We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Sep 5, 2024

Cybercriminals are honing their sights on high-profile targets and exploiting creative new tactics to infiltrate even the most secure systems. In Malaysia, political figures are under siege as a campaign spreads the Babylon RAT via sneaky ISO files, giving attackers full control for keylogging and data theft.

In a world where cyberattacks are becoming more creative and bold, no one is off-limits - not even hackers themselves. The Lummac Stealer is flipping the script by targeting hackers, posing as an OnlyFans Checker tool, and stealing everything from passwords to crypto wallets.

In other news, a researcher found an unpatchable bug that is also very tricky to exploit. A newly exposed vulnerability in YubiKey 5 Series hardware security keys could allow expert attackers to clone affected devices. This side-channel vulnerability went unnoticed for 14 years.

Top Malware Reported in the Last 24 Hours

Babylon RAT targets Malaysian government

A cyberattack campaign in Malaysia is using malicious ISO files to spread the Babylon RAT, targeting political figures and officials. The ISO files contain deceptive components like shortcuts and scripts to trick users. The threat actor previously used the Quasar RAT against Malaysian entities, showing a trend of targeting high-profile individuals. Babylon RAT gives the attacker control over infected systems, allowing for activities like keylogging and data theft. This highlights the importance of enhancing security measures to prevent unauthorized access to sensitive data.

Fake OnlyFans Checker tool deploys Lummac Stealer

Cybersecurity experts uncovered the Lummac Stealer malware, posing as an OnlyFans Checker tool, which targets hackers. The malware also targets Disney+ and Instagram hackers. The malware is capable of stealing passwords, financial information, browsing history, and cryptocurrency wallets. It has been found to spread through cracked software and uses tactics to detect human users. The malware's architecture suggests global influences from East Asia, Africa, Latin America, and Celtic mythology.

Revival Hijack on PyPI

Security researchers uncovered a new threat called Revival Hijack that enables attackers to spread malicious payloads via PyPI. By re-registering a formerly legitimate package name with a malicious one, attackers can trick users into inadvertently downloading harmful packages. Attackers are utilizing tactics like cloning repositories and typosquatting to distribute malware. The researchers demonstrated the threat by replacing legitimate packages with empty ones, leading to nearly 200,000 downloads in three months.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco fixes bug

Cisco patched a command injection vulnerability in its Identity Services Engine (ISE) solution, allowing attackers to gain root privileges on vulnerable systems. The flaw, tracked as CVE-2024-20469, stems from insufficient validation of user input. Attackers with administrator privileges can execute malicious commands without user interaction. Cisco has released fixes for affected versions of ISE, including 3.2P7 and 3.3P4. Additionally, Cisco removed a backdoor account in its Smart Licensing Utility software and addressed other vulnerabilities such as CVE-2024-20295 and CVE-2024-20401.

DrayTek bugs added to KEV catalog

The CISA added two flaws in DrayTek VigorConnect routers to its KEV catalog. These flaws, known as CVE-2021-20123 and CVE-2021-20124, are path traversal issues that allow attackers to download arbitrary files with root privileges. The vulnerabilities were patched in October 2021. While there are no reports of in-the-wild attacks, Fortinet noted CVE-2021-20123 being exploited in a global campaign across industries. Exploitation attempts spiked in August, leading CISA to include the vulnerabilities in its catalog.

Flaw allows cloning of YubiKeys

Security researchers have found a vulnerability in Yubico YubiKey 5 Series that could allow a skilled hacker to clone the devices due to a cryptographic flaw. The vulnerability involves a side-channel attack on the Elliptic Curve Digital Signature Algorithm (ECDSA) used by YubiKey devices. The flaw affects YubiKey 5 devices with firmware version 5.7 or earlier. Exploiting the vulnerability is costly and difficult, requiring physical possession of the key and specialized equipment.

Top Scams Reported in the Last 24 Hours

“Hello Pervert” sextortion scam evolves

Sextortion scammers are using stolen passwords to extort victims for money, now with new tactics involving the mention of the Pegasus spyware and adding pictures of the victim's home environment. The scammers claim to have been monitoring the victim's online activities and threaten to expose embarrassing footage unless payment is made. While the use of Pegasus spyware is mentioned to increase the threat level, it is unlikely that everyday scammers have access to such sophisticated tools. The scammers obtain old passwords from data breaches and may even have access to the victim's physical address, using this information to add credibility to their threats.

Related Threat Briefings