Cyware Daily Threat Intelligence


Daily Threat Briefing March 30, 2023

Another cunning malware toolkit has been introduced to the cybercrime marketplace. Named AlienFox, it can be leveraged by adversaries to harvest API keys and secrets from popular services, including AWS SES and Microsoft Office 365. Meanwhile, a trojanized version of the 3CX VoIP desktop client has joined the list of threats emerging from rogue software programs. Cybersecurity analysts believe a North Korean state-backed actor, tracked as Labyrinth Collima (believed to be a subset of the Lazarus Group), is responsible for the campaign.

If you’re a QNAP customer, do refer to the latest security advisory released by the company. The advisory outlines a critical Sudo privilege escalation vulnerability. While a fix has been rolled out for some products, others still await updates.

Top Breaches Reported in the Last 24 Hours

The (Un)SafeMoon landing

As hackers exploited a flaw in the SafeMoon token liquidity pool's smart contracts, the DeFi platform lost approximately $8.9 million worth of tokens. The smart contract function, which burns tokens, was unwittingly exposed to the public without any restrictions, giving users a free hand to manipulate it. Officials said they have located the suspected exploit and patched the flaw.

Traveler data stolen

NS, the Dutch national railway, informed roughly 780,000 commuters about a breach incident affecting their personal data. It reportedly suffered a breach after a hacker infiltrated the networks of market research firm Blauw via software supplied to it by a third party. E-mail addresses, telephone numbers, and full names of travelers may have been exposed.

Top Malware Reported in the Last 24 Hours

AlienFox chases misconfigured servers

Security experts at SentinelLabs uncovered a new modular toolkit dubbed AlienFox. It comprises custom tools and modified open-source utilities developed by different authors. The toolkit scans for misconfigured servers to extract authentication secrets and credentials for cloud-based email services, and it ships separate scripts for persistence and privilege escalation.

Realtek and Cacti bugs exploited

FortiGuard Labs revealed that security issues in Realtek and Cacti are being exploited to distribute ShellBot and Moobot malware. The Realtek bug, CVE-2021-35394, is an arbitrary command injection flaw affecting UDPServer. CVE-2022-46169, the Cacti bug, is a command injection flaw that enables an unauthenticated user to execute arbitrary code on the vulnerable server.

Infected 3CX phone system

Cybercriminals are allegedly using a digitally signed and trojanized version of the 3CX desktop client to target the company's clients in an ongoing supply chain attack. Both Windows and macOS users are being targeted. While Sophos researchers aren’t sure who could be behind the attack, CrowdStrike suspects the involvement of a North Korean state-backed group it tracks as Labyrinth Collima.

Top Vulnerabilities Reported in the Last 24 Hours

QNAP Linux Sudo flaw

A critical Sudo privilege escalation flaw in Linux-powered NAS devices is affecting several QNAP products. The flaw, tracked as CVE-2023-22809, is described as a "sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit." The range of products impacted includes the QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) NAS operating systems.
