
Cyware Daily Threat Intelligence


Daily Threat Briefing May 2, 2024

A Q1 2024 ransomware report names LockBit, Black Basta, and Play as the most active groups of the quarter, with LockBit losing ground after law enforcement disrupted its infrastructure; the emergence of DarkVault suggests LockBit may be rebranding. On macOS, a new Adload variant slips past Apple's latest XProtect signatures with only minor code changes, a reminder that signature-based detection lags behind adware that is cheap to modify.

A decade-old D-Link router vulnerability is being exploited by a botnet that FortiGuard Labs calls Goldoon. Once installed, the bot waits for commands from its C2 server and can launch a range of DoS attacks, including floods over common protocols and a method aimed at Minecraft game servers. Separately, HPE Aruba Networking's April 2024 security advisory describes critical unauthenticated RCE flaws in ArubaOS and urges customers to update promptly.

Top Malware Reported in the Last 24 Hours

LockBit Hit, Black Basta surges, DarkVault emerges

ReliaQuest's Q1 2024 report records LockBit's decline following the February 2024 law enforcement action against it, while Black Basta's activity rose 41%. LockBit's standing among affiliates has eroded, fuelling speculation that DarkVault is a rebrand. ReliaQuest also expects Cl0p to resurge with another campaign against enterprise file transfer software. Because law enforcement has been able to recover and release decryption tools, ransomware operators are reconsidering how and where they store victims' keys.

Adload malware evades Apple's XProtect

Shortly after Apple shipped a sizeable XProtect update targeting Adload adware, a new Adload variant, including a build of the Go-based Adload, was found evading both XProtect and other antivirus engines. Only minor changes to the code were needed to slip past XProtect's signature rules, which shows how brittle static signatures are against adware that is actively maintained. macOS users should not rely on the built-in protections alone and should layer additional controls, such as behavioural detection, on top of them.

A new botnet abuses a D-Link flaw

FortiGuard Labs identified a new botnet, Goldoon, that exploits a decade-old D-Link router vulnerability. After exploitation, the device fetches a file named "dropper" from an attacker-specified URL. The dropper supports a range of Linux architectures: it downloads the bot binary for the target architecture, executes it, and then deletes the downloaded file to remove traces from disk. The running bot establishes a persistent connection to its C2 server and waits for instructions.

Top Vulnerabilities Reported in the Last 24 Hours

Critical GitLab bug exploited in the wild

CISA added a critical GitLab flaw, CVE-2023-7028, to its KEV catalog after confirming active exploitation. The bug, rated CVSS 10.0, enables account takeover: a crafted password reset request causes GitLab to send the reset link to an unverified, attacker-controlled email address. GitLab disclosed and patched the issue in January; all authentication mechanisms are affected in versions from 16.1.0 up to the fixed releases (16.7.2, with backports 16.6.4, 16.5.6, 16.4.5, 16.3.7, 16.2.9, and 16.1.6). Accounts with two-factor authentication enabled can have their password reset but cannot be taken over, because the second factor is still required to log in. Successful exploitation can lead to account compromise, theft of source code and CI secrets, and supply chain attacks through tampered pipelines.
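Two checks a GitLab administrator would want after reading the above, written here as an added example rather than code from Cyware or GitLab: a version test against the fixed releases, and a scan of request logs for the exploitation pattern. The example assumes the fixed-version list as recalled from GitLab's advisory, that exploitation submits more than one `user[email]` value in a single password reset request (so the reset link is also mailed to the attacker's address), and a simplified record shape modelled on GitLab's production_json.log. The sample log lines are constructed.

```python
import json
from typing import Iterable, List, Tuple

# Fixed releases GitLab published for CVE-2023-7028 in January 2024.
# Assumption: reproduced from the advisory as recalled, not from the briefing above.
FIXED_VERSIONS = ["16.7.2", "16.6.4", "16.5.6", "16.4.5", "16.3.7", "16.2.9", "16.1.6"]
FIRST_AFFECTED = "16.1.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.7.1' into (16, 7, 1) so versions compare correctly as tuples."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True if this GitLab version is in the affected range and below its branch's fix."""
    ver = parse_version(version)
    if ver < parse_version(FIRST_AFFECTED):
        return False
    for fixed in FIXED_VERSIONS:
        fix = parse_version(fixed)
        if ver[:2] == fix[:2]:  # same major.minor branch as this fixed release
            return ver < fix
    # Every affected branch (16.1 .. 16.7) is listed above, so anything else
    # that reaches here is a newer branch that was never affected.
    return ver < parse_version("16.7.2")


def multi_email_reset_attempts(log_lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Flag POST /users/password requests that submitted more than one user[email] value.

    Assumption: each line is a JSON record with "method", "path", "remote_ip" and a
    "params" list of {"key": ..., "value": ...} objects (simplified production_json.log).
    """
    hits: List[Tuple[str, List[str]]] = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON record
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        emails: List[str] = []
        for param in entry.get("params", []):
            if param.get("key") == "user" and isinstance(param.get("value"), dict):
                value = param["value"].get("email")
                if isinstance(value, list):
                    emails = [str(e) for e in value]
                elif isinstance(value, str):
                    emails = [value]
        if len(emails) > 1:
            hits.append((entry.get("remote_ip", "?"), emails))
    return hits


# Constructed sample records (not real logs). The second one is the exploitation pattern:
# two addresses in one reset request, the second controlled by the attacker.
SAMPLE_LOG = [
    '{"method":"POST","path":"/users/password","remote_ip":"198.51.100.10",'
    '"params":[{"key":"user","value":{"email":"alice@example.com"}}]}',
    '{"method":"POST","path":"/users/password","remote_ip":"203.0.113.7",'
    '"params":[{"key":"user","value":{"email":["alice@example.com","attacker@evil.example"]}}]}',
    '{"method":"GET","path":"/users/sign_in","remote_ip":"198.51.100.11","params":[]}',
]


def scan_sample() -> List[Tuple[str, List[str]]]:
    """Run the detector over the constructed sample; returns one hit from 203.0.113.7."""
    return multi_email_reset_attempts(SAMPLE_LOG)


if __name__ == "__main__":
    for version in ("16.7.1", "16.7.2", "16.5.6", "16.0.8"):
        print(version, "vulnerable" if is_vulnerable(version) else "patched/unaffected")
    for ip, emails in scan_sample():
        print("suspicious reset request from", ip, "->", emails)
```

The version check is only as good as the list it embeds, so treat it as a quick triage aid and confirm against the advisory. A log hit is a strong signal, but exploitation may already have succeeded: check the affected accounts for password changes and new sessions, and rotate any tokens and CI variables they could reach.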

HPE issues security advisory for RCE

HPE Aruba Networking published a security advisory covering critical RCE vulnerabilities in multiple versions of ArubaOS, its network operating system. Of the ten vulnerabilities listed, four are critical-severity buffer overflows that an unauthenticated remote attacker can trigger to achieve RCE. Affected products include Mobility Conductor, Mobility Controllers, and WLAN and SD-WAN Gateways managed by Aruba Central; administrators should apply the fixed ArubaOS builds named in the advisory.

Top Scams Reported in the Last 24 Hours

Customized QR code phishing campaigns

QR code phishing, or quishing, has surged, with attackers using custom templates tailored to each target organization. The emails carry the company's logo and address the recipient by name, which lends them authenticity, and they press the reader to act quickly by scanning a QR code to "update" their authentication. The code resolves to a credential-harvesting site. Embedding the URL in an image lets it slip past filters that only inspect text links, and the victim typically opens it on a personal phone outside corporate web controls.
