Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing November 14, 2023

Hamas-Israel cyberwar update - BlackBerry warned of a Windows version of the BiBi-Wiper malware that previously targeted Linux systems in cyberattacks against Israel. The Windows variant expands the threat to end user machines, overwriting data and deleting shadow copies to hinder file recovery. In other news, a security analysis of PyPI packages uncovered close to 4,000 hardcoded credentials with many posing an immediate threat. Configuration/documentation files like .json and .yml, along with 'readme' files, were also identified as storing credentials. Experts say accidentally published files are a more common issue here.

The ongoing conflict between innovation and exploitation once again highlighted the need for constant vigilance in cryptographic security. Digital adversaries swindled $60 million from roughly one million individuals by exploiting Ethereum network’s CREATE2 opcode.

Top Breaches Reported in the Last 24 Hours

Ransomware attack hits Texas hospital

Cogdell Memorial Hospital, a critical access hospital in Texas, suffered a ransomware attack by the Lorenz extortion group. The incident impacted the hospital's computer network, leading to restricted access to systems and phone system operability. The Lorenz group claimed over 400GB of data theft, including internal files, patient medical images, and employee email communications.

Attackers cripple Danish critical infrastructure

Russian GRU carried out coordinated attacks on 22 companies in Denmark, which is touted to be the largest attack in the latter’s history so far. These organizations oversee the nation's energy infrastructure. Attackers exploited zero-day vulnerabilities in Zyxel firewalls to hack into the systems. They demonstrated meticulous planning, exploiting vulnerabilities, tracked as CVE-2023-28771, to gain remote access to industrial control systems.

Cyberattack impacts 2.2 million patients

Michigan-based McLaren Health Care confirmed falling victim to a cyberattack earlier this year, affecting 2.2 million patients. The healthcare provider spotted suspicious activities in its systems three weeks after the intrusion began. The compromised data includes patient names, birth dates, SSNs, and extensive medical information. The ALPHV (BlackCat) ransomware gang claimed responsibility for the breach in October, boasting access to sensitive information.

Second data incident within a short period

Chess[.]com, the popular online platform for chess enthusiasts, suffered a second data leak within a week. This incident involves the exposure of nearly 500,000 user records, including sensitive information such as full names, usernames, email addresses, profile links, and more. The leak is distinct and unrelated to the previous one, affecting approximately 828,327 users. The threat actor responsible for the recent leak claims to have acquired access to four more scraped databases.

Boeing LockBit feud escalated

Boeing is facing a significant data breach by the LockBit ransomware gang. The attackers warned Boeing about the potential public release of stolen data and threatened to publish a sample if their ransom demands were not met. After Boeing refused to pay, LockBit leaked over 43GB of files, including sensitive data such as configuration backups, audit logs, and logs on monitoring tools.

Top Malware Reported in the Last 24 Hours

BiBi-Windows wiper targets Israeli entities

Cybersecurity researchers warn of the BiBi-Windows Wiper, a Windows malware associated with a pro-Hamas cybercriminal group targeting Israel. The malware, a counterpart to BiBi-Linux Wiper, overwrites data with junk data, deletes shadow copies, and exhibits multithreading capabilities. The group behind this aims to disrupt Israeli companies' operations using data destruction. Tactical overlaps with another actor, Moses Staff (suspected to be of Iranian origin), have been identified.

Ducktail stealer hijacks Facebook account

Threat actors used the Ducktail stealer to target marketing professionals in India between March and October, revealed security experts. Unlike previous campaigns using .NET applications, this one utilized Delphi as the programming language. Victims received archive files posing as PDFs, launching a PowerShell script and rogue library to alter browser shortcuts. The rogue extension, disguised as Google Docs Offline, sent information to a server in Vietnam, hijacking Facebook business accounts.

Hardcoded credentials found in PyPI packages

GitGuardian and researcher Tom Forbes discovered nearly 4,000 unique secrets, including valid credentials, hardcoded in almost 3,000 Python packages on PyPI. Over 760 of these secrets were confirmed as valid, posing an immediate threat to organizations. The leaked secrets included AWS, Azure AD, GitHub, MongoDB, MySQL, PostgreSQL, SSH, Coinbase, and Twilio Master credentials.

