Cyware Daily Threat Intelligence

Daily Threat Briefing Mar 25, 2024

GitHub developers were hit by a complex supply chain attack. Checkmarx reported that the attackers tampered with popular packages like Colorama—used by over 150 million users—to propagate an info-stealer. It is designed to steal Telegram session data, cryptocurrency wallets, and browser data from compromised systems. Meanwhile, a new ransomware family, called HelloFire, has emerged in the threat landscape. Researchers claim that the ransomware is distributed as a legitimate pen-testing tool to evade detection.

In other notable threats, scammers have been found leveraging the recently launched Search Generative Experience (SGE) feature of Google to redirect visitors to various fake sites that promote fake iPhone giveaways, browser spam subscriptions, and tech support scams.

Top Breaches Reported in the Last 24 Hours

Henry County dealing with an attack

Henry County, Illinois, is dealing with a ransomware attack that disrupted operations and classes at several colleges and government departments. While the county has begun restoring the impacted systems and services, the Medusa ransomware group has claimed credit for the attack and has given the county eight days to pay a $500,000 ransom.

Update on HWL Ebsworth Lawyers’ attack

In a new update, it was revealed that the private data of some of The Star Casino’s gamblers was stolen in the BlackCat ransomware attack on HWL Ebsworth Lawyers, which took place in April last year. The stolen data, which included banking details, passports, and physical addresses, was left exposed on the dark web for three weeks before the law firm obtained a court order to have it deleted. Furthermore, the casino stated that other personal information of customers, such as phone numbers, employment information, physical signatures, credit card details, and medical information, was impacted in the incident.

Top Malware Reported in the Last 24 Hours

New HelloFire ransomware discovered

Researchers have uncovered a new ransomware, named HelloFire, that disguises itself as legitimate penetration testing activity to trick users. Once executed, the ransomware appends the ‘.afire’ extension to encrypted files and drops a ransom note in a ‘Restore.txt’ file. The encryptor is built as a 32-bit Windows PE executable using Visual C++ and has a file size of 49.5KB.

Malvertising campaign distributes new Go loader

Researchers came across a malvertising campaign that employs a new Golang-based loader to deploy the Rhadamanthys stealer via fake PuTTY sites. The campaign is designed to target Linux system administrators; upon execution, the malware steals sensitive data from compromised systems. The new Golang loader is reportedly being actively distributed and poses a significant threat to organizations and individuals.

Fake Python infrastructure discovered

According to a Checkmarx report, numerous Python developers, including a maintainer of Top.gg, fell victim to information-stealing malware by downloading a malicious clone of the widely used tool Colorama. The supply chain attack was orchestrated by cloning Colorama, embedding malicious code in it, and hosting the result on a fake mirror domain resembling 'files.pythonhosted.org'. Furthermore, the attackers propagated the malware through malicious repositories and hijacked high-profile accounts, including 'editor-syntax' on GitHub, a maintainer of the Top.gg platform for Discord with a community exceeding 170,000 members.
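One defender-side check prompted by the fake-mirror technique above, written here as an added example that is not part of the Checkmarx report or this briefing: it scans pip configuration or requirements text for index and download URLs, flags every host that is not one of the official PyPI hosts, and scores how closely each one mimics 'files.pythonhosted.org'. The host names in the embedded sample are constructed placeholders, not the attacker's actual domain.

```python
"""Flag pip index/download hosts that impersonate the official PyPI mirror.

Added example: scans pip-style configuration text for URLs, reports every
host outside the official PyPI hosts, and rates its similarity to
'files.pythonhosted.org' so lookalike mirrors stand out in CI or a
pre-commit hook. Sample hosts below are constructed placeholders.
"""
import difflib
import re
from urllib.parse import urlsplit

OFFICIAL_HOSTS = {"pypi.org", "files.pythonhosted.org"}
IMPERSONATED = "files.pythonhosted.org"
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def suspicious_hosts(text):
    """Return (host, similarity) for each URL host not in OFFICIAL_HOSTS.

    similarity is difflib's ratio against IMPERSONATED (0.0 to 1.0);
    values near 1.0 indicate a typosquat or fake mirror of the real host.
    """
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if not host or host in OFFICIAL_HOSTS:
            continue
        score = difflib.SequenceMatcher(None, host, IMPERSONATED).ratio()
        findings.append((host, round(score, 2)))
    return findings


def lookalikes(text, threshold=0.7):
    """Hosts whose name mimics the official mirror above the threshold,
    plus any host that reuses the 'pythonhosted' or 'pypi' brand tokens."""
    return [h for h, s in suspicious_hosts(text)
            if s >= threshold or "pythonhosted" in h or "pypi" in h]


# Constructed sample: one official index, one lookalike mirror and one
# unrelated internal host (placeholder names, not real domains).
SAMPLE = """\
[global]
index-url = https://pypi.org/simple
extra-index-url = https://files.pythonhosted.example/simple
--find-links https://mirror.internal.example/wheels
colorama @ https://files.pythonhosted.example/packages/colorama.tar.gz
"""

if __name__ == "__main__":
    for host, score in suspicious_hosts(SAMPLE):
        print(f"{host:32} similarity={score}")
```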

WINELOADER used to target German politicians

Mandiant researchers shared details of a new backdoor malware, named WINELOADER, that was used in a recent campaign to target German politicians with a Christian Democratic Union-themed lure. Attributed to the Russia-based Cozy Bear group, the campaign used phishing emails purporting to be an invite for a dinner reception from the CDU. According to researchers, various features of WINELOADER overlap with several known malware families from APT29 such as BURNTBATTER, MUSKYBEAT, and BEATDROP.

Top Vulnerabilities Reported in the Last 24 Hours

Two zero-day flaws addressed in Firefox

Mozilla issued Firefox browser updates for two zero-day vulnerabilities that were exploited at the Pwn2Own Vancouver 2024 hacking contest. The first vulnerability, tracked as CVE-2024-29943, is an out-of-bounds access flaw that leads to the bypass of range analysis. The second vulnerability (CVE-2024-29944) is a privileged JavaScript execution issue in event handlers, leading to a sandbox escape. The issues are patched in Firefox 124.0.1 and Firefox ESR 115.9.1.

Top Scams Reported in the Last 24 Hours

Google’s SGE redirects visitors to scam sites

Google’s new AI-powered Search Generative Experience (SGE) was found recommending spammy and malicious sites within its conversational responses, making it easier for users to fall for scams. Visitors are redirected to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams. Based on the domain (.online) used across these sites, they are believed to be part of a single SEO poisoning campaign. The giveaway scams are used to collect personal information from users, which is then sold to other scammers and direct marketers.

BlockFi customers targeted

Customers of the crypto platform BlockFi were targeted in a phishing email that enabled threat actors to steal millions of dollars in cryptocurrency in just five days. The phishing email used BlockFi’s logo and asked recipients to withdraw the rest of their balance by clicking on a malicious link. The email came from noreply@everbridge[.]net, which was not flagged as potentially malicious by spam filters.