Cyware Daily Threat Intelligence, November 19, 2024
Daily Threat Briefing • Nov 19, 2024
We use cookies to improve your experience. Do you accept?
Daily Threat Briefing • Nov 19, 2024
As cyber threats grow more sophisticated, attackers are leveraging tailored tactics to exploit both individuals and organizations. BabbleLoader, a stealthy malware loader, is delivering information stealers like WhiteSnake and Meduza, targeting users searching for cracked software and professionals in finance and administration by disguising itself as accounting software. Its advanced evasion techniques bypass antivirus and sandbox defenses, disrupting analysis and detection.
Critical vulnerabilities are also under scrutiny. The LibreNMS project revealed CVE-2024-51092, a flaw in its network monitoring platform that allows authenticated attackers to execute OS commands and potentially take over servers. Users are strongly advised to update to version 24.10.0 to mitigate these risks.
Meanwhile, phishing campaigns continue to escalate. DocuSign phishing attacks targeting state and municipal contractors have surged by 98% in just one week. Exploiting licensing cycles and spoofing government agencies like the Department of Health, these campaigns aim to trick businesses into signing fake documents for financial gain.
New BabbleLoader spotted
A new stealthy malware loader called BabbleLoader is being used to deliver information stealer families such as WhiteSnake and Meduza. BabbleLoader is designed to bypass antivirus and sandbox environments by employing advanced evasion techniques. The loader targets English and Russian speakers, singling out users looking for generic cracked software and business professionals in finance and administration by passing it off as accounting software. BabbleLoader packs various evasion techniques to fool conventional and AI-based detection systems, disrupts static analysis, and takes steps to impede analysis in sandboxed environments.
The expanding threat of Helldown ransomware
Sekoia discovered a Linux variant of the Helldown ransomware, indicating that attackers are expanding their targets. Helldown uses Windows ransomware derived from LockBit 3.0 code, suggesting a focus on virtual infrastructures like VMware. Originally documented in August 2024, Helldown targets sectors such as IT, telecommunications, manufacturing, and healthcare by exploiting security vulnerabilities. It usually gains entry through Zyxel firewalls, followed by persistence, credential harvesting, and deploying ransomware. The Windows variant deletes system files to cover tracks, while the Linux variant is less sophisticated but can encrypt files.
Water Barghest monetizes IoT devices
Water Barghest's sophisticated operation has been found exploiting and monetizing IoT devices while maintaining a low profile. The group’s botnet had compromised over 20,000 devices and now uses automated scripts to detect and infect vulnerable IoT devices from public internet scan databases such as Shodan. Once compromised, the gang deploys Ngioweb malware, runs in memory, and connects to C2 servers. The gang targets IoT devices from Cisco, DrayTek, Netgear, Synology, Zyxel, etc using n-day flaws and one zero-day exploit.
Chinese hackers exploit VPN 0-day
Chinese threat actors are using a toolkit called DeepData to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client, allowing them to steal credentials. The hackers, known as BrazenBamboo, use malware like LightSpy and DeepPost to steal data from compromised devices. DeepData's latest version targets FortiClient, extracting credentials from memory and sending them to attackers. By compromising VPN accounts, BrazenBamboo gains access to corporate networks for espionage.
Critical LibreNMS flaw causes server takeover
The LibreNMS project disclosed a critical vulnerability (CVE-2024-51092) affecting versions up to 24.9.1 of its network monitoring platform. This flaw allows authenticated attackers to run OS commands, potentially taking over the server. The issue involves design flaws like OS command injection, configuration parameter poisoning, and arbitrary directory creation. An attacker can chain these flaws to achieve code execution. The problem is fixed in version 24.10.0, and users are advised to update promptly to avoid risks.
High-risk issue in Veritas NetBackup patched
A high-risk flaw, CVE-2024-52945, was identified in Veritas NetBackup before 10.5. This only applies to NetBackup components running on Windows OS. If a user executes specific NetBackup commands or perpetrators use social engineering techniques to impel the user to execute the commands, a rogue DLL could be loaded. This causes the attacker’s code to execute in the security context of the user. It's highly recommended that users upgrade to Veritas NetBackup version 10.5 or newer to mitigate the risks posed by this flaw.
Surge in DocuSign phishing attacks
There has been a surge in DocuSign phishing attacks targeting businesses that work with state and municipal authorities. These attacks have seen a 98% rise between November 8 and November 14 as compared to all of September and October. Phishers are spoofing government agencies such as the Department of Health, the City of Milwaukee, and the North Carolina Licensing Board to trick contractors into signing fake documents for financial gain. The attacks use legitimate DocuSign infrastructure, timing when businesses expect licensing cycles, and include industry-specific terminology.
Malvertising campaign exploits Facebook
Bitdefender Labs has detected malvertising campaigns using fake ads on Facebook to trick users into installing a harmful Bitwarden browser extension disguised as a security update. The campaign targets users across Europe and uses redirect chains to lead to a phishing page. Once installed, the malicious extension collects personal data and targets Facebook business accounts. The attack involves a multi-step process to lure users and manipulate browser security checks. The extension requests extensive permissions and collects and exfiltrates data to a C2 server.
QuickBooks popup scam delivery via Google ads
QuickBooks users are targeted by India-based scammers through fake popups and fraudulent phone numbers, posing a threat to user data and security. Scammers use fake Google ads and websites to trick users into downloading a program that generates a fake error message, prompting them to call a fraudulent phone number for assistance. The program also installs a backdoor zeform.exe, which is disguised as a legitimate QuickBooks installer.