Cyware Daily Threat Intelligence


Daily Threat Briefing May 10, 2024

Scammers are targeting users of popular global Android applications through imitation. Security experts have taken the wraps off malicious Android apps posing as Google, Instagram, Snapchat, WhatsApp, and X. The threat actors gain control by tricking users into granting permissions, enabling malware deployment and data theft without the user's knowledge. Separately, eSentire's TRU uncovered a SocGholish infection initiated by a fake browser update, leading to data extraction, reconnaissance, and network manipulation, in what appears to be a sophisticated intrusion campaign.

Concurrently, Google patched the fifth Chrome zero-day vulnerability of the year, a use-after-free flaw that lets attackers exploit memory after it has been freed. Along similar lines, Citrix warned of a vulnerability in the PuTTY SSH client that exposes the private SSH keys of XenCenter administrators on Citrix Hypervisor versions up to 8.2 CU1 LTSR.

Top Malware Reported in the Last 24 Hours

Malicious apps mimic popular services

The SonicWall Capture Labs team investigated a new Android RAT impersonating popular app icons for Google, Instagram, Snapchat, WhatsApp, and X to steal user credentials. The malware tricks users into granting accessibility and device admin permissions. It connects to a C&C server to execute various commands, including reading messages and call logs, accessing contacts, changing device wallpaper, phishing via web URLs, vibrating the device, and much more.

SocGholish infection via fake browser update

eSentire's Threat Response Unit uncovered a SocGholish malware campaign originating from a fake browser update. Utilizing obfuscated JavaScript, attackers aimed to establish a foothold in the victim's environment, employing living-off-the-land techniques to gather credentials and map out business relationships. The malicious activity commenced with a user downloading a deceptive update named "Update.js" from a compromised website.
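The initial stage described above (a user fetching a script file named like a browser update from an ordinary website) is something a proxy-log triage rule can surface. The following is an added example written for this briefing, not eSentire's detection content: the log line format, the placeholder vendor-host allowlist and all hosts in the sample lines are constructed for the example, and the name heuristic is an assumption a defender would tune to their own environment.

```python
"""Triage proxy logs for downloads that look like a fake browser update.

Added example; this is not eSentire's detection content. The log line
format and every host below are constructed for the example. Only the
indicator itself comes from the briefing: a user fetching a script file
named like an update (e.g. "Update.js") from an ordinary website rather
than from a browser vendor.
"""
import re
from urllib.parse import urlsplit

# A real browser update is never delivered as a script file.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".hta", ".wsf")
# Hosts allowed to serve update traffic. Assumption: an operator fills this
# in from their own environment; the entries here are placeholders.
VENDOR_HOSTS = {"updates.browser-vendor.example", "dl.browser-vendor.example"}
# Filename tokens that make a script download look like an "update".
UPDATE_NAME = re.compile(r"update|upgrade|patch|chrome|firefox|edge", re.IGNORECASE)

# Constructed log format: "<timestamp> <user> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_fake_update_download(event: dict) -> bool:
    """Heuristic: a successful GET of a script file with an update-like name
    from a host that is not a known vendor update host."""
    if event["method"] != "GET" or event["status"] != "200":
        return False
    url = urlsplit(event["url"])
    host = (url.hostname or "").lower()
    # Query strings are not part of the path, so "Update.js?v=3" still works.
    filename = url.path.rsplit("/", 1)[-1].lower()
    if not filename.endswith(SCRIPT_EXTENSIONS):
        return False
    if host in VENDOR_HOSTS:
        return False
    return UPDATE_NAME.search(filename) is not None


def find_fake_update_downloads(log_text: str) -> list:
    """(user, url) for every line the heuristic flags; malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and is_fake_update_download(event):
            hits.append((event["user"], event["url"]))
    return hits


# Constructed sample log; the hosts are documentation-only .example names.
SAMPLE_LOG = "\n".join([
    "2024-05-09T14:02:11Z alice GET https://blog.compromised-site.example/wp-content/Update.js 200",
    "2024-05-09T14:02:12Z alice GET https://blog.compromised-site.example/js/jquery.min.js 200",
    "2024-05-09T14:05:00Z bob GET https://dl.browser-vendor.example/browser/Update.js 200",
    "2024-05-09T14:06:30Z carol GET https://cdn.partner.example/assets/Chrome-Update.js?v=3 200",
    "2024-05-09T14:07:00Z dave GET https://blog.compromised-site.example/Update.js 404",
    "garbage line that does not parse",
])


if __name__ == "__main__":
    for user, url in find_fake_update_downloads(SAMPLE_LOG):
        print(f"review: {user} downloaded {url}")
```

This is a triage rule rather than a blocking one: ordinary web pages load many `.js` files, so the name heuristic and the allowlist exist to cut that noise down to the handful of downloads an analyst should look at, and the hits still need to be confirmed against the endpoint (for instance, whether the script was executed after download).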

Top Vulnerabilities Reported in the Last 24 Hours

Citrix warns of PuTTY SSH client vulnerability

A PuTTY SSH client vulnerability, tracked as CVE-2024-31497, affects several versions of XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. The flaw stems from how older PuTTY versions generate ECDSA nonces and could allow attackers to recover an administrator's private SSH key. The Citrix team has advised administrators to update PuTTY or remove the component altogether. The flaw has been fixed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1.
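Updating PuTTY stops new signatures from leaking, but a key that was ever used with an affected version should be treated as exposed and replaced. The PuTTY advisory confines the weakness to NIST P-521 ECDSA keys (a detail the briefing does not spell out), so the practical follow-up is to find those keys wherever they are trusted. The script below is an added example, not Citrix's or PuTTY's code: it parses `authorized_keys` entries down to the curve name in the key blob and flags P-521 entries for rotation. The sample file and its key material are constructed filler, not real keys.

```python
"""Scan an authorized_keys file for ECDSA P-521 public keys.

Added example (not Citrix's or PuTTY's code). Assumption, stated in the
lead-in: the CVE-2024-31497 nonce weakness only affects NIST P-521 ECDSA
keys, so those are the keys an administrator needs to rotate after
patching PuTTY (or any tool bundling it).
"""
import base64
import struct

# Key types that can appear at the start of an authorized_keys entry.
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
VULNERABLE_CURVE = "nistp521"  # the curve singled out in the PuTTY advisory


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_blob(b64: str) -> list:
    """Decode a base64 public key blob into its list of wire-format strings.

    For ECDSA keys the layout is: key type, curve name, encoded point.
    """
    blob = base64.b64decode(b64, validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def scan_authorized_keys(text: str) -> list:
    """Return one finding per key line: type, curve (if any) and a rotate flag."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Entries may carry a leading options field (from=, command=, ...),
        # so locate the key type token rather than assuming it comes first.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append({"line": lineno, "type": None, "curve": None,
                             "rotate": False, "error": "unrecognised entry"})
            continue
        key_type, b64 = tokens[idx], tokens[idx + 1]
        try:
            fields = parse_pubkey_blob(b64)
        except (ValueError, struct.error) as exc:
            findings.append({"line": lineno, "type": key_type, "curve": None,
                             "rotate": False, "error": str(exc)})
            continue
        # The blob's first field must agree with the declared key type.
        if not fields or fields[0].decode("ascii", "replace") != key_type:
            findings.append({"line": lineno, "type": key_type, "curve": None,
                             "rotate": False, "error": "type mismatch in blob"})
            continue
        curve = None
        if key_type.startswith("ecdsa-") and len(fields) >= 2:
            curve = fields[1].decode("ascii", "replace")
        findings.append({"line": lineno, "type": key_type, "curve": curve,
                         "rotate": curve == VULNERABLE_CURVE, "error": None})
    return findings


def fake_key(key_type: str, *fields: bytes) -> str:
    """Build a syntactically valid (but cryptographically meaningless) blob."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    return base64.b64encode(blob).decode()


# Constructed sample file: the key material is filler bytes, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# XenCenter admin keys (constructed sample)",
    "ssh-ed25519 " + fake_key("ssh-ed25519", b"\x01" * 32) + " admin@laptop",
    "ecdsa-sha2-nistp256 " + fake_key("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x02" * 64) + " ops@desk",
    'from="10.0.0.0/8" ecdsa-sha2-nistp521 ' + fake_key("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x03" * 132) + " admin@putty",
    "ecdsa-sha2-nistp521 not-base64!! broken@entry",
])


def keys_to_rotate(text: str) -> list:
    """Line numbers of entries whose key should be replaced."""
    return [f["line"] for f in scan_authorized_keys(text) if f["rotate"]]


if __name__ == "__main__":
    for finding in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
    print("rotate lines:", keys_to_rotate(SAMPLE_AUTHORIZED_KEYS))
```

Reading the curve name out of the blob rather than trusting the leading `ecdsa-sha2-nistp521` token matters because the two can disagree on a hand-edited line; the scanner reports such entries as errors instead of silently clearing them. The same parser works on `known_hosts` and on the public halves of keys stored in other trust stores, which is where a rotation sweep for this advisory needs to reach.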

RCE threat to Telit Cinterion modems

Security vulnerabilities in Telit Cinterion cellular modems—used extensively in industrial, healthcare, and telecom sectors—allowed RCE via SMS. Exploiting the most severe flaw (CVE-2023-47610), attackers could gain deep-level access to the modem's OS without authentication. Experts recommend working with telecom operators to mitigate risks, such as disabling SMS delivery to impacted devices and enforcing application signature verification.

Google patches fifth Chrome zero-day

Google released a security update for Chrome addressing CVE-2024-4671, the fifth Chrome zero-day vulnerability exploited this year. Reported by an anonymous researcher, the flaw is a use-after-free bug in the Visuals component. While details of the exploitation remain undisclosed, users are urged to update their browsers to the latest version (124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux) to mitigate the risk of compromise.

Top Scams Reported in the Last 24 Hours

Feature removed due to phishing issues

Monday[.]com swiftly disabled its Share Update feature after threat actors abused it for phishing attacks. The cloud-based project management platform faced scrutiny as customers received phishing emails from Monday[.]com accounts, falsely attributed to HR departments. These emails directed recipients to forms on formstack.com, exploiting the feature. Although the platform reassured users that no data was compromised, it suspended the responsible user and removed the feature.
