Cyware Daily Threat Intelligence

Daily Threat Briefing • May 29, 2024
A new North Korean threat actor, with alleged links to the Lazarus group, was found targeting multiple sectors with bespoke malware and ransomware via fake companies, trojanized tools, and malicious games. Separately, Proofpoint identified piano-themed advance fee fraud emails that have targeted students and faculty at North American colleges, as well as other industries, since January.
Threat actors have also been abusing Cloudflare Workers to target individuals in Asia, North America, and Southern Europe, using HTML smuggling and transparent phishing to harvest sensitive data such as Microsoft login credentials. What's more, researchers have released a proof-of-concept exploit for a FortiSIEM vulnerability; monitoring logs for exploitation attempts is advised.
New threat actor launches malware campaign
A new North Korean threat actor, Moonstone Sleet, is targeting software, IT, education, and defense sectors with ransomware and custom malware. Using tactics like creating fake companies and job opportunities, Moonstone Sleet delivers malware through trojanized tools, fake games, and malicious npm packages. The group has been observed employing sophisticated phishing techniques and launching ransomware attacks, including a notable attack demanding $6.6 million in Bitcoin.
Kiteshield-packed ELF files contain malware
Researchers scrutinized a batch of suspicious ELF files exhibiting sophisticated evasion techniques such as anti-debugging measures, obfuscation, and encryption. These files, which initially evaded antivirus detection, were found to be packed with Kiteshield, a Linux packer that encrypts and protects ELF binaries. Kiteshield employs several obfuscation tactics, including XOR-based encryption of the loader's keys and string obfuscation, to hinder analysis; the packer itself is a legitimate tool, so the packing alone is a signal to unpack and inspect, not a verdict.
Critical flaws discovered in Slider Revolution plugin
An audit by Patchstack revealed two significant vulnerabilities in the widely used Slider Revolution plugin for WordPress, which has over 9 million active users. The flaws are an unauthenticated stored XSS vulnerability and a broken access control issue in the plugin's REST API endpoints, which together could allow unauthorized users to steal sensitive information and manipulate slider data. Patchstack recommends updating to version 6.7.11 or higher to mitigate these risks.
PoC exploit released for Fortinet SIEM flaw
Security researchers at Horizon3's Attack Team released a PoC exploit for an RCE vulnerability, CVE-2024-23108, in Fortinet's FortiSIEM. The exploit allows unauthenticated attackers to execute commands as root on internet-facing FortiSIEM appliances. Fortinet had previously warned of this critical vulnerability, along with CVE-2024-23109, in February. The affected versions span multiple FortiSIEM releases. CERT-EU also issued an advisory urging immediate updating of affected systems, and administrators should verify that FortiSIEM management interfaces are not reachable from the internet.
Advance fee fraud scam targets American universities
Proofpoint identified a series of malicious email campaigns using piano-themed messages to conduct advance fee fraud scams. Experts spotted over 125,000 messages targeting primarily students and faculty at North American colleges and universities, along with the healthcare and food and beverage sectors. The scam offers a free piano and asks victims to pay a fake shipping company for delivery. Payments are requested via Zelle, Cash App, PayPal, Apple Pay, or cryptocurrency.
Attack campaigns abuse Cloudflare Workers
Netskope Threat Labs identified an advanced phishing campaign leveraging Cloudflare Workers, a serverless computing platform, as hosting for the phishing infrastructure. The campaigns employ two main techniques: HTML smuggling and transparent phishing. HTML smuggling hides an encoded payload inside an otherwise benign-looking HTML page and lets the victim's browser decode and assemble the phishing page locally, so the malicious content never crosses the network in a form that perimeter inspection readily recognizes. Transparent phishing places the attacker's Worker as a reverse proxy between the victim and the legitimate login page, relaying the real page while capturing credentials and session cookies in transit.