Cyware Daily Threat Intelligence

Daily Threat Briefing • May 24, 2024
In the realm where deeds bleed and alchemy thrives, emerges a digital specter, BLOODALCHEMY, poised to infiltrate Southeast Asian governments. It uses the DLL side-loading technique and can overwrite toolsets and gather confidential data. A Chinese APT is back in action with the KeyPlug backdoor that targets Windows and Linux, using different communication protocols.
The scalability of cloud platforms also fuels a rise in cryptomining attacks. For instance, the Kinsing malware exploited vulnerabilities in Apache Tomcat servers, hiding in innocent file locations to evade detection and mine Monero. Furthermore, Google released a Chrome update to fix the fourth zero-day flaw in two weeks and the eighth for the year. The high-severity type confusion flaw in the V8 JavaScript engine was being exploited in the wild.
Italian industries targeted with KeyPlug
Tinexta Cyber’s Zlab Malware Team uncovered a KeyPlug backdoor campaign that has been infiltrating various Italian industries for months. Attributed to APT41, KeyPlug targets both Windows and Linux systems using multiple communication protocols. The malware evades detection even with firewalls, NIDS, and EDR defenses in place. Its Windows variant uses a .NET framework loader to decrypt and execute its payload, while the Linux version employs VMProtect to complicate analysis.
BLOODALCHEMY malware linked to Deed RAT
BLOODALCHEMY, a malware targeting Southern and Southeastern Asian governments, is an updated version of Deed RAT, revealed cyber experts at Japan’s ITOCHU Cyber & Intelligence. BLOODALCHEMY uses DLL side-loading to infiltrate systems and execute malicious payloads. It gathers host data, loads additional malware, and self-terminates. Initial access is gained by compromising VPN maintenance accounts. Experts noted that BLOODALCHEMY and Deed RAT shared origins with ShadowPad.
Malware abuses Apache Tomcat for cryptomining
Operators behind the Kinsing malware are exploiting Apache Tomcat server vulnerabilities to infiltrate Linux-based cloud infrastructure for unauthorized cryptomining. The malware stays stealthy by hiding in innocuous-looking locations such as /var/cache/man/ directories, where it blends in with routine system files. The activity has been ongoing for over a year and employs an outdated XMRig cryptominer to mine Monero cryptocurrency.
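One defender-side check the item above suggests is a hunt for executables in directories that should only hold data, such as a man-page cache. The following is an added example, not code from Cyware or any of the cited researchers: it walks a directory tree and reports regular files that either carry an execute bit or begin with the ELF magic bytes. The sample tree it builds under a temporary directory (a benign index file plus one planted ELF-headed, executable file) is constructed for the demonstration; the file names and layout are assumptions, not artefacts from the Kinsing campaign.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(path):
    """True if the file starts with the ELF header bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_suspicious_files(root):
    """Walk `root` and return regular files that are ELF binaries or carry an
    execute bit. A man-page cache should contain only index and text data, so
    any hit deserves a look (expect occasional false positives from unusual
    packaging). Symlinks are skipped; os.walk does not descend into them."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if executable or is_elf(p):
                hits.append(p)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (assumption, not real campaign data): a benign
    index file plus one planted ELF-headed, executable file in a subdirectory.
    Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="man-cache-sample-")
    with open(os.path.join(root, "index.db"), "wb") as f:
        f.write(b"benign man-db index data")
    sub = os.path.join(root, "cat1")
    os.mkdir(sub)
    planted = os.path.join(sub, "planted.bin")
    with open(planted, "wb") as f:
        # Minimal ELF-looking header: magic, 64-bit class, little-endian, version 1
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    os.chmod(planted, 0o755)
    return root


if __name__ == "__main__":
    # Real use: point it at the cache directory named in the report.
    for hit in find_suspicious_files("/var/cache/man"):
        print("suspicious:", hit)
```

Running the script with no arguments scans /var/cache/man on the host; `build_sample_tree()` exists so the logic can be exercised offline. Scheduling this as a periodic job, or feeding the same predicate into an existing file-integrity monitor, gives a cheap signal for the hiding technique described above.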
Malicious PyPI and NPM packages targeting macOS
Cybersecurity researchers at GuardDog uncovered a string of malicious software packages on PyPI and NPM. The investigation, which began with the suspicious "reallydonothing" package, revealed a common structure among the malicious packages. Threat actors overrode the setup commands in the setup.py file so that malicious code ran upon installation, targeting macOS systems by searching for specific file patterns.
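The pattern described above, a setup.py that replaces a setuptools command so arbitrary code runs at `pip install` time, can be spotted statically before a package is installed. The following is an added example written for this briefing, not code from GuardDog or the cited researchers: it parses setup.py with Python's `ast` module, flags classes that subclass an install-time command (`install`, `develop`, `egg_info`, `build_py`) whose `run()` calls a process-spawning or network function, and flags any `cmdclass` argument passed to `setup()`. The list of suspicious call targets and the two sample setup.py texts are constructed for the demonstration; the sample is modelled on the described technique, not copied from the real package, and a production audit would also resolve aliases such as `from subprocess import Popen`.

```python
import ast

# Call targets that have no business in an install hook. Constructed list, not
# exhaustive: aliased imports (e.g. `from subprocess import Popen`) are not resolved.
SUSPICIOUS_PREFIXES = ("os.system", "os.popen", "os.exec", "subprocess.",
                       "urllib.request", "requests.")
SUSPICIOUS_NAMES = {"exec", "eval", "__import__"}
# setuptools command classes whose run() executes during `pip install`.
COMMAND_BASES = {"install", "develop", "egg_info", "build_py"}


def _dotted(node):
    """Return a 'subprocess.run'-style name for a call target, or '' if the
    target is not a simple Name/Attribute chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _is_suspicious(name):
    return name in SUSPICIOUS_NAMES or name.startswith(SUSPICIOUS_PREFIXES)


def audit_setup_py(source):
    """Statically inspect setup.py text and return human-readable findings.
    An empty list means nothing matched the heuristics (not proof of safety)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            # Only classes that override an install-time command are interesting.
            bases = {_dotted(b).split(".")[-1] for b in node.bases} & COMMAND_BASES
            if not bases:
                continue
            for item in node.body:
                if isinstance(item, ast.FunctionDef) and item.name == "run":
                    for sub in ast.walk(item):
                        if isinstance(sub, ast.Call) and _is_suspicious(_dotted(sub.func)):
                            findings.append(
                                f"{node.name}.run() overrides {sorted(bases)[0]} and calls "
                                f"{_dotted(sub.func)}() at line {sub.lineno}")
        elif isinstance(node, ast.Call) and _dotted(node.func) == "setup":
            for kw in node.keywords:
                if kw.arg == "cmdclass":
                    findings.append(
                        f"setup() registers a custom cmdclass at line {node.lineno}; review it")
    return findings


# Constructed sample modelled on the described technique (not the real package).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import glob, os

class PostInstall(install):
    def run(self):
        install.run(self)
        for path in glob.glob(os.path.expanduser("~/*.example")):
            os.system("true")

setup(name="constructed-sample", version="0.0.1",
      cmdclass={"install": PostInstall})
'''

# Constructed benign sample: no command overrides at all.
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="harmless", version="1.0")\n'


if __name__ == "__main__":
    for finding in audit_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against a downloaded sdist's setup.py (`pip download --no-deps --no-binary :all: <name>` fetches the archive without installing it) before the package ever reaches a build host. The `cmdclass` finding is deliberately noisy: legitimate packages do use custom commands, so it is a prompt to read the class, while the `run()` finding is the stronger signal.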
Google patches another exploited zero-day
Google issued an emergency security update to address the eighth actively exploited zero-day vulnerability in the Chrome browser this year. Discovered internally by Google’s Clément Lecigne, the high-severity flaw (CVE-2024-5274) is a type confusion bug in Chrome’s V8 JavaScript engine. This vulnerability allows for crashes, data corruption, and arbitrary code execution. Google has not disclosed technical details to prevent further exploitation and to protect users.
CISA adds Apache vulnerability to its catalog
CISA added CVE-2020-17519, an improper access control flaw in Apache Flink, to its KEV catalog due to evidence of active exploitation. The flaw allows remote unauthenticated attackers to read any file on the JobManager's local filesystem via its REST interface. Affected versions are 1.11.0, 1.11.1, and 1.11.2; fixes have been available in versions 1.11.3 and 1.12.0 since January 2021.
GitLab addresses high-severity XSS bug
GitLab swiftly patched a critical XSS vulnerability, CVE-2024-4835, in its VS Code editor (Web IDE). The flaw could allow threat actors to compromise user accounts and steal sensitive data through malicious pages. Although exploitation requires some user interaction, the flaw affects GitLab versions 15.11 to 17.0. GitLab promptly released patched versions (17.0.1, 16.11.3, and 16.10.6) for the Community and Enterprise Editions and urged immediate upgrades.