Cyware Daily Threat Intelligence

Daily Threat Briefing September 12, 2023

A new information stealer called MetaStealer has joined a growing list of stealer families to target macOS systems. A key component of the payload is an obfuscated Go-based executable that can harvest data from iCloud Keychain and extract saved passwords. A dark cloud of threats also hovers over Windows users as security researchers uncovered a phishing campaign delivering Agent Tesla, OriginBotnet, and RedLine Clipper via maldocs. Attackers can extract a wide range of data from compromised systems, such as credentials, crypto wallet data, and other sensitive information.

Another Chrome zero-day has come under active attack, marking the fourth zero-day vulnerability fixed in Chrome this year. The flaw is a heap buffer overflow that could lead to crashes or arbitrary code execution.

Top Breaches Reported in the Last 24 Hours

Criminals claim massive data theft

Members of the BianLian ransomware gang allegedly stole about 7 TB of files from Save The Children International, a renowned non-profit operating in 116 countries. It comprised international HR records, personal information, 800 GB of financial data, emails, and health records. The group appears poised to leak or sell this information unless a ransom is paid. Earlier this year, BianLian switched from ransomware attacks to pure extortion. It typically uses the Go programming language to evade detection.

MGM Resorts investigates cybersecurity incident

A cyberattack on MGM Resorts prompted its IT team to shut down some of its systems to protect data. The incident, which began on Sunday, impacted hotel reservation systems across the United States and other critical IT systems, including casino floors. As of Monday afternoon, the company's homepage remained inaccessible. MGM Resorts owns well-known properties such as Mandalay Bay, Bellagio, MGM Grand, Aria, Luxor, and the Cosmopolitan.

Top Malware Reported in the Last 24 Hours

Attackers drop Sponsor backdoor

ESET researchers have exposed a sophisticated cyber campaign orchestrated by the Ballistic Bobcat (aka Charming Kitten) APT group across Brazil, Israel, and the United Arab Emirates. This operation, known as the Sponsoring Access campaign, employs a newly identified backdoor named Sponsor. Ballistic Bobcat’s attack vectors involve exploiting vulnerabilities in Microsoft Exchange servers. So far, at least 34 victims have been recorded in the targeted countries.

New info-stealer targets macOS users

Operators of the new MetaStealer info-stealer were spotted infecting macOS systems and dropping malicious payloads. The threat actors employ social engineering tactics, disguising themselves as potential design clients and distributing MetaStealer via rogue application bundles in DMG format. The malware's main component is an obfuscated Go-based executable designed to harvest data, including iCloud Keychain information and passwords. Some versions also target Telegram and Meta services.

Phishing campaign deploys trio of threats

A sophisticated phishing campaign has been observed employing a deceptive Microsoft Word document lure to deliver a triple threat: Agent Tesla, OriginBotnet, and RedLine Clipper. The campaign begins with a phishing email containing a deliberately blurred image and a fake reCAPTCHA prompt. Clicking the image initiates the delivery of a loader, which then distributes OriginBotnet for keylogging and password retrieval, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information.

Top Vulnerabilities Reported in the Last 24 Hours

Emergency patch for Chrome 0-day

Google has issued an urgent security update for its Chrome web browser to address a critical vulnerability (CVE-2023-4863) actively exploited in the wild. The flaw, described as a heap buffer overflow in the WebP component, could allow attackers to execute arbitrary code or cause a crash. Apple’s recently uncovered buffer overflow issue, CVE-2023-41064, could also be a part of this exploitation chain. Since both issues are related to image processing, experts speculate a potential connection between them.

Critical flaws found in Socomec UPS devices

Cybersecurity researcher Aaron Flecha Menendez from S21sec discovered seven vulnerabilities, including XSS, plaintext password storage, code injection, and more, in the MODULYS GP series of Socomec UPS devices. These vulnerabilities pose a significant risk, potentially allowing attackers to disrupt UPS management and backup power provision. While no directly internet-exposed devices are affected, attackers who already have access to an organization's network could exploit the flaws for higher impact.

Top Scams Reported in the Last 24 Hours

'MrTonyScam' hits Facebook business accounts

A phishing attack campaign named MrTonyScam is using Facebook Messenger to entice victims to click on malicious RAR and ZIP archive attachments. These attachments deploy a multi-stage infection process that ultimately leads to the exfiltration of cookies and login credentials from various web browsers. The threat actors then take control of victims' accounts by changing their passwords using the stolen cookies. Despite requiring user interaction, the campaign has seen a relatively high success rate.