
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 13, 2023

Security experts took the wraps off a massive phishing campaign delivering Remcos RAT. Over 40 organizations across various industries in Colombia have faced the wrath of this attack, whose emails were allegedly from trusted entities, including reputable financial institutions and corporations operating within Colombia. In other headlines, Mozilla patched the same under-attack zero-day issue that Google had fixed a day before. A critical flaw in Adobe software has also been reportedly exploited in limited attacks. The flaw could allow arbitrary code execution. Immediate patching is recommended!

In parallel, a one-of-a-kind attack campaign has emerged to deploy a new ransomware strain, 3AM. The new ransomware family sprang into action after LockBit was blocked on a targeted network. The malware is written in Rust, and it is unclear whether its authors have links to known cybercrime groups.

Top Breaches Reported in the Last 24 Hours

Lazarus Group behind $55 Million CoinEx hack

CoinEx experienced substantial fund outflows to an unfamiliar address, prompting suspicions of a breach. Blockchain security firm SlowMist now estimates the losses to exceed $55 million. SlowMist and investigator ZachXBT have attributed the attack on the exchange to the North Korean hacking group Lazarus. The group's involvement was discovered when the attackers mistakenly linked their address to previous hacks. Deposits and withdrawals have been temporarily suspended for enhanced security.

Criminals use bots to steal vehicle data

A cybercriminal group employed automated bots to infiltrate customer accounts at undisclosed major automakers, subsequently harvesting critical information about thousands of vehicles. The stolen data for about 15,000 accounts was put up for sale on Telegram. While the automakers were not named, one operates in Europe, and two are based in the U.S. Researchers suspect a multi-step process, involving login information stolen from other sites and credential stuffing, was used to capture the account details.

Top Malware Reported in the Last 24 Hours

Colombian Corporations hit with Remcos RAT

Check Point researchers uncovered an attack campaign striking over 40 prominent Colombian companies in just two months. The attackers aimed to discreetly plant the dangerous Remcos RAT, granting them complete control over compromised systems. Deceptive emails, purportedly from trustworthy sources like financial institutions, lured victims with urgent notifications or enticing offers. The attackers used seemingly harmless archive file attachments, containing highly obfuscated BAT files with PowerShell commands, to deliver their payload.

New MidgeDropper variant

FortiGuard Labs Threat Research has identified a new variant of the MidgeDropper malware, which employs a sophisticated infection chain involving code obfuscation and sideloading. Although the initial infection vector remains unclear, it is suspected to involve phishing emails. Once executed, the malware drops various files, including "IC.exe" and "VCRUNTIME140_1.dll," which allow it to download additional payloads from a command and control server. The final payload, however, remains undisclosed.

LockBit stopped, 3AM deployed

A brand-new ransomware family going by the name of 3AM has appeared. After the deployment of LockBit on a targeted network was thwarted, the attackers turned to this new strain. The Rust-written 3AM makes several attempts to shut down different services on an affected machine before beginning the encryption process. After encryption is finished, the attackers attempt to delete Volume Shadow Copy (VSS) snapshots. The attack could not be attributed to any known cybercrime group.

Top Vulnerabilities Reported in the Last 24 Hours

Race condition exploited for repojacking attacks

A recently discovered vulnerability in GitHub's repository creation and username renaming processes could have allowed attackers to exploit a race condition, potentially leading to repojacking attacks. This marks the fourth instance of a unique method that could bypass GitHub's "Popular repository namespace retirement" mechanism. Successful exploitation of this flaw could have impacted over 4,000 code repositories in languages like Go, PHP, and Swift, as well as GitHub Actions, including several highly-starred repositories.

Siemens and Schneider Electric fix ICS flaws

Siemens has published seven advisories detailing a total of 45 vulnerabilities affecting its industrial products. QMS Automotive faces 10 medium- and high-severity vulnerabilities, including session hijacking and arbitrary code execution issues. Meanwhile, Schneider Electric issued one advisory regarding a high-severity vulnerability in its IGSS product. This missing-authentication issue could permit a local attacker to manipulate update sources, potentially leading to remote code execution when malicious content updates are applied.

Mozilla patches zero-day bug

Mozilla has released security updates to address a critical zero-day vulnerability, CVE-2023-4863, in Firefox and Thunderbird, which has been actively exploited in the wild. The flaw is a heap buffer overflow issue in the WebP image format, potentially leading to arbitrary code execution when processing a specially crafted image. Mozilla has acknowledged that this vulnerability has been exploited in other products as well. Google fixed the same flaw in Chrome, with reports of active exploitation.

Adobe warns of actively exploited flaw

Adobe has issued a warning about an actively exploited vulnerability, CVE-2023-26369, in its Adobe Acrobat and Reader software. This out-of-bounds write memory safety issue affects both Windows and macOS installations and can lead to arbitrary code execution. While Adobe did not specify the targeted operating system, it acknowledged that this vulnerability has been actively exploited in limited attacks. The Patch Tuesday release also includes fixes for several documented vulnerabilities across other Adobe products.

Microsoft's Patch Tuesday addresses sensitive bugs

A total of 65 new patches have been released by Microsoft, covering various Microsoft products, including Windows, Exchange Server, Office, .NET, Visual Studio, Azure, Microsoft Dynamics, and Windows Defender. This includes five critical security vulnerabilities and two zero-days that are actively exploited. Additionally, the update includes fixes for third-party issues, including a critical Chromium zero-day vulnerability affecting Microsoft Edge.
