Cyware Daily Threat Intelligence

Daily Threat Briefing Sep 10, 2024

The cyber landscape is growing more treacherous as attackers refine their tactics. The Quad7 botnet is evolving, targeting more SOHO devices with custom malware, while leveraging new communication protocols to slip under the radar.

ESET researchers have also uncovered CosmicBeetle’s latest move, replacing its Scarab ransomware with ScRansom. What’s new is that the group seems to be trying its luck at becoming a RansomHub affiliate.

Meanwhile, the FreeBSD Project has flagged a critical vulnerability, which could allow attackers to crash a system or execute malicious code, creating serious risks for affected systems.

Top Malware Reported in the Last 24 Hours

Quad7 botnet expands targets

The Quad7 botnet is expanding its operations by targeting additional SOHO devices with new custom malware for Zyxel VPN appliances, Ruckus wireless routers, and Axentra media servers. This expansion includes the targeting of specific devices with different welcome banners on the Telnet port, and the use of new communication methods and tactics to evade detection. The botnet has evolved to utilize new tools such as "FsyNet" and a backdoor named "UPDTAE" for remote control of infected devices. There are also experiments with a new communication protocol named CJD route2.

Earth Preta evolves

Earth Preta has significantly enhanced its malware deployment and strategies, particularly in its campaigns targeting government entities in the APAC region. The group deployed PUBLOAD via a variant of the HIUPAN worm, used additional tools such as FDMTP and PTSOCKET, and conducted a time-sensitive spear-phishing campaign. The group has also employed sophisticated malware variants and adapted to use multi-stage downloaders.

CosmicBeetle and its new ransomware

ESET researchers observed the CosmicBeetle threat actor, aka NoName, using its new ScRansom ransomware, which replaces its previous Scarab ransomware, with a focus on small and medium-sized businesses. The threat actor has also been using the leaked LockBit builder to mimic the well-known ransomware gang in an attempt to boost its credibility. It is believed that CosmicBeetle may have connections to the RansomHub gang.

Top Vulnerabilities Reported in the Last 24 Hours

FreeBSD issues emergency advisory

The FreeBSD Project warned of a critical vulnerability (CVE-2024-43102) that affects multiple versions of its operating system. This flaw could allow attackers to trigger a kernel panic or execute arbitrary code, potentially leading to a complete system compromise. The vulnerability is related to the _umtx_op system call and can result in a use-after-free condition. Exploiting this, attackers could bypass security measures and potentially compromise systems.

CISA adds three flaws to KEV catalog

CISA added vulnerabilities in SonicWall SonicOS, ImageMagick, and the Linux kernel to its KEV catalog. The ImageMagick flaw, tracked as CVE-2016-3714, allows attackers to execute code via crafted images. The Linux kernel flaw, CVE-2017-1000253, enables privilege escalation through applications built as Position Independent Executables (PIEs). The SonicWall SonicOS vulnerability, CVE-2024-40766, poses an access control risk. Federal agencies must address these vulnerabilities by September 30.

RAMBO - new side-channel attack identified

A new side-channel attack, named RAMBO (Radiation of Air-gapped Memory Bus for Offense), exploits electromagnetic radiation from a device's RAM to transmit data from air-gapped computers used in high-security environments. Despite their isolation, these systems are vulnerable to malware introduced by rogue employees or sophisticated supply chain attacks. The attack manipulates memory access patterns to generate controlled electromagnetic emissions from the RAM, transmitting data through radio signals at speeds up to 1,000 bits per second. Countermeasures include physical defense enhancements and Faraday enclosures.