Cyware Daily Threat Intelligence

Daily Threat Briefing • May 16, 2024
Google combats the third zero-day in a week. The high-severity bug affected the Chrome V8 JavaScript engine. In similar news, cyber experts identified multiple vulnerabilities in GE HealthCare's Vivid ultrasound systems, potentially allowing attackers to install ransomware and manipulate patient data.
Meanwhile, the Russian-affiliated Turla APT is suspected to be behind a highly sophisticated cyberespionage campaign spotted in the wild. Turla's LunarWeb and LunarMail backdoors infiltrated an unnamed European Ministry of Foreign Affairs. LunarWeb infects servers while mimicking legitimate HTTP(S) traffic, whereas LunarMail persists as an Outlook add-in and communicates via email. The backdoors have been active since 2020.
Espionage group drops LunarWeb and LunarMail
An unnamed European Ministry of Foreign Affairs and its diplomatic missions in the Middle East fell victim to espionage operations orchestrated by the Turla group. ESET researchers discovered two previously undocumented backdoors, LunarWeb and LunarMail, deployed in the attacks. LunarWeb operates on servers using HTTP(S) for command-and-control communications, while LunarMail, persisting as an Outlook add-in on workstations, communicates via email.
Kimsuky deploys new Linux malware
North Korean state-sponsored hacker group Kimsuky was identified using a new Linux malware dubbed Gomir, a variant of the GoBear backdoor. The malware is distributed through trojanized software installers and shares similarities with GoBear, including direct C2 and support for various operations. Gomir targets South Korean government organizations and utilizes supply-chain attacks to maximize its impact.
Third zero-day hits Google Chrome
Google issued an emergency security update for Chrome to address a high-severity zero-day vulnerability (CVE-2024-4947) actively exploited in attacks. The flaw stemmed from a type confusion issue in the Chrome V8 JavaScript engine. This marks the third zero-day patched within a week. Google urged users to update their browsers to the latest version (125.0.6422.60/.61 for Mac/Windows and 125.0.6422.60 for Linux) to mitigate the risk of exploitation.
Design flaw detected in Foxit Reader
Cybersecurity researchers have uncovered a concerning trend in PDF exploitation, particularly targeting users of Foxit Reader. Exploits with low detection rates abuse flaws in Foxit Reader's design where default options could lead to the execution of malicious commands. Campaigns leveraging this exploit range from espionage-focused attacks to broader cybercrime operations, utilizing various malicious tools.
Security flaws found in Ubuntu 24.04 LTS
Ubuntu 24.04 LTS faced several security vulnerabilities, spanning various packages and components, including less, GNU C Library, Curl, GnuTLS, libvirt, and Pillow. The exploitation of these vulnerabilities could lead to denial of service or arbitrary code execution. Detailed descriptions of each vulnerability highlight their impact and potential exploitation scenarios.
Security flaws in ultrasound systems pose risk
Nozomi Networks uncovered security vulnerabilities affecting GE HealthCare's Vivid Ultrasound product family, potentially allowing malicious actors to compromise patient data and even deploy ransomware. The flaws, including hard-coded credentials and command injection, affect the Vivid T9 ultrasound system and the EchoPAC software installed on doctors' workstations. While exploitation requires physical access to the devices, the consequences could be severe.
WiFi bug connects users to less secure networks
A newly discovered vulnerability in the WiFi standard, identified as CVE-2023-52424, enables attackers to execute an SSID Confusion attack on enterprise, mesh, and certain home WiFi networks. This flaw allows attackers to spoof network names and trick victims into connecting to less secure networks, potentially leading to traffic interception and manipulation.
Intel addresses 90+ vulnerabilities
Intel addressed over 90 vulnerabilities across various products, with critical flaws impacting its Neural Compressor AI product. The most critical vulnerability, CVE-2024-22476, posed a severe risk of privilege escalation via remote access. High-severity flaws were discovered in server firmware, graphics products, wireless solutions, and more, potentially leading to privilege escalation, DoS attacks, or information disclosure.
Rise in DocuSign phishing attacks
A concerning surge in phishing attacks posing as DocuSign documents threatens customer security. These attacks employ carefully crafted emails resembling authentic document signing requests, aiming to trick recipients into divulging sensitive information or clicking on malicious links. Factors such as DocuSign's widespread usage, trusted image, and cybercriminals' evolving tactics contribute to the spike.
Instagram scams via influencer program
A concerning trend has emerged regarding cybercriminals' manipulation of Instagram's influencer program. Scammers are creating dummy accounts to hack into targets' Instagram profiles and share posts about cryptocurrencies, subsequently soliciting votes for fake influencer contests. Victims are directed to fraudulent pages disguised as voting platforms, where they unwittingly update their email addresses, giving scammers control over their accounts.