Cyware Daily Threat Intelligence

Daily Threat Briefing Mar 27, 2024

Researchers have illuminated the dark side of ‘TheMoon’: a cyber siege on small office/home office routers and IoT devices that has turned over 40,000 of them into unwitting bots across 88 countries to fuel a shadowy web of cybercrime. This updated version of the TheMoon malware targets end-of-life (EOL) routers and IoT devices. Following in the footsteps of its global allies, Finnish authorities attributed the March 2021 attack on the country’s parliament to the China-linked group APT31, identifying one suspect.

A new vulnerability has been identified in Microsoft Edge. By leveraging a private API meant for marketing, threat actors could silently install powerful extensions and commandeer the victim's browsing. A patch has since been released.

Top Breaches Reported in the Last 24 Hours

The Big Issue faces a big issue

The Big Issue, a U.K. street newspaper supporting homeless people, was hit by a cyberattack. The attack, claimed by the Qilin ransomware gang, allegedly compromised 550GB of data, including files related to commercial and personnel operations. The company is working with experts to investigate and restore systems, while ensuring magazine distribution continues.

APT31 behind March 2021 attack on Finnish Parliament

The Finnish Police attributed the March 2021 parliament attack to the China-linked group APT31, identifying one suspect. The investigation revealed a complex criminal infrastructure used by nation-state actors; international collaboration was crucial to the investigation. The U.S. government announced sanctions against alleged APT31 members and a tech company used in cyber operations. The U.K., Australia, and New Zealand also accused APT31 of cyber intrusions.

Top Malware Reported in the Last 24 Hours

TheMoon ensnares 40,000 bots

The Black Lotus Labs team at Lumen Technologies discovered a long-term campaign targeting end-of-life small home/office routers and IoT devices using an updated version of the "TheMoon" malware. The campaign has resulted in over 40,000 infected bots from 88 countries, which are used to power the Faceless proxy service, a facilitator of cybercriminal activity. The infection process on a victim proxy device involves a series of steps, including setting up iptables rules, contacting NTP servers, and communicating with a C2 server to download subsequent modules.

Chinese APTs targeted ASEAN summit

Chinese APT groups launched a cyberespionage campaign targeting ASEAN organizations with malware. Two separate APT groups are responsible for the campaign, including the well-known threat actor Stately Taurus. The cyberattack involved two malicious packages, one of which was created specifically for the ASEAN-Australia Special Summit. The full extent of the campaign and the potential involvement of other actors are still under investigation.

Top Vulnerabilities Reported in the Last 24 Hours

New campaign exploits Ray framework bug

The ShadowRay hacking campaign targets an unpatched vulnerability in the popular open-source AI framework Ray. The attacks have been ongoing since September 5, 2023, affecting sectors such as education, cryptocurrency, and biopharma. Anyscale, the developer of Ray, disclosed several vulnerabilities but did not fix a critical flaw, CVE-2023-48022, which stems from a lack of authentication. This has led to active exploitation by hackers, resulting in the potential leakage of sensitive data and the hijacking of computing power from thousands of compromised companies.

17,000 Exchange servers vulnerable in Germany

The German national cybersecurity authority found 17,000 Microsoft Exchange servers in Germany exposed online and vulnerable to critical security flaws, affecting various institutions and businesses. Approximately 37% of Exchange servers in Germany are severely vulnerable, with many still using outdated versions and not applying available security updates in a timely manner. Many of these servers belong to institutions such as schools, medical facilities, and local governments.

Rockwell Automation warns about 10 flaws

Rockwell Automation published three new security advisories regarding vulnerabilities in its FactoryTalk, PowerFlex, and Arena Simulation products. The Arena Simulation software has six vulnerabilities, including five high-severity arbitrary code execution flaws and one medium-severity information disclosure and denial-of-service (DoS) issue. Exploitation of the Arena Simulation vulnerabilities requires users to open malicious files. The PowerFlex product vulnerabilities are three high-severity DoS flaws with no patches available yet. The FactoryTalk View ME product has a medium-severity vulnerability that allows remote restarting of the PanelView Plus 7 terminal without security protections.

New vulnerability in Microsoft Edge

Guardio Labs discovered a vulnerability (CVE-2024-21388) in Microsoft Edge that allowed covert installation of browser extensions with broad permissions without user knowledge. The vulnerability exploited a private API (edgeMarketingPagePrivate) intended for marketing purposes. Adversaries could misuse this vulnerability to install malicious extensions or extensions with higher privileges without the user's knowledge. Microsoft released a security fix in version 121.0.2277.98.

Top Scams Reported in the Last 24 Hours

Payroll scam hits State Department employees

The U.S. State Department warned current and former employees of a fraudulent scheme targeting workers' payroll accounts through phishing, email account takeovers, and social engineering. Cybercriminals initially targeted annuity accounts by creating similar-looking email addresses and requesting changes to internal deposit information. Phishing attempts involved realistic-looking communications to retrieve login data for Employee Express accounts, exposing victims' systems to malware.

Trezor hacked to spread offensive messages

The well-known cryptocurrency wallet manufacturer, Trezor, had its Twitter account hacked by scammers who posed as credible entities and used fake Calendly links to compromise the account. Despite the security breach, Trezor assured customers that their hardware wallets and products remained secure. Trezor quickly deleted the unauthorized tweets and posted a warning to its 205,000 followers.