
Cyware Daily Threat Intelligence


Daily Threat Briefing May 15, 2024

Yet another decade-long attack campaign was unearthed. ESET took the wraps off Ebury botnet's prolonged infiltration of Linux servers, which exceeds 100,000 compromised systems. As noted, attackers’ tactics include SSH credential theft and AitM attacks.

On the vulnerability side, D-Link's DIR-X4860 router is riddled with severe vulnerabilities that enable unauthenticated remote command execution. Exploitation involves bypassing authentication and leveraging a command injection flaw. Watch out for Microsoft's May 2024 Patch Tuesday updates, as they address dozens of security flaws, including two zero-days exploited in the wild. Critical issues include CVE-2024-30040 and CVE-2024-30051, which require immediate attention.

Top Malware Reported in the Last 24 Hours

Decade-long botnet campaign uncovered

ESET divulged the extensive infiltration of the Ebury botnet into over 400,000 Linux servers since 2009, with over 100,000 servers still compromised as of late 2023. The sophisticated campaign involved various monetization activities, including spam distribution, web traffic redirection, and credential theft, with actors also engaged in cryptocurrency heists and credit card theft. The attackers employ diverse delivery methods, including SSH credential theft and exploitation of web panel vulnerabilities.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft addresses 61 security flaws

Microsoft released its Patch Tuesday updates, addressing a total of 61 security vulnerabilities, including two zero-day issues being actively exploited in the wild. These are a critical flaw in the Windows MSHTML Platform and an elevation of privilege vulnerability in the Windows Desktop Window Manager (DWM) Core Library. These flaws could allow attackers to execute arbitrary code and gain SYSTEM privileges.

Code execution threat in Mozilla products

Multiple vulnerabilities in Mozilla Firefox, Firefox ESR, and Thunderbird were reported, allowing for arbitrary code execution. Exploitation could lead to program installation, data manipulation, or unauthorized account creation. Affected versions include Firefox ESR prior to 115.11, Thunderbird prior to 115.11, and Firefox prior to 126. While no active exploits are reported, users are urged to update to mitigate risks.

D-Link flaws enable RCE

The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to unauthenticated remote command execution. Researchers from SSD Secure Disclosure discovered flaws in the latest firmware version, allowing attackers to gain root access via the Home Network Administration Protocol (HNAP) port. A PoC exploit has also been publicly released.

NHS warns of active exploitation of Arcserve bugs

The U.K.'s NHS alerted organizations about the potential exploitation of vulnerabilities in Arcserve Unified Data Protection (UDP) software, disclosed in March. These include authentication bypass and path traversal flaws, with Tenable rating them 'critical' and the Centre for Cybersecurity Belgium emphasizing urgent action. Risks range from data theft to ransomware attacks, necessitating heightened monitoring alongside patching.

Adobe releases critical security updates

Adobe rolled out a series of critical security patches addressing code execution vulnerabilities across various products such as Illustrator, Substance3D Painter, Aero, and Dreamweaver. This update addresses vulnerabilities that could allow malicious actors to execute arbitrary code on affected systems. Users were strongly advised to apply the latest patches to mitigate potential risks.

ICS advisories by multiple organizations

Several major ICS providers have released Patch Tuesday advisories addressing critical vulnerabilities in their products. Siemens, Rockwell Automation, Mitsubishi Electric, and Johnson Controls have all issued advisories detailing vulnerabilities ranging from remote code execution to SQL injection. These vulnerabilities, if exploited, could lead to unauthorized access, privilege escalation, and data tampering. CISA has also alerted organizations about these vulnerabilities.

Apple addresses Safari zero-day

Apple issued security updates to address a zero-day vulnerability in Safari (CVE-2024-27834) exploited during the Pwn2Own Vancouver hacking competition. The flaw could allow attackers to bypass pointer authentication, potentially leading to RCE. The update is available for macOS Monterey and macOS Ventura, with Safari 17.5 also released for iOS, iPadOS, macOS Sonoma, and visionOS.

VMware fixes multiple flaws including three zero-days

VMware fixed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-days demonstrated at Pwn2Own Vancouver 2024. These flaws included a use-after-free vulnerability in Bluetooth (CVE-2024-22267) and information disclosure vulnerabilities. Threat actors with local administrative privileges on virtual machines could exploit these issues for code execution or to read privileged information from hypervisor memory.
