Cyware Daily Threat Intelligence
Daily Threat Briefing • May 2, 2024
According to a Q1 2024 ransomware report, LockBit, Black Basta, and Play were the most prominent ransomware groups of the quarter, with LockBit weakened by law enforcement action; the emergence of DarkVault suggests a LockBit rebranding effort. On the macOS front, a new Adload variant has been observed evading Apple's latest XProtect updates with only minor code changes, underscoring how little effort signature evasion can require.
A decade-old D-Link router vulnerability is being exploited by what FortiGuard Labs calls the Goldoon botnet. Once installed, the bot waits for commands from its C2 server and can launch DoS attacks over a range of common protocols, including the one used by Minecraft game servers. Separately, HPE Aruba Networking's April 2024 security advisory describes critical RCE flaws in ArubaOS and urges prompt patching.
LockBit hit, Black Basta surges, DarkVault emerges
ReliaQuest's Q1 2024 report highlighted LockBit's decline after law enforcement action and a 41% increase in Black Basta activity. LockBit's standing among affiliates has waned, fueling speculation that the group may rebrand as DarkVault. Cl0p ransomware is expected to resurge with campaigns against enterprise file transfer software. Law enforcement's release of decryption tools has also prompted ransomware groups to reconsider how they store victim keys.
Adload malware evades Apple's XProtect
Despite a significant update to Apple's XProtect antivirus aimed at Adload adware, a new variant of Adload, including a Go-based build, was spotted bypassing XProtect and other antivirus engines. Minor changes to the malware's code are enough to slip past XProtect's signature rules, which shows how fragile purely signature-based detection is against an actively maintained adware family. Users are urged to consider additional security measures beyond the built-in antivirus.
A new botnet abuses a D-Link flaw
FortiGuard Labs identified a new botnet named Goldoon that targets a decade-old D-Link router vulnerability. Goldoon propagates by downloading a file named "dropper" from a hard-coded URL; the dropper executes the payload built for the victim's Linux CPU architecture and then cleans up the files it dropped to hinder analysis. The downloaded bot then establishes a persistent connection to its C2 server and waits for commands.
Critical GitLab bug exploited in the wild
CISA added a critical GitLab flaw (CVE-2023-7028) to its KEV catalog as an actively exploited vulnerability. The bug, rated at the maximum CVSS score of 10.0, enables account takeover: a crafted password reset request causes the reset email to be sent to an unverified, attacker-controlled address. GitLab disclosed the issue in January; it affects all authentication mechanisms in versions 16.1.0 onwards. Successful exploitation could lead to account compromise, data theft, and supply chain attacks against the projects hosted on the instance.
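The bug class behind the GitLab issue is easy to reproduce in a toy password-reset handler. The following is an added example, not GitLab's code: a vulnerable handler that matches the account on any supplied address and then mails the reset token to every address it was given, beside a hardened handler that rejects non-scalar input and only ever mails a verified address on record. The user directory, field names and helper functions are constructed for the demonstration.

```python
"""Toy model of the 'reset email sent to an unverified address' bug class.

Added example, not GitLab's code. USERS, OUTBOX and the function names
are constructed for the demonstration.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    username: str
    primary_email: str      # verified address of record
    verified: frozenset     # every verified address for the account


# Constructed directory: one privileged account with a single verified email.
USERS = [
    User("admin", "admin@corp.example", frozenset({"admin@corp.example"})),
]

# Constructed mail outbox: (recipient, reset token) pairs.
OUTBOX = []


def _send_reset(recipient: str) -> str:
    """Queue a reset token for a recipient (stands in for sending email)."""
    token = secrets.token_urlsafe(32)
    OUTBOX.append((recipient, token))
    return token


def _as_list(value):
    """Mimic a web framework that turns repeated or bracketed parameters
    such as user[email][]=a&user[email][]=b into a Python list."""
    return value if isinstance(value, list) else [value]


def vulnerable_reset(params: dict) -> list:
    """Vulnerable form: find the account by *any* supplied address, then
    mail the reset link to *every* supplied address, verified or not."""
    requested = [e.strip().lower() for e in _as_list(params.get("email", []))]
    for user in USERS:
        if user.verified & set(requested):
            for addr in requested:          # includes attacker-controlled addresses
                _send_reset(addr)
            return requested
    return []


def hardened_reset(params: dict) -> list:
    """Hardened form: accept exactly one scalar address, and only send if
    that address is already verified for the account it belongs to."""
    value = params.get("email")
    if not isinstance(value, str):          # arrays/objects are rejected outright
        return []
    addr = value.strip().lower()
    for user in USERS:
        if addr in user.verified:           # token goes only to a verified address
            _send_reset(addr)
            return [addr]
    return []   # unknown or unverified: send nothing, same response shape (no enumeration)


if __name__ == "__main__":
    attack = {"email": ["admin@corp.example", "attacker@evil.example"]}
    print("vulnerable sent to:", vulnerable_reset(attack))
    print("hardened sent to:  ", hardened_reset(attack))
    print("hardened, legit:   ", hardened_reset({"email": "admin@corp.example"}))
```

The second defence in the hardened handler, replying identically for unknown and unverified addresses, is what keeps the reset endpoint from doubling as a username-enumeration oracle.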
HPE issues security advisory for RCE
HPE Aruba Networking released a security advisory detailing critical RCE vulnerabilities affecting multiple versions of ArubaOS, its proprietary network operating system. The advisory lists ten vulnerabilities, including four critical-severity unauthenticated buffer overflows that can lead to RCE. The affected products include Mobility Conductor, Mobility Controllers, WLAN Gateways, and SD-WAN Gateways managed by Aruba Central.
Customized QR code phishing campaigns
QR code phishing, or quishing, has surged, with attackers deploying custom templates tailored to each targeted organization. These personalized emails carry legitimate company logos and the recipient's own name, creating a sense of authenticity and urgency. By prompting recipients to "update" their authentication settings via a QR code, the criminals send victims to credential-harvesting sites; because the URL is embedded in an image rather than a link, it also slips past email controls that only inspect text.