Cyware Daily Threat Intelligence

Daily Threat Briefing • May 20, 2024
Free laundry, anyone? Two UC Santa Cruz students found a flaw affecting millions of laundry machines managed by CSC ServiceWorks, allowing free laundry. They accessed the machines via an insecure API, prompting security concerns. In other headlines, a campaign, dubbed GitCaught, misuses GitHub and FileZilla, distributing malware like Atomic, Vidar, and Lumma via fake software versions. Suspected CIS threat actors manage these attacks, targeting Android, macOS, and Windows.
A cybercrime operation abusing legitimate internet platforms, such as FileZilla and GitHub, has also been observed deploying multiple malware variants across different operating systems. A Russian threat group is suspected of being behind the campaign.
Cyber campaign leverages GitHub and FileZilla
Recorded Future's Insikt Group discovered a campaign, dubbed GitCaught, that exploits legitimate services like GitHub and FileZilla to distribute an array of malware. The perpetrators, possibly Russian-speaking threat actors, use fake profiles and repositories on GitHub to host counterfeit software with the aim of stealing sensitive data. The malware distributed included Atomic, Vidar, and Octo.
Grandoreiro banking trojan launches attacks
IBM's X-Force unit reports a resurgence of the Grandoreiro banking trojan in phishing campaigns, impersonating entities like Mexico's Tax Administration Service and Argentina's Revenue Service. The malware, now modular and capable of targeting over 1,500 banking applications across 60 countries, features updated decryption and command-and-control mechanisms. Additionally, it spreads efficiently by harvesting email addresses from victim data.
Hijack Loader advances anti-analysis techniques
Zscaler ThreatLabz reports a new version of Hijack Loader that incorporates updated anti-analysis methods for stealthier operation. The loader now bypasses Windows Defender and UAC, and employs process hollowing. It delivers various malware families, including Amadey, and decrypts its payload from PNG image data before loading it. Recent iterations also carry additional modules for enhanced capabilities, making the loader a significant threat in malware distribution campaigns.
Latrodectus emerges as IcedID successor
Security experts observed a surge in email phishing campaigns that deliver Latrodectus malware. The suspected successor to IcedID malware utilizes oversized JavaScript files and WMI and deploys payloads like QakBot, PikaBot, and DarkGate. Latrodectus exhibits advanced capabilities of self-deletion and anti-analysis checks. The campaign also propagates other malware loaders like D3F@ck Loader through Google ads impersonating Calendly and Rufus.
Students uncover flaw in laundry machines
Two UC Santa Cruz students, Alexander Sherbrooke and Iakov Taranenko, uncovered a vulnerability affecting over a million internet-connected laundry machines. They could remotely command the machines to start cycles without payment. The flaw lies in the insecure API used by CSC's mobile app, which lacks proper security checks. CSC reportedly reset the students' account balance of several million dollars but failed to fix the bug.
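To make the weakness class concrete from a defender's side, the following is an added, hypothetical model (not CSC ServiceWorks' code, and not a description of its actual API) of a command endpoint that trusts client-asserted payment state, placed beside a hardened handler that authenticates the caller, debits a server-side ledger, and only credits balances from a signed payment receipt. Account, machine, and token values are constructed for the example.

```python
"""Added illustration of 'an API lacking proper security checks' versus a
hardened handler. All names, secrets and balances are constructed."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Hypothetical shared secret between the payment processor and the backend.
PAYMENT_SECRET = b"constructed-demo-secret"


def sign_receipt(user_id: str, amount_cents: int) -> str:
    """Payment processor side: HMAC over the receipt fields (constructed)."""
    msg = f"{user_id}:{amount_cents}".encode()
    return hmac.new(PAYMENT_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class Account:
    user_id: str
    balance_cents: int


@dataclass
class Machine:
    machine_id: str
    price_cents: int
    cycles_started: int = 0


@dataclass
class Backend:
    accounts: dict = field(default_factory=dict)
    machines: dict = field(default_factory=dict)
    session_tokens: dict = field(default_factory=dict)  # token -> user_id

    # --- weak pattern: the client asserts that it has paid -------------
    def start_cycle_insecure(self, request: dict) -> str:
        """No authentication and no ledger check; a 'paid' flag supplied by
        the client is enough to start a cycle."""
        machine = self.machines[request["machine_id"]]
        if request.get("paid") is True:  # client-controlled field
            machine.cycles_started += 1
            return "started"
        return "payment required"

    def credit_insecure(self, request: dict) -> int:
        """Balance is set to whatever the client sends."""
        account = self.accounts[request["user_id"]]
        account.balance_cents = request["balance_cents"]
        return account.balance_cents

    # --- hardened pattern: server-side authorization and accounting ----
    def start_cycle(self, request: dict, token: str) -> str:
        user_id = self.session_tokens.get(token)
        if user_id is None:
            return "unauthorized"
        machine = self.machines.get(request.get("machine_id"))
        if machine is None:
            return "unknown machine"
        account = self.accounts[user_id]
        if account.balance_cents < machine.price_cents:
            return "insufficient funds"
        account.balance_cents -= machine.price_cents  # debit the server ledger
        machine.cycles_started += 1
        return "started"

    def credit(self, user_id: str, amount_cents: int, receipt_sig: str) -> int:
        """Only a receipt signed by the payment processor can add balance."""
        expected = sign_receipt(user_id, amount_cents)
        if not hmac.compare_digest(expected, receipt_sig) or amount_cents <= 0:
            raise PermissionError("invalid payment receipt")
        account = self.accounts[user_id]
        account.balance_cents += amount_cents
        return account.balance_cents


def make_demo_backend() -> Backend:
    """Constructed sample state: one user with an empty balance, one machine."""
    b = Backend()
    b.accounts["alice"] = Account("alice", 0)
    b.machines["m1"] = Machine("m1", price_cents=250)
    b.session_tokens["tok-alice"] = "alice"
    return b


if __name__ == "__main__":
    b = make_demo_backend()
    print(b.start_cycle_insecure({"machine_id": "m1", "paid": True}))   # started
    print(b.start_cycle({"machine_id": "m1"}, "tok-alice"))             # insufficient funds
    b.credit("alice", 500, sign_receipt("alice", 500))
    print(b.start_cycle({"machine_id": "m1"}, "tok-alice"))             # started
```

The point of the hardened handler is that every decision that costs money (start a cycle, add balance) is made from server-held state and a verifiable payment event, never from a field the mobile client can set.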
Critical flaw in Intel’s Neural Compressor
Intel revealed a severe vulnerability, CVE-2024-22476, in its Intel Neural Compressor software, potentially allowing unauthenticated attackers to execute arbitrary code on affected systems. Rated the maximum CVSS score of 10, the flaw arises from improper input validation. It affects versions before 2.5.0 and requires immediate patching to mitigate risks.
CISA flags exploited security issues
CISA added three security vulnerabilities, one in Google Chrome and two in certain D-Link routers, to its Known Exploited Vulnerabilities (KEV) catalog. These are a Chrome vulnerability (CVE-2024-4761), a ten-year-old flaw (CVE-2014-100005) affecting D-Link DIR-600 routers, and another bug (CVE-2021-40655) in D-Link DIR-605 routers. CISA advised replacing affected devices or implementing defenses by June 6th.
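As an added example of how a defender turns a KEV addition like this into an actionable list, the script below matches scanner findings for an asset inventory against a KEV-style JSON feed and reports which assets carry catalog entries and how many days remain before the remediation due date. The feed is a constructed sample in the shape of CISA's KEV JSON (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`), populated with the three CVEs and the June 6 deadline from this briefing; the inventory and the action text are constructed, and the code is not a CISA tool.

```python
"""Added example: check an asset inventory against a KEV-style JSON feed.
The feed and inventory below are constructed samples, not live data."""
import json
from datetime import date

# Constructed feed in the shape of the KEV JSON (three CVEs from the briefing).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-2024-4761", "vendorProject": "Google", "product": "Chrome",
         "dueDate": "2024-06-06", "requiredAction": "Apply vendor mitigations (constructed text)"},
        {"cveID": "CVE-2014-100005", "vendorProject": "D-Link", "product": "DIR-600",
         "dueDate": "2024-06-06", "requiredAction": "Replace device or apply defenses (constructed text)"},
        {"cveID": "CVE-2021-40655", "vendorProject": "D-Link", "product": "DIR-605",
         "dueDate": "2024-06-06", "requiredAction": "Replace device or apply defenses (constructed text)"},
    ],
})

# Constructed inventory: CVE ids as a vulnerability scanner might report them.
SAMPLE_INVENTORY = [
    {"asset": "branch-router-01", "cves": ["CVE-2014-100005"]},
    {"asset": "workstation-17", "cves": ["CVE-2024-4761", "CVE-2023-0000"]},
    {"asset": "fileserver-02", "cves": ["CVE-2023-0000"]},
]


def load_kev(text: str) -> dict:
    """Index KEV entries by CVE id so lookups are O(1)."""
    feed = json.loads(text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_exposure(inventory: list, kev: dict, today: date) -> list:
    """Return one row per (asset, KEV entry) match, with days until the
    CISA due date (negative means overdue)."""
    rows = []
    for item in inventory:
        for cve in item["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in the catalog; handled by normal patch cadence
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": item["asset"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "days_until_due": (due - today).days,
                "required_action": entry["requiredAction"],
            })
    # Most urgent first.
    rows.sort(key=lambda r: r["days_until_due"])
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for row in kev_exposure(SAMPLE_INVENTORY, kev, date(2024, 5, 20)):
        print(f'{row["asset"]:18} {row["cve"]:16} {row["product"]:16} '
              f'due in {row["days_until_due"]:>3} days: {row["required_action"]}')
```

Run against the real catalog, the only changes are fetching the feed and replacing the inventory with scanner output; the matching logic and the due-date arithmetic stay the same.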