
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 6, 2023

No patches, find alternatives! This is a warning for the users of Atlas VPN - take precautions against a zero-day flaw for which a PoC exploit has been published on Reddit. The flaw is an unauthenticated local API in the Atlas VPN Linux client, which the PoC abuses to drop the VPN session and reveal a user's real IP address. Experts have suggested considering alternative VPN solutions until a fix is available. Along similar lines, no patches are available for a critical flaw and a moderate-severity flaw found in the widely used PHPFusion open-source content management system. While the first allows remote code execution, the other enables attackers to read file contents and write files to arbitrary locations.

Some grave malware threats also hover over organizations worldwide as security researchers uncover new variants of Agent Tesla and SideTwist backdoor. Both campaigns employ phishing lures tailored to specific targets and lead to the deployment of malicious payloads.

Top Breaches Reported in the Last 24 Hours

Hacker group exposes Iranian surveillance software

Hacking group GhostSec unveiled the source code of alleged surveillance software used by Iran's FANAP group. Over 26GB of compressed data has been analyzed and gradually released by GhostSec, revealing various components of the code, including facial recognition and tracking systems. The FANAP group, initially a technology provider for financial services, is claimed to have expanded into a comprehensive surveillance system utilized by the Iranian government. GhostSec asserts that the software was deployed across Iran's Pasargad Bank branches.

Play ransomware expands reach to U.S. and Germany

Known for initially targeting Latin American entities, the notorious Play ransomware group has spread its wings to infiltrate the networks of firms in the U.S. and Germany. It recently listed six businesses on its Tor data leak site, signaling that their data may have been stolen. The U.S. victims include Majestic Spice, Bordelon Marine, Master Interiors, Kikkerland Design, Precisel, and Winshuttle. The victim from Germany is Markentrainer Werbeagunter.

Public school district notifies of breach

Minneapolis Public Schools started notifying over 100,000 individuals whose personal information may have been compromised in a cyberattack earlier this year. The Medusa ransomware group had claimed responsibility and demanded a ransom of $1 million. The school district refused to pay, after which the threat actor exposed sensitive student information.

Top Malware Reported in the Last 24 Hours

New Agent Tesla variant

FortiGuard Labs has uncovered a phishing campaign distributing a new Agent Tesla variant that exploits the Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to harvest data from infected systems. Despite Microsoft's patches released in 2017 and 2018, these vulnerabilities remain popular among threat actors, with thousands of attacks observed daily. The report provides insights into the attack's technical details, including the phishing email, exploitation techniques, payload analysis, and the methods employed by Agent Tesla for collecting sensitive information from victims.

Blueshell malware surges in APT attacks

The Blueshell backdoor has seen a significant uptick in use by various threat actors targeting Windows, Linux, and other operating systems in Korea and Thailand. This malware, active since 2020 and written in Go, is believed to originate from a Chinese user and was once available on GitHub. Recent research by AhnLab identified Blueshell's use by the Dalbit Group, a China-based threat group known for targeting vulnerable servers to steal critical data for ransom demands.

APT34 deploys SideTwist backdoor

The Iranian threat actor APT34, aka OilRig, has been associated with a recent phishing attack that led to the deployment of a variant of the SideTwist backdoor. APT34, known for its advanced attack techniques, has been targeting various sectors in the Middle East since at least 2014. The attack chain begins with a malicious Microsoft Word document containing a macro that launches the SideTwist payload. This incident highlights the group's ability to evolve and create new tools to maintain persistence and avoid detection.

Top Vulnerabilities Reported in the Last 24 Hours

Bug in VPN client exposes user IP addresses

A zero-day flaw in the Atlas VPN Linux client has been discovered, allowing websites to expose users' real IP addresses. The flaw is due to an unprotected local API endpoint that lacks authentication, enabling anyone who can reach it, including a web page running in the user's browser, to issue commands to the client. A PoC exploit demonstrated how merely visiting a website could disconnect the VPN session, revealing the user's actual IP address. Browser Cross-Origin Resource Sharing (CORS) protections do not stop this: CORS only restricts whether a page can read a cross-origin response, and a simple form POST to the local API is sent regardless, so the disconnect command executes even though the attacker's page never sees the reply.
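The following is an added example, not Atlas VPN's code, that models the bug class described above and the checks a local control API needs so that a browser tab cannot drive it. The command path /cmd/disconnect, the loopback port in the Host header, the request shapes and the token handling are assumptions made for the example; the sample requests are constructed.

```python
"""Authorising commands on a localhost control API.

Added example for this briefing; it is not Atlas VPN's code. It models the
bug class described above: a VPN client exposes an HTTP API on the loopback
interface, and any process that can reach it, including a browser tab on an
unrelated site, can issue commands such as "disconnect". The command path,
port, request shapes and token handling are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Per-session token. A real client would generate this at daemon start and
# write it to a file readable only by the logged-in user, so that only the
# user's own UI process can present it. Constructed for this example.
CONTROL_TOKEN = secrets.token_hex(32)

COMMAND_PATH = "/cmd/disconnect"  # hypothetical command endpoint


@dataclass
class Request:
    """Just enough of an HTTP request to make the authorisation decision."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive; normalise before lookup.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def vulnerable_authorize(req):
    """The pattern in the report: any POST to the command path is honoured.
    Nothing distinguishes the client's own UI from a web page's form POST."""
    return req.method == "POST" and req.path == COMMAND_PATH


def hardened_authorize(req, token=CONTROL_TOKEN):
    """Return (allowed, reason) for a command request.

    Three independent checks. The first two close the browser vector on
    their own; the token also stops other local users and processes, which
    CORS never addresses because they do not go through a browser."""
    if req.method != "POST" or req.path != COMMAND_PATH:
        return False, "unknown command"
    # 1. Browsers attach Origin to every cross-site POST (and Sec-Fetch-Site
    #    to every request they make). A control API has no browser clients,
    #    so the presence of either header identifies a forged request.
    if req.header("Origin") is not None or req.header("Sec-Fetch-Site") is not None:
        return False, "browser-originated request"
    # 2. Insist on a content type that is not CORS-"simple". A form POST can
    #    only send application/x-www-form-urlencoded, multipart/form-data or
    #    text/plain; a fetch() that sets application/json triggers a
    #    preflight, and since this API never answers preflights with
    #    Access-Control-Allow-* headers the browser drops the real request.
    if req.header("Content-Type") != "application/json":
        return False, "unexpected content type"
    # 3. Bearer token the attacker's page cannot read, compared in constant
    #    time so a wrong guess is not distinguishable by timing.
    scheme, _, presented = (req.header("Authorization") or "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), token.encode()):
        return False, "missing or wrong token"
    return True, "ok"


# Constructed requests. The first is what a browser sends when a malicious
# page auto-submits a hidden <form> at the loopback API: no auth, a "simple"
# content type, and Origin set to the attacker's site. Port 8000 is assumed.
CROSS_SITE_FORM_POST = Request("POST", COMMAND_PATH, {
    "Host": "127.0.0.1:8000",
    "Origin": "https://attacker.example",
    "Content-Type": "application/x-www-form-urlencoded",
})

# What the client's own UI process sends: no Origin (it is not a browser),
# a JSON body, and the session token.
OWN_CLIENT_POST = Request("POST", COMMAND_PATH, {
    "Host": "127.0.0.1:8000",
    "Content-Type": "application/json",
    "Authorization": f"Bearer {CONTROL_TOKEN}",
})

# A local process that knows the API shape but not the token.
LOCAL_PROCESS_NO_TOKEN = Request("POST", COMMAND_PATH, {
    "Host": "127.0.0.1:8000",
    "Content-Type": "application/json",
    "Authorization": "Bearer " + "0" * 64,
})


if __name__ == "__main__":
    for name, req in [("cross-site form POST", CROSS_SITE_FORM_POST),
                      ("own client", OWN_CLIENT_POST),
                      ("local process, no token", LOCAL_PROCESS_NO_TOKEN)]:
        print(f"{name:25s} vulnerable={vulnerable_authorize(req)!s:5s} "
              f"hardened={hardened_authorize(req)}")
```

The cross-site form POST passes the vulnerable check and fails the hardened one on the Origin header alone; the client's own request passes all three checks; a local process without the token is refused. Where the platform allows it, a stronger design than any of these header checks is to listen on a Unix domain socket with filesystem permissions rather than a TCP loopback port, because browsers cannot open Unix sockets at all.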

Critical vulnerabilities in PHPFusion CMS

Security researchers from Synopsys have identified two vulnerabilities, including a critical one (CVE-2023-2453), in the PHPFusion open-source content management system. The critical flaw permits authenticated attackers to execute remote code by uploading a malicious .php file to a known path on the target system. Another moderate-severity vulnerability (CVE-2023-4480) allows attackers to read file contents and write files to arbitrary locations within the CMS. These vulnerabilities affect PHPFusion versions 9.10.30 and earlier, with no patches currently available.

Google releases Chrome 116 update

Google has issued a Chrome 116 update to address four high-severity vulnerabilities identified by external researchers. These include an out-of-bounds memory access flaw in the Federated Credential Management (FedCM) API (CVE-2023-4761), a type confusion issue in the V8 JavaScript engine (CVE-2023-4762), a use-after-free problem in Chrome's Networks component (CVE-2023-4763), and an incorrect security UI flaw in BFCache, potentially allowing remote attackers to spoof the URL bar (CVE-2023-4764).

Google patches severe flaws in Android

Google has released its monthly security patches for Android, including a fix for a zero-day vulnerability (CVE-2023-35674) in the Android Framework that may have been under limited, targeted exploitation. The update also addresses several privilege escalation flaws in the Framework and a critical security vulnerability in the System component that could lead to remote code execution. In total, Google fixed 14 flaws in the System module and two shortcomings in the MediaProvider component.
