Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 6, 2024
Cyber attackers are pushing the boundaries of sophistication, from targeting cryptocurrency wallets to seizing control of web platforms. SpyAgent, a new Android malware, is hijacking mnemonic keys through phishing campaigns, already spreading from Korea to the U.K.
In parallel, the DarkCracks malware campaign is stealthily breaching GLPI and WordPress websites. The campaign has been bypassing antivirus defenses and using multi-stage attacks to gain long-term control over systems.
In the enterprise space, Veeam has issued a critical bulletin to patch 18 vulnerabilities, including a severe remote code execution flaw that puts their Backup & Replication products at risk of compromise.
New Android SpyAgent campaign
A new mobile malware called SpyAgent is targeting mnemonic keys for cryptocurrency wallets. This Android malware disguises itself as legitimate apps and steals sensitive data such as text messages, contacts, and images. It spreads through phishing campaigns and infects devices by tricking users into downloading fake apps. The malware can also receive and execute commands from a remote server. The malware has been targeting users in Korea and has shown signs of spreading to the U.K. The researchers also found evidence suggesting a potential shift to targeting iOS users in the future.
Fog ransomware now targets financial sector
The Fog ransomware group, previously known for targeting education and recreational sectors, has now shifted focus to the financial services sector. The ransomware, a variant of STOP/DJVU, targets both Windows and Linux endpoints and demands a ransom via a Tor site. The attackers are highly skilled and utilize a multi-pronged approach, combining data theft with encryption to pressure victims into paying the ransom. They employ various tools and commands to traverse networks, gather information, exfiltrate data, and hinder file recovery from backups.
BlindEagle uses BlotchyQuasar, targets Colombia
Zscaler described BlindEagle activity targeting the Colombian insurance sector for payment-related data theft. The group's attack chain typically starts with a phishing email containing a PDF attachment and a link to a ZIP archive with BlotchyQuasar. The phishing email impersonates the Colombian National Tax and Customs Authority and targets employees in the Colombian insurance industry. The BlotchyQuasar malware has complex protection layers and can log keystrokes, monitor banking and payment services, steal data from browsers and FTP clients, and access C2 servers.
New DarkCracks malware campaign
QiAnXin identified a sophisticated malware campaign known as DarkCracks that targets GLPI and WordPress websites to distribute malicious loaders and maintain control over compromised systems. This stealthy threat evades detection by most antivirus software. DarkCracks employs a complex delivery system utilizing public websites to distribute malicious payloads and compromise devices for long-term exploitation. The malware initiates a multi-stage attack upon gaining access to a server, enabling attackers to establish persistent control over networks. The campaign's use of a three-tier URL verification system and targeted phishing tactics, including a decoy resume file in Korean, adds layers of difficulty for defenders.
Veeam warns of critical RCE vulnerability
Veeam released a security bulletin addressing 18 high and critical severity flaws in its Backup & Replication, Service Provider Console, and ONE products. The most severe vulnerability is a critical RCE flaw in Backup & Replication, which could be exploited without authentication. Other critical vulnerabilities include RCE, sensitive data extraction, MFA bypass, weak TLS certificate validation, and privilege escalation. The Service Provider Console and ONE products also have critical vulnerabilities allowing RCE and unauthorized access to sensitive information.
Bug in LiteSpeed Cache WordPress plugin
The LiteSpeed Cache plugin for WordPress has been found to have a critical security flaw (CVE-2024-44000) that could allow unauthorized users to take control of accounts. The flaw is related to a publicly exposed debug log file, which could allow attackers to view sensitive information and log in to vulnerable sites. The plugin has received a patch (version 6.5.0.1) that addresses the issue by moving the log file to a dedicated folder and removing the option to log cookies. Users are advised to check for the presence of the debug log file and take steps to secure their installations.
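A self-audit helper for the two checks the advisory recommends, written as an added example for this briefing (it is not Cyware's or LiteSpeed's code). It compares the installed plugin version against 6.5.0.1 and classifies a fetch of the site's own debug log URL: not readable, readable but empty of auth material, or readable and leaking cookie/session data. The log path (`/wp-content/debug.log`) and the line format used in the constructed sample are assumptions; the `wordpress_logged_in_`/`wordpress_sec_` cookie prefixes are WordPress' standard auth-cookie names.

```python
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumption (not stated on the page): affected plugin versions wrote the
# debug log under wp-content/. Adjust to the path your installation used.
DEBUG_LOG_PATH = "/wp-content/debug.log"
PATCHED_VERSION = (6, 5, 0, 1)

# Indicators that authentication material has leaked into the log. The cookie
# names are WordPress' real auth cookies; the "Cookie:"/"Set-Cookie:" line
# shape is an assumption about how the plugin logged headers.
SENSITIVE_PATTERNS = [
    re.compile(r"wordpress_logged_in_[0-9a-f]+", re.I),
    re.compile(r"wordpress_sec_[0-9a-f]+", re.I),
    re.compile(r"^\s*Cookie:\s*\S", re.I | re.M),
    re.compile(r"^\s*Set-Cookie:\s*\S", re.I | re.M),
]

# Constructed sample of a leaking log, used by the demo at the bottom.
SAMPLE_LEAK = (
    "[12/Aug/2024 10:01:02] ---------------------\n"
    "[12/Aug/2024 10:01:02] GET /wp-admin/ 200\n"
    "[12/Aug/2024 10:01:02] Cookie: wordpress_logged_in_abc123=admin%7C9999999999%7Cdeadbeef\n"
)


def parse_version(text):
    """'6.5.0.1' -> (6, 5, 0, 1); tuple comparison handles shorter tags."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(version):
    """True when the installed LiteSpeed Cache version is 6.5.0.1 or later."""
    return parse_version(version) >= PATCHED_VERSION


def assess_debug_log(status, body):
    """Classify a fetch of the debug log URL as (severity, detail)."""
    if status != 200:
        return ("ok", f"debug log not publicly readable (HTTP {status})")
    hits = sorted({p.pattern for p in SENSITIVE_PATTERNS if p.search(body)})
    if hits:
        return ("critical",
                "debug log is public and contains cookie/session material: "
                + ", ".join(hits))
    return ("high",
            "debug log is publicly readable; nothing sensitive seen in this "
            "sample, but disable logging and block access to the file")


def audit(plugin_version, status, body):
    """Combine the version check and the log exposure check into findings."""
    findings = []
    if not is_patched(plugin_version):
        findings.append(("high",
                         f"LiteSpeed Cache {plugin_version} is older than "
                         "6.5.0.1; update the plugin"))
    findings.append(assess_debug_log(status, body))
    return findings


def fetch_debug_log(base_url, max_bytes=65536):
    """Fetch the debug log from a site you administer; returns (status, text)."""
    req = Request(base_url.rstrip("/") + DEBUG_LOG_PATH,
                  headers={"User-Agent": "litespeed-self-audit"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(max_bytes).decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return 0, ""


if __name__ == "__main__":
    # Usage: python audit.py https://example.org 6.4.1
    if len(sys.argv) == 3:
        code, text = fetch_debug_log(sys.argv[1])
        results = audit(sys.argv[2], code, text)
    else:  # offline demo on the constructed sample
        results = audit("6.4.1", 200, SAMPLE_LEAK)
    for severity, detail in results:
        print(f"[{severity.upper()}] {detail}")
```

Run it against your own site with the base URL and installed plugin version; with no arguments it evaluates the constructed sample and reports one finding for the old version and one for the leaking log. A 403 or 404 on the log URL plus a patched version is the expected clean result after updating and blocking access to the old file.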
Apache OFBiz patches severe flaw
A new high-severity security flaw, CVE-2024-45195, has been found in the Apache OFBiz ERP system, allowing unauthenticated remote code execution on Linux and Windows. This vulnerability is a bypass for previously addressed issues and could lead to code or SQL query execution without authentication. The latest patch also addresses a critical server-side request forgery (SSRF) vulnerability, CVE-2024-45507. Users should update to version 18.12.16 to mitigate these risks.
Malvertising campaign targets Lowe’s employees
Lowe's employees are being targeted in a phishing scam through fake Google ads leading to malicious websites mimicking the company's employee portal, MyLowesLife. The fake sites closely resemble the real portal and prompt users to enter their login credentials, which are then stolen by attackers. The phishing sites use generic templates to evade detection and make it harder for authorities to shut them down.