Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 8, 2024
Remain vigilant when accessing popular video conferencing platforms: security experts have uncovered fake Skype, Google Meet, and Zoom websites distributing the SpyNote, NjRAT, and DCRat malware. Grabbing the headline today is another Go-based info-stealing trojan advertised in underground forums, which can steal sensitive data from browsers, cryptocurrency wallets, messengers, and games.
On the bug side, critical vulnerabilities in VMware impacted various parts of the virtualization platform and related tools. Also, a financially driven threat actor is after freshly discovered flaws in Ivanti, Magento, Qlik Sense, and Apache ActiveMQ to obtain user credentials.
Disclosure of Xplain ransomware attack
In a comprehensive report on the data breach at the IT services provider Xplain, the NCSC revealed that the firm was penetrated by the Play ransomware gang. The breach exposed nearly 1.3 million files and 65,000 documents from the Federal Administration, including classified information and personal data. The report details the extent of the breach, the types of data compromised, and the government's ongoing investigation and response efforts.
Cyberespionage targets Tibetan festival
A cyberattack linked to the China-aligned Evasive Panda APT group targeted Tibetans worldwide, exploiting the Monlam Festival's website in India. Malicious code added to the site served as a watering-hole attack, while trojanized installers for Windows and macOS were distributed through a compromised software developer's supply chain. The operation includes the deployment of various malicious downloaders and backdoors, including the newly discovered Nightdoor for Windows.
New info-stealer evades sandbox
InQuest analysts shed light on Planet Stealer, a new information-stealing trojan surfacing in underground forums. Implemented in Go, this trojan targets sensitive information from victim hosts, including browser data, cryptocurrency wallets, and messenger credentials. Planet Stealer poses a significant threat with capabilities for sandbox evasion and exfiltration via Telegram.
VMware flaws expose systems to RCE
Critical security issues were detected in various parts of the virtualization platform, management interfaces, and related tools for VMware software, leaving systems vulnerable to RCE attacks. The flaws include use-after-free, information disclosure, and out-of-bounds write bugs, and impact ESXi, Workstation Pro / Player, Fusion Pro / Fusion, and Cloud Foundation, posing significant risks to affected systems.
Actors abuse several 1-Day bugs
Magnet Goblin, a financially motivated threat actor known for exploiting 1-day vulnerabilities, targeted flaws in Ivanti Connect Secure VPN, Magento, Qlik Sense, and possibly Apache ActiveMQ, deploying custom malware such as NerbianRAT and WARPWIRE to compromise systems. The group's tactics involve swiftly adapting to newly disclosed vulnerabilities to deploy custom backdoors and credential stealers for financial gain.
Cisco patches Secure Client bugs
Cisco released fixes for two high-severity vulnerabilities affecting its Secure Client software. Tracked as CVE-2024-20337 and CVE-2024-20338, these flaws could allow threat actors to hijack VPN sessions and elevate privileges on affected devices, respectively. They affect various versions of Secure Client for Windows, Linux, and macOS.