Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 11, 2024
Crimson Palace is making moves in Southeast Asia, with its trio of hacker clusters—Alpha, Bravo, and Charlie—quietly infiltrating government networks. The group’s new tool, Tattletale, is helping it steal sensitive data while flying under the radar of security tools.
On another note, Microsoft’s September 2024 Patch Tuesday release fixed 79 vulnerabilities, including actively exploited flaws that pose remote code execution risks. Not to be left behind, Adobe released fixes for 28 vulnerabilities across multiple products, warning users of potential code execution and privilege escalation attacks.
Crimson Palace keeps targeting Southeast Asia
Sophos detailed an ongoing cyberespionage campaign by Crimson Palace targeting government organizations in Southeast Asia. Crimson Palace is an umbrella for three Chinese activity clusters, namely Cluster Alpha, Cluster Bravo, and Cluster Charlie. The hackers have adapted, using a new malware, Tattletale, to gather information and infiltrate networks. Cluster Charlie targeted government organizations, stealing sensitive data and authentication keys. The attackers focused on evading security tools and gaining deeper access within victim networks. They compromised at least 11 other organizations in the region, delivering malware under the guise of trusted access points.
RansomHub abuses Kaspersky TDSSKiller
The RansomHub ransomware gang has been using the legitimate TDSSKiller tool from Kaspersky to disable EDR services on target systems. Once the defenses are down, the attackers use the LaZagne credential-harvesting tool to extract logins from application databases. Through these tools, attackers can move laterally and access sensitive data. Notably, TDSSKiller was observed using the -dcsvc flag to target specific services, like MBAMService.
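The two-stage pattern described above (a signed Kaspersky tool invoked with -dcsvc to remove a security service, followed shortly by LaZagne on the same host) is what a detection should key on. The following is an added example, not code from Cyware or from the reporting it summarizes; the process-creation events, host names and paths are constructed, and the service list beyond MBAMService is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (hypothetical hosts, paths, timestamps),
# loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ts": "2024-09-10T14:02:11", "host": "WS-041",
     "image": r"C:\Users\jdoe\Downloads\tdsskiller.exe",
     "cmdline": "tdsskiller.exe -dcsvc MBAMService"},
    {"ts": "2024-09-10T14:03:40", "host": "WS-041",
     "image": r"C:\Temp\lazagne.exe", "cmdline": "lazagne.exe all"},
    {"ts": "2024-09-10T09:00:00", "host": "WS-077",          # benign scan, no -dcsvc
     "image": r"C:\Tools\tdsskiller.exe", "cmdline": "tdsskiller.exe -l report.txt"},
    {"ts": "2024-09-10T11:30:00", "host": "WS-090",          # LaZagne with no prior EDR kill
     "image": r"C:\Temp\lazagne.exe", "cmdline": "lazagne.exe browsers"},
]

# Services whose removal should be treated as EDR tampering. MBAMService is the one
# named in the report; the others are assumed examples of security services.
PROTECTED_SERVICES = {"mbamservice", "windefend", "sense"}

DCSVC_RE = re.compile(r'-dcsvc\s+"?([^\s"]+)', re.IGNORECASE)


def tdsskiller_service_kill(event):
    """Return the service targeted by 'tdsskiller -dcsvc <name>', or None."""
    if "tdsskiller" not in event["image"].lower():
        return None
    m = DCSVC_RE.search(event["cmdline"])
    return m.group(1) if m else None


def detect(events, window=timedelta(minutes=30)):
    """Return (host, severity, reason) alerts; escalate when LaZagne follows a service kill."""
    alerts, kills = [], {}  # kills: host -> time of first -dcsvc sighting
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        svc = tdsskiller_service_kill(ev)
        if svc:
            sev = "high" if svc.lower() in PROTECTED_SERVICES else "medium"
            alerts.append((ev["host"], sev, f"TDSSKiller -dcsvc against service {svc}"))
            kills.setdefault(ev["host"], t)
        elif "lazagne" in ev["image"].lower():
            if ev["host"] in kills and t - kills[ev["host"]] <= window:
                alerts.append((ev["host"], "critical",
                               "LaZagne executed after EDR service removal on same host"))
            else:
                alerts.append((ev["host"], "medium", "LaZagne credential dumper executed"))
    return alerts
```

Feeding real Sysmon or EDR telemetry through the same two functions is enough to surface the chain; the benign TDSSKiller scan on WS-077 produces no alert because it never uses -dcsvc.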
Microsoft patches 79 vulnerabilities
Microsoft announced three new security vulnerabilities affecting Windows, which are being actively exploited, as part of the September 2024 Patch Tuesday update. This release addressed a total of 79 vulnerabilities, with seven rated critical, 71 important, and one moderate. Additionally, 26 flaws in the Chromium-based Edge browser were also fixed. The exploited vulnerabilities include CVE-2024-38014, CVE-2024-38217, and CVE-2024-38226, along with CVE-2024-43491. These flaws can lead to security feature bypasses and remote code execution. Microsoft recommended installing the September 2024 Servicing stack update and the Windows security update to mitigate the risks.
Adobe patches flaws in multiple products
Adobe released patches for 28 security vulnerabilities in various products, warning Windows and macOS users of code execution attacks. The most critical issue affects Acrobat and PDF Reader, with two memory corruption vulnerabilities allowing arbitrary code execution. Two bugs, CVE-2024-41869 and CVE-2024-45112, pose a high risk of privilege escalation. A major update for Adobe ColdFusion fixes a critical flaw (CVE-2024-41874) exposing businesses to code execution attacks. Adobe also addressed issues in Photoshop, Media Encoder, Audition, After Effects, Premiere Pro, and Illustrator.
Siemens patches critical UMC bug
Siemens issued a critical security advisory for the User Management Component (UMC), revealing a heap-based buffer overflow vulnerability (CVE-2024-33698) with a CVSS score of 9.3. This flaw could be exploited by remote attackers to execute arbitrary code on affected systems. The UMC is a vital component in Siemens products like SIMATIC PCS neo, SINEC NMS, and Totally Integrated Automation Portal, widely used in critical infrastructure.
Novel audio-based side-channel threat
The new PIXHELL attack exploits LCD screen noise to steal data from air-gapped computers by utilizing the sound generated by pixels on the screen. Malicious code can manipulate the frequencies produced by coils and capacitors in the screen to transmit sensitive information without the need for specialized audio hardware. Akin to the recently reported RAMBO attack, the PIXHELL attack also uses malware to create an acoustic channel to leak data from audio-gapped systems.
Reputation hijacking technique for phishing
Cyble researchers identified a new tactic used by threat actors to bypass Smart App Control (SAC) called Reputation Hijacking with JamPlus. They discovered a phishing site posing as a CapCut download page, with malicious software hidden within a legitimate CapCut-signed application. The attackers utilize the JamPlus build utility to execute malicious scripts and deliver payloads like the NodeStealer, which is designed to extract sensitive user data and send it through a Telegram channel.