Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Sep 18, 2020

Impersonation scams are highly successful in hitting their targets and this time, one such scam has affected at least 100 U.K business owners. The scam tricked the recipients into believing that the email was from Her Majesty’s Revenue and Custom (HMRC) and pilfered personal information from them.

Several healthcare firms have been added to the list of victims in the massive Blackbaud ransomware attack. The newly added organizations are Children’s Minnesota, Allina Health, Regions Hospital, and Gillette Children’s Specialty Healthcare.

Meanwhile, the infamous Maze ransomware gang has been found to add a new evasion technique to its arsenal. It has adopted a technique of the Ragnar Locker gang that involves hiding the malware in a Virtual Machine.

Top Breaches Reported in the Last 24 Hours

Children’s Minnesota affected

Children’s Minnesota disclosed that the personal information of over 160,000 patients and donors were compromised in the attack on Blackbaud. The cloud computing company, which managed databases for the firm, was hit in a ransomware attack in May. Children’s Minnesota has notified the affected patients about the data breach. The newly added victim organizations also include Allina Health, Regions Hospital, and Gillette Children’s Specialty Healthcare.

Top Malware Reported in the Last 24 Hours

Maze goes Ragnar Locker’s way

Maze ransomware operators have borrowed an evasion technique from Ragnar Locker operators to spread its malware faster across the network. It involves hiding the malware payload inside a virtual machine, a technique that was adopted by Ragnar Locker attackers this May. The Maze gang had leveraged the method in one of its attacks in July.

Top Vulnerabilities Reported in the Last 24 Hours

XSS bug in Ruby Gem

A potential cross-site scripting (XSS) bug found in the popular Ruby Gem, Action View, has been fixed with the release of the latest versions. The flaw is in Action View’s translation helpers, which attempts to translate user input. It can allow attackers to inject malicious code into the web application framework. The XSS issue has been patched in Rails versions 6.0.3.3 and 5.2.4.4, as well as the project’s master, 6-0-stable, and 5-2-stable branches on GitHub.

Drupal addresses multiple flaws

Drupal has addressed multiple information disclosure and XSS vulnerabilities in the popular CMS. The most severe of these is CVE-2020-13668 and affects Drupal versions 8 and 9. The flaw can be exploited by leveraging the way HTML is rendered for affected forms.

Top Scams Reported in the Last 24 Hours

Business owners targeted

U.K business owners have been targeted in a new phishing scam that attempts to pilfer sensitive information from them. The scammers impersonate Her Majesty’s Revenue and Custom (HMRC) and send emails to victims, informing that their VAT deferral has been rejected. The email further asks the recipients to fill a form enquiring about their personal information. At least, 100 business owners have so far been affected by the scam.

Related Threat Briefings

Feb 7, 2025

Cyware Daily Threat Intelligence, February 07, 2025

North Korean hackers are refining their phishing playbook, now using the forceCopy malware to hijack credentials. The Kimsuky hacking group is targeting victims with deceptive emails containing Windows shortcut files disguised as Microsoft Office or PDF documents. The attack also involves the usage of additional malware. CISA has added critical vulnerabilities to its KEV catalog, signaling an urgent need for patching. The list includes flaws in Microsoft Outlook and Sophos XG Firewall, both carrying a CVSS score of 9.8. Federal agencies have until February 27 to patch these. A long-standing Chinese cyber-espionage group, GreenSpot APT, is running a phishing campaign that preys on users of the popular Chinese email service 163[.]com. The group, which has been active since 2007, has registered fake domains to steal login credentials from government and military personnel

Feb 6, 2025

Cyware Daily Threat Intelligence, February 06, 2025

Cybercriminals are getting more sophisticated, turning search engines into traps. A fake Google ad for Cisco AnyConnect led unsuspecting users to a counterfeit website, mimicking a German university to evade security filters. The fraudulent site redirected victims to a spoofed Cisco download page, pushing NetSupport RAT as the legitimate AnyConnect installer. Russian organizations are under fire as attackers distribute NOVA stealer, a new variant of SnakeLogger, through phishing emails. Advertised on underground forums as MaaS for as little as $50 per month, NOVA is designed for credential theft, keylogging, and clipboard data extraction. Cisco has patched two critical vulnerabilities in its Identity Services Engine, which could allow remote attackers to execute commands and manipulate system configurations. Exploited through specially crafted API requests, these flaws pose significant risks for enterprises using ISE for authentication and network control.

