
Cyware Daily Threat Intelligence


Daily Threat Briefing May 21, 2024

Researchers disclosed a batch of vulnerabilities in QNAP NAS operating systems and published a proof-of-concept exploit for a critical remote code execution flaw (CVE-2024-27130), putting small and large businesses that expose these devices at risk. Another critical flaw, CVE-2024-4323 in the Fluent Bit logging agent, allows denial of service, information disclosure, or remote code execution through the agent's built-in HTTP server. Users should update to version 3.0.4 to mitigate the risk.

Turning to malware, SolarMarker, an information stealer that targets a wide range of sectors, now runs a multi-tiered infrastructure built to survive law enforcement takedown attempts. Separately, Akira ransomware was seen targeting SMEs with a privilege escalation technique that abuses the victim's virtualization layer to steal the Active Directory database (NTDS.dit). Combined with the exploitation of VMware and VPN weaknesses, this lets the attackers stay out of sight of endpoint defenses until the ransomware payload is deployed.

Top Malware Reported in the Last 24 Hours

SolarMarker malware goes multi-tiered

Threat actors behind SolarMarker have built out a layered infrastructure of primary and secondary server clusters that complicates takedown and mitigation. SolarMarker infiltrates systems through bogus download sites or malicious emails and deploys either a .NET-based backdoor or a Delphi-based hVNC backdoor. A new investigation mapped a multi-tiered architecture of command-and-control servers that gives the operators adaptability and resilience: taking down one tier does not disable the others.

Akira’s privilege escalation technique raises alarm

The Akira ransomware group recently employed a sophisticated tactic, breaching a victim's virtual environment to steal the NTDS.dit file, the Active Directory database that holds every domain account and its password hashes. Akira established a foothold by exploiting a VMware vCenter server vulnerability, then used stolen credentials to stand up its own virtual machines inside the network, where host-based security tooling had no visibility. Cracking or reusing the extracted hashes gave the attackers elevated privileges, enabling rapid lateral movement and ransomware deployment.

Top Vulnerabilities Reported in the Last 24 Hours

Critical RCE flaw in QNAP QTS

Researchers demonstrated a PoC attack for CVE-2024-27130, an RCE flaw in QNAP's QTS operating system that was publicly disclosed before a patch was available. The flaw is a stack-based buffer overflow in the share.cgi component caused by improper handling of user-supplied input, and the researchers noted that parts of the affected code have sat unchanged in the codebase for more than a decade. The same in-depth study of QNAP's QTS, QuTScloud, and QuTS hero products uncovered fifteen bugs in total.

Fluent Bit bug raises DoS and RCE concerns

A critical security flaw, CVE-2024-4323, dubbed Linguistic Lumberjack by Tenable Research, affects Fluent Bit versions 2.0.7 through 3.0.3 via the embedded HTTP monitoring server (off by default; it listens on port 2020 when enabled). The /api/v1/traces endpoint accepts a JSON body with an inputs array of input names; the server checks that inputs is an array but not that each element is a string, so a non-string value (an integer, for example) is handled as if it were a string and its bogus length and pointer trigger memory corruption. Depending on the value supplied, this yields a crash (DoS), leakage of adjacent memory, or potentially RCE. Instances whose monitoring API is reachable by untrusted clients should be upgraded to 3.0.4 or have the API restricted.
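The defect above is a type confusion in a decoded request, and the following added example models that bug class in C. It is illustrative code written for this briefing, not Fluent Bit's source: the struct names, the mp_* builders, the sample input names ("dummy.0", "tail.1"), the integer 0xBADF00D and the little-endian host are all assumptions, though the field order of mp_str deliberately mirrors msgpack's string object (a 32-bit size followed by a pointer) so that an integer written into the union lands on top of the size field.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type tag of a decoded msgpack-style value (subset used here). */
enum mp_type { MP_STR = 1, MP_INT = 2, MP_BOOL = 3 };

/* Same field order as msgpack's string object: a 32-bit size, then the
 * pointer. An integer written into the enclosing union overlays `size`
 * (little-endian host assumed, as on x86-64 and AArch64). */
struct mp_str {
    uint32_t size;
    const char *ptr;
};

struct mp_obj {
    enum mp_type type;
    union {
        struct mp_str str;
        int64_t i64;
        int boolean;
    } via;
};

/* Builders for the constructed sample bodies below (no real msgpack decoding). */
static struct mp_obj mp_string(const char *s)
{
    struct mp_obj o;
    memset(&o, 0, sizeof o);
    o.type = MP_STR;
    o.via.str.ptr = s;
    o.via.str.size = (uint32_t)strlen(s);
    return o;
}

static struct mp_obj mp_int(int64_t v)
{
    struct mp_obj o;
    memset(&o, 0, sizeof o);
    o.type = MP_INT;
    o.via.i64 = v;
    return o;
}

/* VULNERABLE pattern: the caller verified that "inputs" is an array, but each
 * element is read as a string without checking its type. For an integer
 * element, via.str.size and via.str.ptr hold whatever bytes the integer left
 * behind, so the size that later drives allocation and copying is attacker
 * chosen. This function stops at computing that size; the real bug went on to
 * copy `size` bytes from `ptr`, which is the memory-corruption step. */
static uint64_t vulnerable_total_name_len(const struct mp_obj *inputs, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += inputs[i].via.str.size; /* no type check */
    return total;
}

/* HARDENED pattern: refuse the whole request if any element is not a
 * well-formed string. Returns -1 on a malformed element, else the summed length. */
static int64_t hardened_total_name_len(const struct mp_obj *inputs, size_t n)
{
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (inputs[i].type != MP_STR || inputs[i].via.str.ptr == NULL)
            return -1;
        total += inputs[i].via.str.size;
    }
    return (int64_t)total;
}

/* Constructed sample: the decoded "inputs" array of a /api/v1/traces body,
 * either {"inputs":["dummy.0","tail.1"]} or, with a non-string element,
 * {"inputs":["dummy.0",195948557]} (0xBADF00D). Returns the element count. */
static size_t sample_inputs(int malicious, struct mp_obj out[2])
{
    out[0] = mp_string("dummy.0");
    out[1] = malicious ? mp_int(0xBADF00D) : mp_string("tail.1");
    return 2;
}

int main(void)
{
    struct mp_obj req[2];
    size_t n = sample_inputs(0, req);
    printf("benign:    vulnerable=%" PRIu64 " hardened=%" PRId64 "\n",
           vulnerable_total_name_len(req, n), hardened_total_name_len(req, n));
    n = sample_inputs(1, req);
    printf("malicious: vulnerable=%" PRIu64 " hardened=%" PRId64 "\n",
           vulnerable_total_name_len(req, n), hardened_total_name_len(req, n));
    return 0;
}
```

On the benign body both functions agree on 13 bytes; on the malicious body the type-blind version reports a length of 7 + 195948557 bytes taken straight from the attacker's integer, while the hardened version rejects the request. The general lesson is that validating the container (array) is not the same as validating its elements.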

CISA flags critical Mirth Connect flaw

CISA warned about a severe security flaw in NextGen Healthcare's Mirth Connect, adding it to the KEV catalog because of active exploitation by cybercriminals. The vulnerability, identified as CVE-2023-43208, allows unauthenticated RCE and stems from an incomplete fix for CVE-2023-37679 that shipped in version 4.4.0; the complete fix is in version 4.4.1. Both flaws arise from insecure use of the Java XStream library to unmarshal XML payloads, so organizations running versions before 4.4.1, and especially instances reachable from the internet, should upgrade.
