We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence, November 27, 2024

shutterstock 2140156719 (1)

Daily Threat Briefing Nov 27, 2024

From IoT devices to Telegram bots, threat actors are weaponizing the digital landscape. The Matrix threat actor has orchestrated a massive DDoS campaign targeting servers in China, Japan, and the U.S. Using open-source tools and Mirai variants, they monetize their attacks through cryptocurrency payments via Telegram bots like Kraken Autobuy.

A single click isn’t needed when zero-click exploits are in play. RomCom hackers used zero-day vulnerabilities in Mozilla Firefox and Windows to infect systems across Europe and North America. These exploits, patched in October and November, respectively, allowed malware installation via rogue websites.

Scammers are minting opportunities from the NFT craze. By impersonating OpenSea, phishing emails trick users into connecting wallets on fake websites, putting their crypto assets at risk. 

Top Malware Reported in the Last 24 Hours

Matrix hits IoT devices in massive DDoS campaign

A threat actor Matrix staged a novel and widespread DDoS campaign by leveraging accessible tools to hit IoT devices and entity servers. The attacks hit IP addresses in China, Japan, Argentina, Australia, Brazil, and the U.S. Matrix uses a mix of Python, Shell, and Golang-based scripts sourced from GitHub; utilizes tools like Mirai variants, SSH scanners, and Discord bots; and monetizes services via a Telegram bot "Kraken Autobuy", offering DDoS plans for cryptocurrency payments. Combating this threat requires changing default credentials, securing administrative protocols, applying timely firmware updates, and monitoring for exposed flaws.

Credit card skimmer attacks Magento websites

A sophisticated skimmer has been targeting Magento websites to rob payment data, either by creating a phony credit card form or extracting payment fields directly. Depending on the malware variant, it activates only on checkout pages. The encrypted stolen data is exfiltrated to a remote server. The malware was detected through routine inspection and is currently affecting 8 websites.

Top Vulnerabilities Reported in the Last 24 Hours

Russian hackers use Firefox and Windows zero-days

Russian-linked hacking group RomCom exploited bugs in Mozilla Firefox (CVE-2024-9680) and Microsoft Windows (CVE-2024-49039) to target users in Europe and North America. Researchers observed that RomCom used two earlier unknown zero-day bugs in a massive attack that let them deploy a "zero-click" exploit, installing malware remotely without user interaction. RomCom capitalized on these bugs via rogue websites to infect target systems with backdoor malware, granting them extensive access. Mozilla fixed the Firefox bug on October 9, while Microsoft patched the Windows bug on November 12, after a report from Google’s TAG.

NVIDIA fixes high-risk flaw in UFM products

A high-risk security flaw, CVE-2024-0130, affecting NVIDIA's UFM Enterprise, UFM Enterprise Appliance, UFM SDN Appliance, and UFM CyberAI products could let hackers gain escalated privileges, tamper with data, deny service, and reveal sensitive data. The flaw emerges from an improper authentication issue, which is exploitable via the Ethernet management interface. Firmware updates are available in the NVIDIA Enterprise Support Portal.

NachoVPN attack delivers rogue updates

A group of flaws, dubbed NachoVPN, enables rogue VPN servers to install harmful updates on unpatched Palo Alto and SonicWall SSL-VPN clients. AmberWolf researchers discovered that hackers can bait victims into connecting to these rogue servers via phishing or social engineering to grab login details, run unauthorized code, and install malware via updates or bogus certificates. SonicWall issued fixes for its NetExtender flaw two months after it was reported, while Palo Alto Networks provided updates for its GlobalProtect flaw seven months post-notification. AmberWolf introduced an open-source tool NachoVPN that simulates these rogue servers and can exploit the flaws. 

Top Scams Reported in the Last 24 Hours

Researchers unveil advanced phishing tactics

A U.K-based insurance customer experienced a phishing attack that started when a deletion rule was created in an executive's mailbox from a U.S. IP address. This rule deleted emails with a specific keyword. Researchers identified this attack via a phishing email that originated from a shipping entity's CEO, likely having been compromised. The phishing email linked to a PDF on an AWS server and tricked users by resembling a OneDrive message. The phisher led users to a bogus Microsoft login page to extract credentials. Recommendations include using strong passwords and MFA.

OpenSea users targeted in phishing scam

A phishing scam is targeting NFT users by pretending to be the OpenSea marketplace. Scammers trick users by sending seemingly genuine emails coming from misleading addresses to induce urgency and excitement to prompt clicks. When users click the provided link, they are sent to a phony website mimicking OpenSea and are asked to connect their wallets, risking their crypto assets. Users should avoid suspicious offers, access OpenSea directly, and use secure methods for their crypto assets.

Related Threat Briefings