Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 7, 2024
Researchers discovered a targeted cyber campaign whose tactics reportedly align with TeamTNT and WatchDog cybercriminal groups. These attackers are exploiting vulnerabilities in Apache Hadoop, Atlassian Confluence, Docker, and Redis servers to deploy a cryptocurrency miner and Linux reverse shells. Furthermore, operators behind the new Fakext malware campaign launched attacks targeting Latin American banks, with over 35,000 infections seen since November 2023.
Has the BlackCat group planned an exit scam? Well, that’s what the rumors say. Meanwhile, it has halted its operations amidst accusations of selling its source code. In another headline, Facebook Messenger users face a new threat in the form of Python Infostealer that aims to harvest and transmit user credentials.
Belgian brewery hit by ransomware attack
Belgian brewery Duvel Moortgat was targeted in a ransomware attack that prompted an immediate halt to production. While the company is well-stocked to handle the disruption, there is uncertainty about when production will resume. Despite the setback, reports suggest that beer pumps are still operational, allowing staff to enjoy beverages during the downtime.
Canada's municipal services disrupted
Hamilton, Canada, continues to grapple with the aftermath of a ransomware attack that has severely impacted government functions. While foundational services are operational, online payment systems are affected, leading to reliance on manual methods. The timeline for recovery remains uncertain, but residents were urged to remain patient.
South St. Paul Public Schools investigates breach
South St. Paul Public Schools informed families of ongoing technical difficulties disrupting online platforms and digital services due to unauthorized activity in the computer network. The district has engaged a cybersecurity firm to investigate and restore systems while ensuring a productive learning environment.
Student and parent data compromised
School District 67 (Okanagan-Skaha) in Penticton and Summerland notified parents of a cyberattack that compromised personal information, including student files, report cards, and possibly health data. The district shut down online services, contacted the police, and initiated an investigation. Concerned individuals are advised to contact the district and take precautionary measures such as changing passwords and monitoring online activity.
Fakext: A browser security threat
The malicious Edge extension Fakext has been threatening browser security by targeting users, primarily in Latin America. With over 35,000 compromised instances, it injects scripts, intercepts data, and presents convincing overlays on banking pages. Users are ultimately prompted to download RATs, providing fraudsters with login credentials.
Python Infostealer targets Messenger users
A new threat, dubbed Python Infostealer, was observed targeting Facebook Messenger users and pilfering their credentials. This malware operates stealthily by leveraging legitimate platforms like GitHub and GitLab for its C2 infrastructure. The infection begins with innocuous Messenger messages containing archived files, initiating a two-stage infection process. The stealer comes in three variants, aiming to harvest and exfiltrate user credentials to platforms like Discord, GitHub, and Telegram.
Linux malware targeting vulnerable instances
Researchers have identified a campaign, dubbed Spinning YARN, targeting vulnerable instances of Apache Hadoop, Atlassian Confluence, Docker, and Redis in cloud servers. The attackers deploy a cryptomining tool along with a Linux-based reverse shell for potential future targeting. The campaign involves automated discovery and compromise methods, including deploying multiple unique payloads and rootkits. Initial access is achieved through exploiting vulnerabilities in web-facing services.
BlackCat ransomware group shuts down
The BlackCat ransomware group has announced the shutdown of its operations and the sale of its source code, following allegations of an exit scam. The gang's decision comes after a dispute over a $22 million ransom payment from Change Healthcare, which the gang allegedly failed to share with its affiliates. Cybersecurity experts warn of potential data leaks and emphasize the importance of not giving in to extortion attempts. However, doubts linger over whether BlackCat is truly retiring from ransomware activities.
Critical TeamCity On-Premises flaw needs an update
Hackers are actively exploiting a critical authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, with hundreds of instances compromised. The vulnerability, rated 9.8 out of 10 in severity, allows attackers to take control of vulnerable servers remotely. A little over 1,700 TeamCity servers are yet to receive the fix, most located in Germany, the U.S., and Russia.
Cisco Small Business Wireless APs vulnerable
Cisco disclosed critical vulnerabilities, CVE-2024-20335 and CVE-2024-20336, in the web-based management interface of its Small Business 100, 300, and 500 Series Wireless Access Points. These flaws could permit authenticated remote attackers to perform command injection and buffer overflow attacks, potentially leading to full compromise of the devices. Since no patches will be provided, users are urged to replace affected devices and transition to newer models.