Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 22, 2023
The LummaC2 info-stealer has a new trick up its sleeve to bypass recent restrictions introduced by Google. A new feature added to the malware allows cybercriminals to restore expired Google authentication cookies and hijack accounts, even after the owners have logged out. The development comes just a day after the stealer was found using trigonometry-based checks as part of new evasion tactics. In other trending news from the last 24 hours, threat actors behind the now-defunct Qakbot have been found using DarkGate and PikaBot as malware loaders to perform ransomware and espionage attacks.
Besides, there’s an update on the relatively new ClearFake campaign. The attackers behind the campaign are now using fake browser updates to infect macOS systems with the Atomic Stealer malware.
AutoZone emerges as a new victim of MOVEit
Auto parts giant AutoZone disclosed in a notification that the data of around 184,995 people was affected in the Cl0p MOVEit file transfer attacks that occurred earlier this year. It took the company three more months to determine what data the intruders had stolen from its systems, and the listing with the Office of the Maine Attorney General mentioned full names and Social Security numbers among the breached data.
TmaxSoft leaks 2TB of data
An unsecured Kibana instance belonging to TmaxSoft, a Korean IT company, exposed over 2TB of data containing over 50 million sensitive records. The leaked data included names, email addresses, phone numbers, contents of sent attachments, and contract numbers of employees. According to Cybernews, the data was left open to the public for two years.
Kronos loses $26 million
Cryptocurrency trading and investment firm Kronos Research experienced a cyberattack that resulted in a loss of 12,800 ETH, worth around $26 million. The company stated that attackers gained unauthorized access to some of its APIs and used them to drain the funds from its systems. The stolen amount was distributed to six different wallets.
BeaverTail and InvisibleFerret discovered
North Korea-based threat actors deployed two new malware families, BeaverTail and InvisibleFerret, in a couple of campaigns targeting job seekers. Both are designed to perform data theft on Windows, Linux, and macOS systems. While InvisibleFerret is a Python-based backdoor, BeaverTail is distributed as JavaScript inside npm packages.
Update on features added to LummaC2 stealer
Lumma Stealer (aka LummaC2) has been upgraded with a new feature that allows cybercriminals to restore expired Google cookies. This enables the attackers to gain unauthorized access to Google accounts even after the legitimate owner has logged out or their session has expired. The feature is sold on a subscription basis, and the forum listing boasts that attackers can restore Google cookies using a key taken from restore files.
ClearFake campaign expands
The relatively new ClearFake campaign has expanded its operation to deliver Atomic Stealer on macOS systems. The campaign leverages SEO poisoning to advertise fake browser updates for Safari or Chrome browsers and trick users into downloading the malware. The malware is embedded within a password-protected DMG file.
Konni RAT observed in an active campaign
Security researchers observed an ongoing Konni RAT campaign that leverages a Russian-language Word document purporting to be an assessment of Russia’s so-called Special Military Operation. A VBA script is triggered upon opening the document, which runs and performs system checks, UAC bypass, and DLL file manipulations on victims’ systems. The subsequent script stops redundant execution, copies files, creates a new service, and configures registry settings. The final payload encrypts its C2 configuration using AES-CTR encryption and gathers system information.
DarkGate and PikaBot replace QBot
DarkGate and PikaBot have emerged as successors of the Qakbot (QBot) trojan, indicating that the threat actors behind the now-defunct trojan are using the two malware loaders, which offer features similar to QBot, to perform ransomware, espionage, and data theft attacks. Cofense researchers drew this conclusion from phishing campaigns that use tactics and techniques similar to previous QBot campaigns. One of these campaigns was observed hijacking email threads in September.
Looney Tunables Linux flaw added to KEV
CISA added the Looney Tunables Linux vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating exploitation in the wild. The flaw, tracked as CVE-2023-4911, can enable attackers to execute code with elevated privileges. It affects multiple Linux distributions, including Debian, Fedora, and Ubuntu. Researchers at Qualys' Threat Research Unit disclosed the vulnerability last week and published a PoC exploit.
Update on Citrix Bleed mitigation measure
As an additional mitigation measure, Citrix urged admins to terminate all NetScaler user sessions after patching their vulnerable devices against the Citrix Bleed vulnerability (CVE-2023-4966), since session tokens stolen before the patch remain valid until the sessions are killed. This follows mass exploitation of the vulnerability by ransomware groups like LockBit and other threat actors across the globe. One instance was reported by researchers from Mandiant, who observed exploitation of this vulnerability as a zero-day since late August.
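The session-termination step above, as an added example of the NetScaler CLI commands an administrator runs over SSH on the appliance after the patch is installed. This is not Citrix's advisory text; it assumes a NetScaler ADC or Gateway with the standard CLI, and the commands invalidate every active session (including any hijacked ones), so users will have to log in again.

```text
Log in to the NetScaler CLI (nsroot or an admin account) after applying the patched build.

Terminate all active ICA/HDX, RDP and PCoIP gateway connections:
> kill icaconnection -all
> kill rdp connection -all
> kill pcoipConnection -all

Terminate all AAA (authentication) sessions so stolen session tokens stop working:
> kill aaa session -all

Clear load-balancing persistence entries tied to the old sessions:
> clear lb persistentSessions

Persist the running configuration:
> save ns config
```

Run the same sequence on every node in an HA pair or cluster, and review authentication logs for sessions that predate the patch.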