Top Vulnerabilities Reported in the Last 24 Hours

Private RSA keys can be snooped on

A study conducted by researchers at the University of California, San Diego, revealed a potential security risk in certain devices' SSH connections. The researchers demonstrated the ability to snoop on SSH connections and impersonate equipment by deducing private RSA keys. A Man-in-the-Middle (MitM) attack could allow attackers to silently observe users' login details and monitor their activities on remote SSH servers. The vulnerability primarily affects some IoT and embedded devices using RSA keys.

Top Scams Reported in the Last 24 Hours

Ethereum network exploited to steal $60 million

Cybercriminals are reportedly exploiting the Ethereum network's CREATE2 opcode, bypassing security measures in specific wallets, which has been leading to substantial losses for cryptocurrency investors. The opcode, originally designed for contract address anticipation, is now used by scammers to create addresses with bad signatures, evading security checks. Uniswap's decentralized exchange is notably affected. Investigations by Scam Sniffer and SlowMist reveal that one group collected $60 million from nearly 99,000 victims in six months.

Related Threat Briefings

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 4, 2025

Cyware Daily Threat Intelligence, July 04, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan. When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder. Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.

Jul 2, 2025

Cyware Daily Threat Intelligence, July 02, 2025

It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Victims are tricked into running a fake AppleScript update that launches Nim-compiled binaries with advanced techniques like signal-based persistence, process injection, and encrypted WebSocket communication. It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.

Jun 30, 2025

Cyware Daily Threat Intelligence, June 30, 2025

Cybercriminals are sharpening their bait, whether it’s fake installers, hijacked Bluetooth connections, or internal-looking spoofed emails. A new malware campaign uncovered by Netskope is stealthily infecting victims using fake installers of popular Chinese-language software like WPS Office and Sogou to deploy a cocktail of malware, including Sainbox RAT (a Gh0stRAT variant) and a powerful rootkit. Meanwhile, Bluetooth devices from top audio brands, such as Bose, Sony, and Beyerdynamic, are under scrutiny after researchers disclosed three critical flaws in Airoha chipsets (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Exploiting these vulnerabilities could let attackers hijack Bluetooth connections, snoop on calls, access contacts, or even rewrite firmware for remote code execution. In a new phishing campaign flagged by Varonis, attackers are abusing Microsoft 365’s Direct Send feature to impersonate internal users and send phishing emails without ever breaching a mailbox. By exploiting the lack of authentication in Direct Send, the campaign sidesteps standard email protections like SPF and DMARC.

Jun 26, 2025

Cyware Daily Threat Intelligence, June 26, 2025

A phishing email is all it takes to breach critical infrastructure. The OneClik APT campaign is targeting energy and oil sectors using Microsoft ClickOnce to deliver a .NET loader and Golang backdoor. The malware uses AWS infrastructure to hide in plain sight, evolving through multiple variants with increasingly stealthy techniques. What do a server board, a home router, and a firewall have in common? They’re all vulnerable, and now officially on CISA’s hit list.CISA has added three exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. A familiar name in your WhatsApp inbox might not be who you think it is. APT42 is targeting Israeli cybersecurity experts and academics through highly personalized spear-phishing campaigns. By posing as journalists or researchers and using platforms like WhatsApp, they lure victims to phishing pages disguised as Google Meet, aiming to steal credentials. With over 100 domains linked to the campaign, the scope likely extends well beyond Israel.

Jun 25, 2025

Cyware Daily Threat Intelligence, June 25, 2025

A familiar package name could be hiding far more than useful code. North Korean actors behind the Contagious Interview campaign have published 35 malicious npm packages, including keyloggers and multi-stage malware loaders like HexEval and InvisibleFerret. By mimicking popular libraries, they’ve tricked thousands of developers into pulling in backdoors designed for cross-platform surveillance. Search results for AI tools are leading users straight into malware traps. Researchers uncovered a campaign that abuses SEO tactics to rank malicious sites for AI-related queries. These sites distribute payloads like Vidar Stealer and Lumma, wrapped in deceptive installers and ZIP files, while using obfuscation techniques like XOR encryption and browser fingerprinting to stay hidden. Even AI model frameworks aren’t immune to critical flaws. NVIDIA has patched two vulnerabilities in its Megatron-LM framework that could allow attackers to inject code or escalate privileges. The bugs, affecting the Python component, pose a serious risk to model integrity and data security if left unpatched.