
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 9, 2024

Visual Studio Code is a trusted developer tool, but in the hands of Stately Taurus it has become a gateway for cyberespionage. This Chinese APT group abused VS Code to infiltrate government entities in Southeast Asia, and it also deployed the ShadowPad backdoor in the same intrusions.

Meanwhile, Predator spyware has defied U.S. sanctions and re-emerged stronger, securing new clients. With enhanced delivery systems designed for better anonymity and more complex infrastructure, Predator’s operators are making it harder than ever to trace their steps.

To prevent potential attacks, Progress Software issued an emergency patch for a critical vulnerability in its LoadMaster products. The bug could let attackers execute remote commands, putting entire infrastructures at risk if left unpatched.

Top Malware Reported in the Last 24 Hours

Stately Taurus abused VSCode

Unit 42 researchers discovered that Stately Taurus, a Chinese APT group, abused Visual Studio Code for cyberespionage in Southeast Asia. Using the software's built-in reverse shell capability, the group infiltrated target networks through a novel technique first identified in 2023. Stately Taurus also carried out other malicious activity in the same environments, including deploying the ShadowPad malware. Additional tactics include the use of OpenSSH and SharpNBTScan for lateral movement and network scanning inside targeted environments.
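The reverse shell capability described above is VS Code's remote-tunnel feature, started from the command line as `code tunnel` (or `code.exe tunnel` on Windows). The hunting logic below is an added example written for this briefing, not Unit 42's detection or anything from the VS Code project: it scans process-creation events for a VS Code binary launched with the `tunnel` subcommand and reports the host, user, image path and tunnel name. Every event, host name and field name is constructed for the example; treat a hit as a signal to baseline against known developer usage rather than as proof of compromise.

```python
"""Added example (not from the Cyware brief or from Unit 42): hunt process-creation
telemetry for Visual Studio Code launched with its remote 'tunnel' subcommand.
`code tunnel` / `code.exe tunnel` is VS Code's own CLI for the remote-tunnel
feature, which gives whoever controls the tunnel an interactive shell on the host.
Field names and every log line below are constructed for this example."""
import shlex

# File names VS Code ships under; a portable copy keeps the same file name
VSCODE_BINARIES = {"code", "code.exe", "code.cmd", "code-insiders", "code-insiders.exe"}

# Constructed process-creation events (Sysmon/EDR style, simplified)
SAMPLE_EVENTS = [
    {"host": "ws-dev-01", "user": "CORP\\alice",
     "command_line": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" "C:\repo\main.py"'},
    {"host": "srv-web-03", "user": "NT AUTHORITY\\SYSTEM",
     "command_line": r'"C:\Users\Public\code.exe" tunnel --accept-server-license-terms --name srv01'},
    {"host": "ws-dev-02", "user": "CORP\\bob",
     "command_line": r'C:\Windows\System32\notepad.exe C:\notes\tunnel.txt'},
    {"host": "build-lnx-01", "user": "ci",
     "command_line": "/usr/share/code/code tunnel --name=buildbox"},
]


def parse_cmdline(cmdline):
    """Split a command line into argv, keeping Windows paths intact (no POSIX escapes)."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return []


def basename(token):
    """Lower-case file name of argv[0], with surrounding quotes and any directory removed."""
    return token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def tunnel_name(argv):
    """Return the value of --name / --name=... if present, else None."""
    for i, arg in enumerate(argv):
        low = arg.lower()
        if low == "--name" and i + 1 < len(argv):
            return argv[i + 1].strip('"')
        if low.startswith("--name="):
            return arg.split("=", 1)[1].strip('"')
    return None


def is_vscode_tunnel(cmdline):
    """True when argv[0] is a VS Code binary and 'tunnel' appears as a separate argument.
    Matching on parsed arguments avoids false positives on file names that merely
    contain the word 'tunnel' (see the notepad.exe event above)."""
    argv = parse_cmdline(cmdline)
    if not argv:
        return False
    return basename(argv[0]) in VSCODE_BINARIES and "tunnel" in (a.lower() for a in argv[1:])


def find_tunnel_events(events):
    """Return one finding per event that launches a VS Code tunnel."""
    findings = []
    for ev in events:
        if is_vscode_tunnel(ev["command_line"]):
            argv = parse_cmdline(ev["command_line"])
            findings.append({
                "host": ev["host"],
                "user": ev["user"],
                "image": argv[0].strip('"'),
                "tunnel_name": tunnel_name(argv),
            })
    return findings


if __name__ == "__main__":
    for f in find_tunnel_events(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['user']} started a VS Code tunnel {f['tunnel_name']!r} from {f['image']}")
```

Two details carry most of the value: the image path in a finding tells you whether the binary is the installed copy or a portable one dropped somewhere like a public or temp directory, and the tunnel name is what the remote side uses to attach, so it is worth retaining in the alert for correlation across hosts.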

Updated Predator now harder to track

Despite U.S. sanctions in March targeting Predator spyware's parent company and leadership, the tool has resurfaced, securing new clients and adapting its operations. Researchers observed increased Predator activity, with newly discovered infrastructure supporting spyware staging and exploitation processes. While Predator's use in Angola has been previously documented, new clients likely include the Democratic Republic of Congo (DRC), and clusters of activity have been detected in the UAE, Madagascar, and possibly Saudi Arabia. Predator operators have refined their delivery systems to offer more anonymity and enhanced security, complicating efforts to attribute operations to specific countries.

TIDRONE APT targets Taiwan

An unidentified threat actor, tracked as TIDRONE and linked to Chinese-speaking groups, targeted military-related industries in Taiwan, particularly drone manufacturers, using advanced malware toolsets such as CXCLNT and CLNTEND delivered via ERP software or remote desktop access. The threat actors use UAC bypass, credential dumping, and post-exploitation tools to disable antivirus products. Backdoors discovered in the campaign, including CXCLNT, collect sensitive victim information via non-landed executables, with decryption of packet transmissions for analysis. The backdoors also adapt to various payload formats for stealthy deployment and data exfiltration.

Top Vulnerabilities Reported in the Last 24 Hours

Severe RCE bug in Progress LoadMaster

Progress Software released an emergency fix for a critical vulnerability (CVE-2024-7591) affecting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. This flaw enables remote attackers to execute commands on the device by exploiting improper input validation. The vulnerability impacts multiple versions of LoadMaster and MT Hypervisor, including Long-Term Support (LTS) branches. Progress Software has provided an add-on package to mitigate the vulnerability, but the free version of LoadMaster remains unaffected.

Active exploitation of SonicWall flaw

SonicWall issued a warning about a critical access control flaw, CVE-2024-40766, in its SonicOS software, which is now being exploited in attacks, including those by Akira ransomware affiliates. The flaw affects SonicWall Firewall Gen 5, Gen 6, and Gen 7 devices, potentially allowing unauthorized access and crashing the firewall. SonicWall urges admins to apply patches immediately and has provided mitigation recommendations, including limiting management and SSLVPN access to trusted sources and enabling multi-factor authentication.

Critical GeoServer vulnerability

A critical vulnerability (CVE-2024-36401) in GeoServer versions prior to 2.23.6, 2.24.4, and 2.25.2 is being actively exploited by attackers. The flaw allows them to take control of systems for malware deployment, cryptojacking, and botnet attacks. Attackers are leveraging it to execute arbitrary code, deploy malware, and carry out various malicious activities against organizations across different regions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its KEV Catalog.
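The fix versions above are per release branch, which is easy to get wrong in an asset inventory: a plain version comparison calls 2.24.1 "patched" because it is newer than 2.23.6, when in fact the 2.24 branch is only fixed from 2.24.4. The check below is an added example, not GeoServer project code or a Cyware tool, and it assumes two things the briefing does not state: branches older than 2.23 never received a fix and are treated as affected, and branches newer than 2.25 were cut after the fix and are treated as not affected.

```python
"""Added example (not from the brief or from the GeoServer project): decide whether a
GeoServer build falls in the affected range for CVE-2024-36401 using the per-branch
fix versions the briefing lists. Comparison is done within the matching minor branch,
so 2.24.1 is correctly reported as affected even though it is newer than 2.23.6."""

# Fix versions as stated in the briefing, one per release branch
FIXED_VERSIONS = ["2.23.6", "2.24.4", "2.25.2"]


def parse_version(text):
    """Turn '2.24.1' or '2.24.1-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    Missing components are treated as 0, so '2.24' compares as 2.24.0."""
    core = text.strip().split("-", 1)[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version, fixed_versions=FIXED_VERSIONS):
    """True when `version` is below the fix version of its own release branch."""
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    fix_by_branch = {f[:2]: f for f in fixes}
    branch = v[:2]
    if branch in fix_by_branch:
        return v < fix_by_branch[branch]
    # Assumption: branches older than the oldest fixed branch never received a fix
    if branch < fixes[0][:2]:
        return True
    # Assumption: branches newer than the newest fixed branch were released after the fix
    return False


def triage(inventory):
    """Map each (host, version) pair to 'affected' or 'not affected' for reporting."""
    return {host: ("affected" if is_affected(ver) else "not affected") for host, ver in inventory}


if __name__ == "__main__":
    # Constructed inventory, not real hosts
    sample = [("gis-01", "2.24.1"), ("gis-02", "2.23.6"), ("gis-03", "2.25.1-SNAPSHOT"),
              ("gis-04", "2.22.5"), ("gis-05", "2.26.0")]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```

Running the inventory step against a real list should be paired with the CISA KEV entry as the remediation deadline driver; the version check only tells you which hosts need the upgrade, not which are already compromised.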
