
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 29, 2023

Software cracks remain one of the most reliable malware lures. A variant of the Djvu ransomware, itself an offshoot of the STOP family, was found spreading through cracked software. The updated edition relies on a pay-per-install malware downloader service that contacts a C2 server and retrieves a range of stealer and loader malware families alongside the ransomware. Separately, Google fixed an actively exploited zero-day in the Chrome browser, an integer overflow in the Skia 2D graphics library. It is the sixth Chrome zero-day patched in 2023.

New findings have surfaced about a sophisticated Android malware campaign, ongoing since July, that targets customers of Iranian banks. The campaign has added evasion tactics, now involves more than 200 malicious apps, and has widened its targeting to more banks and to cryptocurrency wallet apps.

Top Breaches Reported in the Last 24 Hours

PLAY ransomware adds 17 new victims

The PLAY ransomware group has added 17 new victims to its leak list, comprising companies based in the U.S., the U.K., the Netherlands, and Canada. The group published the list on its dark web portal, threatening to release the stolen data if ransoms are not paid by December 4. The victims span IT services, outsourcing, retail, real estate, shipping, engineering, consulting, and management services.

Space agency suffers data breach

The Japan Aerospace Exploration Agency (JAXA) reported a cyber incident and suspects a breach, possibly affecting its Active Directory server. It immediately shut down part of its network, including the intranet, while seeking outside assistance to assess the full extent of the incident. The government believes no sensitive information has been stolen. JAXA has suffered breaches before, in 2012 and 2016.

LockBit 3.0 hits Egyptian payment provider

The LockBit 3.0 ransomware group claims to have encrypted files and exfiltrated data from Egyptian e-payment provider Fawry. The incident came to light when LockBit published a sample of the allegedly stolen data on its dedicated leak site. Fawry has confirmed the breach and believes the exposed data may include personal details of customers involved in a system migration project.

Major automotive parts supplier hit by Qilin

The Qilin ransomware group claimed responsibility for a recent cyberattack on Yanfeng Automotive Interiors, one of the world's largest automotive parts suppliers. The attack reportedly disrupted production at Stellantis' North American plants. The ransomware gang has threatened to release stolen data, including financial documents and internal reports, in the coming days. Yanfeng's website was inaccessible during the incident.

Top Malware Reported in the Last 24 Hours

GoTitan and PrCtrl RAT abuse ActiveMQ bug

Threat actors are exploiting the recently disclosed critical vulnerability in Apache ActiveMQ (CVE-2023-46604) to distribute the GoTitan botnet and PrCtrl RAT, a .NET program capable of remote control. Several groups, including the Lazarus group, have weaponized the flaw. Following successful exploitation, attackers drop GoTitan, a payload built for orchestrating DDoS attacks, while PrCtrl RAT connects to its C2 server to receive and execute further commands on the compromised system.
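The first thing a defender needs for this item is a list of which brokers are still exposed. The script below is an added example, not Cyware's or Apache's code; it checks ActiveMQ version strings against the first fixed release on each maintained branch as published in the Apache advisory for CVE-2023-46604, and runs over a constructed sample inventory (the hostnames are made up).

```python
"""Flag Apache ActiveMQ instances still exposed to CVE-2023-46604.

Added example; the fixed versions are the ones listed in the Apache
advisory, the inventory below is constructed for illustration.
"""
import re

# First release carrying the fix on each maintained 5.x branch
# (Apache advisory for CVE-2023-46604).
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text: str) -> tuple:
    """Pull major.minor.patch out of banners such as '5.17.3',
    'ActiveMQ 5.15.9-SNAPSHOT' or 'apache-activemq-5.18.2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str) -> bool:
    """True if the version predates the fix on its branch.

    Branches older than 5.15 never received a fix and are treated as
    vulnerable. Anything newer than 5.18 (e.g. 6.0.0) falls outside the
    advisory's affected range and is treated as fixed.
    """
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    return (major, minor) < (5, 15)


# Constructed sample inventory (hostname -> version banner); not real hosts.
SAMPLE_INVENTORY = {
    "mq-prod-01": "ActiveMQ 5.15.15",
    "mq-prod-02": "5.17.6",
    "mq-dev-01": "apache-activemq-5.18.2",
    "mq-legacy": "5.14.5",
    "mq-new": "6.0.0",
}


def vulnerable_hosts(inventory: dict) -> list:
    """Return the hosts whose banner indicates an unpatched broker."""
    return sorted(host for host, banner in inventory.items() if is_vulnerable(banner))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs patching")
```

Feed it the version strings you already collect (the broker's web console and the OpenWire handshake both expose one) rather than trusting what a vendor package database says, since the same 5.x major has been patched on four separate branches and a plain "is it 5.18?" check misses the 5.18.0 to 5.18.2 window.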

Xaro ransomware variant exploits cracked software

A variant of the Djvu ransomware, termed Xaro, has been identified in a campaign that uses cracked software for distribution. Xaro is spread through an archive file masquerading as legitimate freeware. The archive contains a supposed installer for CutePDF that is actually a payload for PrivateLoader, a pay-per-install malware downloader service. PrivateLoader fetches a range of stealer and loader malware families in addition to dropping Xaro. The attackers demand a ransom of $980, reduced to $490 if paid within 72 hours.

Android malware targets Iranian banks

Over 200 malicious apps associated with an Android malware campaign have been identified targeting Iranian banks. Threat actors trick victims into granting extensive permissions, abusing Android's accessibility services to harvest banking login credentials and credit card details. The campaign has been ongoing since July and has broadened its scope to include more banks and cryptocurrency wallet apps. It has incorporated previously undocumented features, such as intercepting SMS messages, preventing uninstallation, and accessing GitHub repositories for the latest phishing sites.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome zero-day exploited in the wild

Google has released security updates for Chrome (119.0.6045.199 for Mac and Linux, 119.0.6045.199/.200 for Windows) fixing seven vulnerabilities, including a zero-day (CVE-2023-6345) that is being exploited in the wild. The flaw is an integer overflow in the Skia 2D graphics library. While Google confirmed that an exploit exists, it did not share details about the attacks or the threat actors involved. This is the sixth zero-day patched in Chrome in 2023.

BLUFFS: New Bluetooth attack

Researchers at Eurecom disclosed a series of Bluetooth attacks named BLUFFS that exploit two previously unknown flaws in the Bluetooth standard. The flaws, tracked under CVE-2023-24023, affect Bluetooth Core Specification 4.2 through 5.4 and therefore a wide range of devices, including laptops, smartphones, and other mobile devices. BLUFFS breaks the forward and future secrecy of Bluetooth sessions, compromising the confidentiality of both past and future communications between the paired devices.
