Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 14, 2024
Cisco issued patches for high-severity vulnerabilities in its IOS XR software that allow privilege escalation and DoS, while Kubernetes fixed a high-severity flaw allowing RCE with elevated privileges on Windows nodes. The recently disclosed Windows SmartScreen bypass is now being exploited by DarkGate malware operators. The flaw lets specially crafted downloaded files sidestep SmartScreen warnings, so a victim who opens the file gets no prompt before the malicious payload runs.
A new tactic of hiding malware has also emerged with adversaries leveraging SVG files to evade detection and deliver harmful payloads. An ongoing campaign was discovered dropping Agent Tesla keylogger and XWorm RAT onto affected systems. In another update, the PixPirate banking trojan made a comeback with a novel hiding technique, posing a challenge to Android security measures.
Massive breach hits 43 million job-seekers
France Travail, formerly known as Pôle Emploi, has disclosed a significant data breach affecting approximately 43 million individuals. Hackers breached the French unemployment agency's systems, stealing personal details of job seekers registered over the past 20 years, including full names, dates of birth, Social Security numbers, and contact information. While bank details and passwords remain unaffected, the breach increases the risk of identity theft and phishing attacks. The agency had suffered another breach last August.
Two-year delay in breach disclosure
A security hole in Ireland's national COVID-19 vaccination portal had exposed the vaccination records of around one million residents. The flaw—in a Salesforce-based system—allowed any registered user to access the health information of others, including vaccination details and internal HSE documents. Despite fixing the issue promptly, the Irish government delayed public disclosure by two years, citing no unauthorized access to the data.
Nissan Oceania exposes data of 100K individuals
Nissan Oceania is sending breach notifications to around 100,000 people in Australia and New Zealand. The breach, which occurred in December 2023, resulted in the theft of government identification documents, including Medicare cards, driving licenses, passports, and tax file numbers, of around 10% of victims. The Akira group claimed to have the stolen data available on its website.
Malware served concealed in SVG files
Cofense Intelligence researchers observed a recent campaign using Scalable Vector Graphics (SVG) files to distribute the Agent Tesla keylogger and XWorm RAT. Unlike raster image formats, SVG is XML-based and can carry embedded scripts and hyperlinks, so a file that mail gateways and users treat as a harmless picture can in fact stage or link to a malicious download. Security teams have been advised to warn users about opening unexpected SVG attachments and to inspect or block SVG files that contain active content rather than plain vector geometry.
DarkGate malware exploits SmartScreen bug
The DarkGate malware operation launched a new wave of attacks exploiting a recently patched Windows Defender SmartScreen bypass (CVE-2024-21412), the same flaw the Water Hydra group used earlier this year to deliver DarkMe malware to forex traders. Trend Micro analysts report that DarkGate operators are using the bug to make their distribution chain more reliable: phishing emails carry PDF attachments whose links pass through Google DoubleClick open redirects to internet shortcut (.url) files, and a shortcut that references a second shortcut on a remote share triggers the SmartScreen bypass, ultimately leading to the execution of the DarkGate payload.
PixPirate returns with new tricks
The latest PixPirate banking trojan for Android employs a new evasion method and remains active even after the app that installed it is removed. The malware is split into two apps, a downloader and a droppee. The droppee, which steals information and makes fraudulent transactions on Brazil's Pix instant-payment platform, declares no launcher activity, so it shows no icon and does not appear in the app list; this works even on recent Android versions, which prevent an app from hiding its icon after installation. Because it cannot be launched from the home screen, the downloader starts it by binding to one of its services.
Cisco addresses high-severity bugs
Cisco released patches for multiple high-severity flaws in its IOS XR software. CVE-2024-20320 affects the SSH client feature and could allow an authenticated local attacker to escalate privileges to root. CVE-2024-20318 affects line cards with certain Layer 2 Ethernet services enabled and could be triggered by an adjacent attacker to reset the line card, causing a DoS condition. CVE-2024-20327 affects PPPoE termination on ASR 9000 series routers and can likewise be used by an adjacent attacker to cause a DoS. Cisco also addressed medium-severity vulnerabilities in IOS XR software.
Kubernetes patches flaws allowing RCE
A high-severity vulnerability in Kubernetes (CVE-2023-5528) could permit RCE with elevated privileges on Windows nodes within a cluster. The flaw is a command injection in the kubelet's handling of in-tree local volumes: on Windows, the volume's path parameter was spliced into a PowerShell command without sanitization, so an attacker able to create pods and persistent volumes could supply a crafted path in a YAML manifest and have arbitrary commands run as the kubelet, which holds SYSTEM-level privileges. Unpatched kubelet versions from 1.8.0 onwards are affected. Successful exploitation could lead to a complete takeover of Windows nodes.
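The following is an added example showing the bug class described above, vulnerable form beside hardened form. It is not kubelet code; the PowerShell command text and the path values are assumptions standing in for whatever the kubelet actually ran, and the hardened version does what the upstream fix did in spirit, which is to stop routing paths through an interpreter.

```python
"""Command-injection pattern of the CVE-2023-5528 class, reduced to a
standalone illustration. Added example, not kubelet source; command
text and sample paths are assumptions for demonstration only."""
import ntpath
import re

# --- vulnerable pattern ----------------------------------------------------
def build_link_cmd_vulnerable(target: str, link: str) -> str:
    """Splice attacker-controlled paths into one PowerShell script string.
    A value containing a quote and a ';' terminates the intended statement
    and appends its own; the interpreter cannot tell data from code."""
    return f'New-Item -ItemType SymbolicLink -Path "{link}" -Value "{target}"'


# --- hardened pattern ------------------------------------------------------
WINDOWS_ABS = re.compile(r"^[A-Za-z]:\\")
SHELL_META = set('";&|`$<>\r\n')   # PowerShell statement/quoting metacharacters


def is_safe_path(p: str) -> bool:
    """Accept only an absolute, already-normalized drive path with no shell
    metacharacters. Rejecting on any of these is cheaper than escaping."""
    if not WINDOWS_ABS.match(p):
        return False
    if any(c in SHELL_META for c in p):
        return False
    # normpath collapses '..' and trailing separators; a path that changes
    # under normalization was not what it claimed to be.
    return ntpath.normpath(p) == p


def symlink_args_hardened(target: str, link: str) -> tuple[str, str]:
    """Validate both paths and hand them back as separate values for a
    native call (os.symlink on the node), never as script text. Raises
    ValueError instead of silently 'cleaning' a hostile value."""
    for p in (target, link):
        if not is_safe_path(p):
            raise ValueError(f"rejected path: {p!r}")
    return (target, link)


# Constructed sample values: a legitimate volume path and one carrying a
# PowerShell statement after a closing quote.
GOOD_TARGET = r"C:\data\pv1"
LINK_PATH = r"C:\var\lib\kubelet\pods\abc\volumes\pv1"
INJECTED_TARGET = r'C:\data\pv1"; Start-Process notepad.exe; #'

if __name__ == "__main__":
    print("vulnerable:", build_link_cmd_vulnerable(INJECTED_TARGET, LINK_PATH))
    print("hardened  :", symlink_args_hardened(GOOD_TARGET, LINK_PATH))
    try:
        symlink_args_hardened(INJECTED_TARGET, LINK_PATH)
    except ValueError as exc:
        print("hardened  :", exc)
```

The vulnerable function shows why sanitization is the wrong frame: once the path is part of an interpreter's script, no amount of post-hoc filtering reliably separates it from code. Passing the validated values to a native API keeps them data throughout.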
Legitimate Adobe notifications abused
Fresh campaigns were found using multi-layered phishing techniques against the financial, biomedical, HVAC, employment, and professional services sectors. The attackers deceive recipients with notifications sent through Adobe's own platform, which therefore pass email authentication, combined with personalized sender domains, company logos, and malicious QR codes. Sending through legitimate Constant Contact domains and putting the lure text in images rather than in the message body further hampers detection. The campaign ultimately attempts an advance-fee scam.