
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 14, 2023

Recent investigations reveal that the threat actors responsible for RedLine and Vidar have adopted a multifaceted approach, using the same delivery techniques for both info-stealers and ransomware payloads. They were seen utilizing double file extensions to manipulate users into running malicious files. Malvertising remains a potent tool in attackers' arsenals, with security researchers uncovering a campaign that impersonated a popular web conferencing software to deliver DBatLoader, which eventually drops DanaBot on infected systems.

Meanwhile, the health sector received warnings about the Akira ransomware group, targeting organizations lacking VPN multi-factor authentication. Akira employs double-extortion tactics, including data theft and ransomware encryption. Stay vigilant for these threats.

Top Breaches Reported in the Last 24 Hours

Bug-tracking firm compromised

Rollbar, a software bug-tracking company, suffered a data breach where unknown attackers gained access to its systems in early August. The breach was discovered in early September when unusual activity was detected in its data warehouse logs. The attackers sought cloud credentials and Bitcoin wallets while infiltrating Rollbar's systems. They had access for three days, during which they compromised sensitive customer information, including usernames, email addresses, account names, and project details.

Top Malware Reported in the Last 24 Hours

DBatLoader malware evolves to deliver more threats

IBM X-Force has detected an improved version of the DBatLoader malware, showing enhanced features like UAC bypass, persistence, process injection techniques, and shellcode payload support. Additionally, DBatLoader now includes a signed Windows executable vulnerable to DLL-hijacking. Although it experiments with DLL hooking to bypass AMSI, its effectiveness is limited due to implementation issues. Email campaigns delivering the DBatLoader executable use ISO images or various archive formats like 7-Zip, Tar, Zip, or RAR.

RedLine and Vidar operators now drop ransomware

Threat actors behind RedLine and Vidar have streamlined their operations by adding well-established deception tactics. The victim initially receives an info stealer signed with Extended Validation (EV) code-signing certificates, then later starts receiving ransomware payloads through the same channel. Their spear-phishing emails create a sense of urgency while focusing on health and hotel-related themes. LNK files further aid in evading detection. In one case study, a victim received a ransomware payload masquerading as a TripAdvisor complaint email attachment.
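The double-extension lures, LNK attachments and ISO/archive carriers described in the RedLine/Vidar and DBatLoader items above are all visible in the attachment filename, so a mail gateway or SIEM rule can triage them before a user sees them. The following is an added example, not code from Cyware or any vendor named here; the log format and `attachment=` field are assumptions, and the sample log is constructed.

```python
import re
from typing import List, Optional, Tuple

# Extensions Windows runs on double-click; LNK included because the page notes LNK use.
EXEC_EXT = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "jse", "vbs",
            "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Benign-looking extensions used as the visible decoy in names like "report.pdf.exe".
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "html"}
# Container formats the briefing names as DBatLoader carriers; flag for triage.
CONTAINER_EXT = {"iso", "img", "7z", "tar", "zip", "rar"}
ATTACH_RE = re.compile(r"attachment=(\S+)")  # assumed log field name


def classify_attachment(name: str) -> Optional[str]:
    """Label a suspicious attachment filename, or return None if unremarkable."""
    # Collapse whitespace so padding like "report.pdf      .exe" still matches.
    exts = re.sub(r"\s+", "", name.lower()).split(".")[1:]
    if not exts:
        return None
    last = exts[-1]
    if last in EXEC_EXT:
        if len(exts) >= 2 and exts[-2] in DECOY_EXT:
            return "double-extension-executable"
        return "executable-attachment"
    if last in CONTAINER_EXT:
        return "container-attachment"
    return None


def scan_log(log: str) -> List[Tuple[str, str]]:
    """Return (filename, label) for every flagged attachment in a mail log."""
    findings = []
    for line in log.splitlines():
        match = ATTACH_RE.search(line)
        if not match:
            continue
        label = classify_attachment(match.group(1))
        if label:
            findings.append((match.group(1), label))
    return findings


# Constructed sample mail-gateway log lines, not real data.
SAMPLE_LOG = """\
2023-09-14T08:01:10Z from=billing@example.test attachment=Invoice_4471.pdf
2023-09-14T08:03:55Z from=reviews@example.test attachment=Complaint-Report.pdf.exe
2023-09-14T08:05:20Z from=hotel@example.test attachment=Booking_Details.iso
2023-09-14T08:07:02Z from=noreply@example.test attachment=Statement.lnk
2023-09-14T08:09:44Z from=team@example.test attachment=agenda.docx
"""
```

Running `scan_log(SAMPLE_LOG)` flags the `.pdf.exe`, `.iso` and `.lnk` attachments and leaves the plain PDF and DOCX alone; the container label is a triage hint, since an ISO is only dangerous for what it carries.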

Webex users targeted with BatLoader

A new malvertising campaign has surfaced, targeting corporate users who download the popular web conferencing software Cisco Webex with BatLoader. Webex itself has not been compromised; rather, threat actors are exploiting brand impersonation to distribute the malware. A malicious ad impersonating Webex is displayed above Google search results. When victims click on the ad, they are redirected to a malicious website, with BatLoader ultimately delivering the DanaBot malware.

Health sector warned of Akira ransomware

Federal authorities issued a warning to the healthcare sector regarding the Akira RaaS group, which emerged approximately six months ago and has been associated with numerous attacks. Akira appears to favor organizations without multi-factor authentication on their VPNs. The group conducts double-extortion attacks, involving data theft and ransomware encryption. Attack methods include leveraging compromised credentials, exploiting VPN vulnerabilities (especially where multi-factor authentication is absent), phishing emails, malicious websites, drive-by download attacks, and trojan infections.

Top Vulnerabilities Reported in the Last 24 Hours

SAP's critical updates

German software manufacturer SAP has unveiled a total of 13 new and updated security notes as part of its September 2023 Security Patch Day. Among these, five have been categorized as 'hot news,' representing the most severe issues. One of these hot news notes addresses a critical vulnerability in BusinessObjects, CVE-2023-40622, potentially leading to a complete application compromise. SAP has also issued updates for vulnerabilities in the Chromium browser in Business Client, BusinessObjects, and NetWeaver.

Storm-0324 distributes ransomware via MS Teams

The Microsoft Threat Intelligence Team exposed the activities of Storm-0324, a financially motivated threat actor that has been aiding ransomware deployment and providing access to compromised networks since 2019. Starting in July 2023, Storm-0324 began exploiting Microsoft Teams chats to distribute payloads and send phishing lures. The attack chain starts with phishing emails referencing fake payments and invoices.

Bugs expose Windows endpoints to RCE

Akamai has identified two high-severity Kubernetes vulnerabilities that pose a significant threat to Windows endpoints in unpatched clusters. These vulnerabilities, CVE-2023-3893 and CVE-2023-3955, follow a previously reported vulnerability affecting Windows nodes, CVE-2023-3676. Once an attacker exploits the initial flaw, they can leverage these command injection bugs to execute code remotely with SYSTEM privileges. The vulnerabilities stem from insecure function calls and a lack of user input sanitization.

Microsoft Azure patches XSS flaws

Researchers have revealed a set of eight cross-site scripting (XSS) vulnerabilities in Microsoft Azure HDInsight, an open-source analytics service. These flaws could potentially be exploited by threat actors to carry out malicious activities, including data access, session hijacking, and delivering malicious payloads. The vulnerabilities include six stored XSS and two reflected XSS flaws, and they were reported three months after similar weaknesses were discovered in Azure Bastion and Azure Container Registry.