Feb 5, 2025

Cyware Daily Threat Intelligence, February 05, 2025

North Korean hackers are turning fake job interviews into a gateway for cyber espionage. SentinelOne identified new variants of the macOS malware FlexibleFerret, used in the Contagious Interview operation to lure targets with fake job interviews. Victims are tricked into downloading malicious software disguised as virtual meeting tools, allowing attackers to gain control over their systems. Cyberespionage groups are shifting their sights to the backbone of enterprise networks. A newly discovered malware, linked to the DaggerFly APT group, is targeting Linux-based network devices instead of standard endpoints. By hijacking SSH connections and replacing system binaries, the malware ensures long-term persistence while silently extracting sensitive data. A security flaw in AMD processors has raised concerns over hardware-based attacks. This bug could allow attackers with admin access to load malicious microcode, potentially undermining system integrity. This exploit underscores the growing risks of hardware security gaps, where even minor weaknesses can have major consequences.

Feb 4, 2025

Cyware Daily Threat Intelligence, February 04, 2025

Cybercriminals are finding new ways to weaponize everyday tools, and this time, they’re using TryCloudflare to hide their tracks. Researchers uncovered a phishing campaign that stealthily delivers AsyncRAT via Python scripting and cloud tunnels. The attack starts with a Dropbox link leading to a maze of scripts that ultimately drop a harmful payload. Even AI developers aren’t safe from deception. Threat actors have infiltrated PyPI with two malicious packages disguised as legitimate tools for DeepSeek. These fraudulent packages steal sensitive data, from user credentials to API keys, proving once again that trust in open-source repositories can be a double-edged sword. One small vulnerability, one massive risk. Russian cybercriminals exploited a zero-day in 7-Zip to deliver SmokeLoader in attacks on Ukrainian entities. By bypassing Windows Mark-of-the-Web protections, the attackers tricked victims into executing malware-laden files.

Feb 3, 2025

Cyware Daily Threat Intelligence, February 03, 2025

Cybercriminals are exploiting trust and social engineering at scale, preying on unsuspecting victims across industries. The Russian-speaking cybercrime gang Crazy Evil has been linked to over 10 social media scams, tricking users into installing malware like StealC and AMOS. Operating primarily through Telegram, the group specializes in identity fraud, cryptocurrency theft, and info-stealers. A wedding invitation should bring good news, not malware. Hackers in Malaysia and Brunei are targeting users with fake wedding invites spread via WhatsApp and Telegram, tricking them into installing a new Android malware called Tria. The campaign resembles UdangaSteal but focuses on new social engineering tactics. Even the tightest security can come undone with a race condition. Apple patched a critical vulnerability in macOS Sonoma, Sequoia, and iPadOS, which allowed hackers to escalate privileges and run code at the kernel level. Apple fixed the issue by improving memory management, but this serves as another reminder that even the most secure systems need constant vigilance.

Jan 31, 2025

Cyware Daily Threat Intelligence, January 31, 2025

Cybercriminals are sharpening their tactics, and Brazilian financial firms are the latest target. The Coyote banking trojan is on the prowl, using malicious Windows LNK files to execute PowerShell scripts that steal data and compromise systems. Meanwhile, a new browser-based threat is emerging—syncjacking. This attack exploits malicious extensions to hijack browsers, disable security settings, and access stored credentials. In its final stage, attackers gain full control of devices, including cameras and audio, without detection. Speaking of hidden threats, users of Microsoft Ads are being tricked by fraudulent Google ads leading to phishing pages designed to steal their login credentials. This campaign has persisted for two years, slipping past security filters and mimicking Microsoft’s login process with deceptive precision. For detailed Cyber Threat Intel, click ‘Read More’.

