Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 18, 2024
Over a dozen GitHub repositories were found serving cracked software that infected hosts with the RisePro info-stealer. The repositories used a common download link leading to an installer. In other headlines, a ransomware group is scanning for servers vulnerable to a directory traversal flaw in the aiohttp Python library; exploitation attempts have spiked since February. Another directory traversal bug was reported in the Fortra FileCatalyst Workflow website portal, which could lead to arbitrary code execution and system compromise.
What else? Security experts came across a new malware strain circulating in the wild and revealed its potential connection to ObserverStealer. Named AsukaStealer, it comes with enhanced capabilities compared to its predecessor.
Potential breach affects 2.4 million individuals
New Zealand-based MediaWorks is investigating an alleged security incident after a threat actor claimed to have stolen the data of just over 2.4 million individuals. The company has not yet publicly confirmed the breach but stated that the claims relate to data from website competition entries. The stolen data reportedly includes personally identifying information such as names, addresses, dates of birth, SSNs, and contact details. Financial details and passwords are believed to be unaffected.
AT&T denies leak involving millions of users
AT&T refuted claims that a leaked dataset affecting 71 million individuals originated from its systems, despite evidence suggesting otherwise. The dataset, allegedly from a 2021 breach, contained sensitive information such as names, addresses, social security numbers, and encrypted birth dates. While AT&T continues to deny involvement, customers are advised to remain vigilant against potential phishing attempts.
Fujitsu confirms cyberattack
Japanese technology giant Fujitsu disclosed a cyberattack resulting in the theft of personal and customer information. While the company disconnected affected systems and strengthened monitoring, investigations are ongoing to determine the scope and extent of the breach. Fujitsu has notified relevant authorities and affected individuals, but details regarding the type of malware, specific data stolen, and the number of affected individuals remain undisclosed.
Ransomware attack disrupts Scranton School District
A ransomware attack at Scranton School District, Pennsylvania, prompted IT outages and disruptions to computer systems and services. With the website and Facebook account inaccessible, classes were delayed and students resorted to traditional pencil and paper tasks. The staff was instructed to refrain from using electronic devices. Details regarding the ransomware family and data breach remain undisclosed as investigations continue.
AsukaStealer takes over ObserverStealer
Security researchers reported AsukaStealer, a C++-based malware being promoted on the dark web. Apparently the successor of ObserverStealer, the malware boasts capabilities such as deploying payloads, configuring FileGrabber settings, and delivering logs via Telegram. A comparison indicates similarities in their codebase and configuration retrieval methods, with AsukaStealer opting to decrypt data on the server to reduce its footprint on the victim host.
Cracked software spreads RisePro info-stealer
Cybersecurity researchers from G DATA discovered a campaign dubbed gitgub, which used at least 13 GitHub repositories hosting cracked software to distribute the RisePro info-stealer. The campaign employed a common download link leading to layered archives that were unpacked using the provided passwords. The final stage unpacked the RisePro loader, which injected its payload into system processes, collected sensitive data, and exfiltrated it to Telegram channels.
Fortra bug allows arbitrary code execution
A PoC surfaced for a critical vulnerability (CVE-2024-25153) in Fortra FileCatalyst Workflow, enabling remote attackers to execute arbitrary code. An attacker can exploit the directory traversal flaw to upload JSP files outside the temporary directory, potentially executing system commands. Last week, Fortra also addressed other vulnerabilities in FileCatalyst Direct 3.8.9 and GoAnywhere MFT 7.4.2.
Criminals target servers vulnerable to aiohttp flaw
The ShadowSyndicate ransomware group was found actively scanning for servers vulnerable to CVE-2024-23334, a directory traversal flaw in the aiohttp Python library. Although a patch has been released, exploitation attempts persist, helped by a recent PoC exploit on GitHub and YouTube tutorials. Cyble's threat analysts have detected exploitation attempts originating from IPs linked to ShadowSyndicate, suggesting potential breaches. Over 44,000 aiohttp instances are exposed to the internet globally.
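Both the FileCatalyst Workflow item (CVE-2024-25153) and the aiohttp item (CVE-2024-23334) are instances of one bug class: a user-supplied path is joined to a base directory without checking that the resolved result still lies inside it. The following is an added example, not code from the briefing, from aiohttp, or from Fortra. It shows the containment check a static-file or upload handler should perform (resolving symlinks before the check, since the aiohttp weakness involved static routes configured with `follow_symlinks=True`, a fact the briefing itself does not mention), and a small scanner that flags traversal attempts in constructed access-log lines so an operator can confirm whether an exposed instance has been probed. The log lines, IPs, directory layout, and function names are all constructed for the example.

```python
"""Added example: directory-traversal containment check plus a log scanner.
Not part of the Cyware briefing, aiohttp, or FileCatalyst; all sample data is constructed."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def _decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are normalized too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def resolve_inside(root: Path, requested: str) -> Optional[Path]:
    """Return the real path for `requested` only if it stays under `root`, else None.

    resolve() follows symlinks and collapses '..' before the containment check, so a
    symlink inside the root that points outside it is rejected just like '../'.
    """
    root_real = root.resolve()
    candidate = (root_real / _decode(requested).lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None
    return candidate


# Combined-log-format line: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# '..' followed by a slash or backslash, matched after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample log; the IPs are documentation-range addresses (RFC 5737).
CONSTRUCTED_LOG = """\
203.0.113.10 - - [18/Mar/2024:10:01:02 +0000] "GET /static/../../etc/passwd HTTP/1.1" 200 1024
203.0.113.11 - - [18/Mar/2024:10:01:05 +0000] "GET /static/css/site.css HTTP/1.1" 200 512
203.0.113.12 - - [18/Mar/2024:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0
203.0.113.13 - - [18/Mar/2024:10:03:00 +0000] "POST /workflow/upload?path=..%5c..%5cwebapps%5cx.jsp HTTP/1.1" 403 0
"""


def flag_traversal(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, request_target, status) for every line whose decoded target contains '../'.

    A 2xx status on a flagged line deserves first attention: it means the server served
    something for a traversal-shaped path rather than rejecting it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        if TRAVERSAL_RE.search(_decode(target)):
            hits.append((ip, target, int(status)))
    return hits


def demo() -> dict:
    """Build a constructed static root in a temp dir and exercise both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "static"
        (root / "css").mkdir(parents=True)
        (root / "css" / "site.css").write_text("body{}")
        secret = base / "secret.txt"
        secret.write_text("outside the static root")
        # A symlink inside the served root that points outside it: the follow-symlinks hazard.
        os.symlink(secret, root / "link_out")
        results = {
            "plain": resolve_inside(root, "css/site.css") is not None,
            "dotdot": resolve_inside(root, "../secret.txt") is None,
            "encoded": resolve_inside(root, "%2e%2e/secret.txt") is None,
            "symlink": resolve_inside(root, "link_out") is None,
        }
    results["flagged"] = flag_traversal(CONSTRUCTED_LOG)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`resolve_inside` is the shape of check both an upload endpoint (FileCatalyst's temp directory) and a static route (aiohttp) need: normalize, resolve, then prove the result is still a descendant of the root. The scanner is deliberately broad (it flags the decoded `../` shape regardless of outcome), so it is a triage tool for hosts among the 44,000 exposed instances, not a verdict; the status code tells you which flagged requests were actually answered.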