
Cyware Daily Threat Intelligence


Daily Threat Briefing Mar 7, 2024

A stealthy attack campaign aimed at Windows and Android devices recently came to the attention of researchers, despite having been active since December 2023. The campaign uses popular online meeting platforms as a lure to spread SpyNote on Android systems and NjRAT and DCRat on Windows systems. In another significant development, researchers have developed web-based PLC malware that can launch Stuxnet-like attacks against critical infrastructure industries without requiring physical access to OT and ICS environments.

In other updates, CISA updated its KEV catalog, informing federal agencies about the active exploitation of flaws impacting Pixel phones and Sunhillo software. Similarly, Apple issued an advisory urging iPhone and iPad users to apply security patches owing to the active exploitation of two zero-day flaws.

Top Breaches Reported in the Last 24 Hours

Fidelity’s update on stolen data

Fidelity Investments Life Insurance disclosed that attackers acquired information about 28,268 customers in a ransomware attack on Infosys’ US subsidiary, Infosys McCamish Systems. The information includes names, SSNs, states of residence, bank account numbers, routing numbers, dates of birth, and credit card numbers. While the LockBit group had previously claimed responsibility for the attack, it remains unclear how the attackers gained access to the network and how much data was stolen.

Mr. Green Gaming suffers a data breach

A data breach at Mr. Green Gaming exposed the personal information, including dates of birth, email addresses, geographic locations, addresses, and usernames, of around 27,000 users. The incident came to light after the information was circulated on the dark web. The breach was attributed to unauthorized access through an inactive administrator account.

FINTRAC affected in a cyberattack

Canada’s financial intelligence agency FINTRAC was forced to take its corporate systems offline following a cyber incident that occurred over the weekend. While the nature of the incident was not disclosed, the agency stated that its intelligence and classified systems were unaffected.

Vietnamese financial entity targeted

An attack campaign aimed at a Vietnamese financial entity was attributed to a new threat group named Lotus Bane. The exact details of the infection chain remain unknown as yet; however, the attackers were found to use techniques such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement.

Top Malware Reported in the Last 24 Hours

RATs distributed in the wild

Zscaler researchers shared details of a new campaign that leveraged online meeting platforms, such as Skype, Google Meet, and Zoom, to spread RATs. While SpyNote is distributed on Android platforms, NjRAT and DCRat are deployed on Windows systems. The ultimate goal of the attack was to steal confidential information, keystrokes, and files from targeted devices.

New WogRAT malware spotted

A new malware dubbed WogRAT was found using the online notepad platform aNotepad as a covert channel to target Windows and Linux systems. The Linux version of the malware, delivered as an ELF binary, shares similarities with the Windows variant. However, it distinguishes itself by using Tiny Shell for routing operations and by adding an extra layer of encryption to its communication with the C2 server. The malware has been targeting users in Japan, Singapore, China, Hong Kong, and other Asian countries.

Four new Golang malware families discovered

Cado Security Labs identified four new Golang malware families that targeted misconfigured servers and exploited an n-day vulnerability (CVE-2022-26134) in Confluence to achieve RCE and infect new hosts. Once initial access was achieved, a series of shell scripts and Linux attack techniques were used to deliver a cryptocurrency miner.

New web-based PLC malware developed

A team of researchers developed Stuxnet-like malware that could enable attackers to launch catastrophic attacks against OT and ICS in critical infrastructure sectors. Based on the IronSpider web-based malware, it can be used to manipulate output signals to actuators, falsify sensor readings, disable safety systems, and execute other actions that could trigger devastating outcomes, up to and including loss of life.

Top Vulnerabilities Reported in the Last 24 Hours

Apple releases emergency updates

Apple released emergency security updates for two zero-day vulnerabilities (CVE-2024-23225 and CVE-2024-23296) exploited in attacks against iPhones. The former is a kernel memory corruption flaw, while the latter is an RTKit memory corruption flaw. Attackers with arbitrary kernel read and write capability could exploit the flaws to bypass kernel memory protections. Apple addressed the vulnerabilities with the release of iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

VMware addresses four flaws

VMware issued patches to address four security vulnerabilities impacting ESXi, Workstation, and Fusion. Two of these vulnerabilities (CVE-2024-22252 and CVE-2024-22253) carry a high severity score and are described as use-after-free bugs. Attackers with local administrative privileges on a virtual machine can exploit them to execute arbitrary code on the targeted host. The other two addressed vulnerabilities are an out-of-bounds write issue (CVE-2024-22254) in ESXi and an information disclosure bug (CVE-2024-22255) in the UHCI USB controller.

CISA updates its KEV catalog

CISA added flaws impacting Pixel phones (CVE-2023-21237) and Sunhillo software (CVE-2021-36380) to its KEV catalog, indicating that these flaws are being exploited in the wild. CVE-2023-21237 affects the Framework component and can be abused to obtain sensitive information from Pixel Android phones, while the flaw affecting Sunhillo software can allow attackers to take complete control of targeted systems.

Top Scams Reported in the Last 24 Hours

Credential phishing campaigns observed

Proofpoint observed an increase in credential phishing and fraud campaigns from mid-2023 through 2024. Attributed to the TA4903 threat actor, these campaigns spoofed U.S. government agencies, used bid proposal lures, and leveraged QR codes to trick recipients into handing over their banking details. As part of BEC attacks, the actor also spoofed various SMBs across industries, including construction, manufacturing, energy, finance, and food and beverage, to ensnare more victims.
