabilities that threat actors could leverage in attacks aimed at ICS environments. These vulnerabilities, tracked as CVE-2023-7244, CVE-2023-7243, and CVE-2023-7242, could be exploited by sending specially crafted packets over a network monitored by Zeek. Security patches have been issued to address the vulnerabilities.
Hikvision issues security patches
Chinese video surveillance equipment manufacturer Hikvision issued security patches for two flaws impacting its HikCentral Professional security management system. One of these is CVE-2024-25063, a high-severity flaw that could lead to unauthorized access to certain URLs. The second flaw, CVE-2024-25064, has a medium severity rating and requires authentication to be exploited. Customers are advised to apply the available patches as soon as possible to stay safe.