Jan 29, 2025

Cyware Daily Threat Intelligence, January 29, 2025

Cybercriminals are refining their tactics, blending deception with persistence to breach defenses. A financially motivated threat actor has been running a phishing email campaign since last year, targeting users in Poland and Germany. The attacks use payloads like Agent Tesla, Snake Keylogger, and a new backdoor named TorNet. Zyxel CPE Series devices are under siege as researchers uncover an actively exploited zero-day vulnerability. This flaw allows attackers to execute remote commands, potentially leading to system takeovers, data loss, and network intrusions. The attacks, originating primarily from Taiwan, have compromised over 1,500 devices, sparking urgent calls for users to apply security updates. Phishing scams continue to evolve, with a new campaign exploiting PDF documents to steal Amazon Prime credentials. Victims receive emails warning of an expired membership, leading them to a fake Amazon login page where they unknowingly hand over personal and credit card information.

Jan 28, 2025

Cyware Daily Threat Intelligence, January 28, 2025

Even the sleekest systems have their cracks. Apple has patched a critical CoreMedia vulnerability that hackers have already exploited to target devices. The flaw, which impacts how audio and video are processed, had been actively used against earlier versions of iOS prior to iOS 17.2. Apple’s fix is now available for iPhones XS and later, select iPads, and the company’s latest hardware. Security shouldn’t feel like Swiss cheese. Yet, SonicWall’s SMA1000 appliances are under siege, with attackers exploiting a critical vulnerability to install malware without requiring credentials. Despite a patch being available, over 5,000 devices remain exposed, allowing hackers to hijack SSL VPN sessions remotely. Think twice before clicking on that delivery notification. Phishers posing as USPS are sending fraudulent SMS messages claiming a package couldn’t be delivered due to “incomplete address information.” With over 630 phishing pages spanning 50 countries, the campaign targets unsuspecting individuals at an alarming scale. In today’s digital landscape, not all deliveries are worth opening - especially the fraudulent ones.

Jan 27, 2025

Cyware Daily Threat Intelligence, January 27, 2025

Once again proving there’s no honor among thieves, hackers were found preying on script kiddies via a trojanized XWorm RAT builder, compromising over 18,000 devices globally. The fake builder allowed operators to steal data and issue commands through a Telegram-based C2. LTE and 5G networks face a critical challenge as researchers uncover 119 vulnerabilities that could disrupt services or breach core networks. These flaws, linked to buffer overflows and memory corruption, leave mobile users exposed to potential monitoring and targeted attacks. A deceptive malware campaign leverages fake CAPTCHA pages and clipboard hijacking to spread Lumma Stealer across industries in multiple regions. The malware uses advanced evasion tactics to outmaneuver security defenses while stealing sensitive data.

Jan 24, 2025

Cyware Daily Threat Intelligence, January 24, 2025

Hackers are crafting convincing traps by mimicking trusted platforms. Nearly 1,000 fake web pages imitating Reddit and WeTransfer are being used to distribute Lumma Stealer. Fraudsters fake Reddit discussions and provide malicious WeTransfer links, creating an illusion of authenticity. Juniper edge devices are under attack by J-magic, a stealthy malware that activates only when it detects a specific magic packet. Targeting multiple industries J-magic’s reverse shell remains dormant until triggered, enabling covert communications. A flaw in Cloudflare's CDN exposes users’ locations via images sent through apps like Signal and Discord. By exploiting this vulnerability, attackers can pinpoint a target’s location within a 250-mile radius, leveraging Cloudflare's caching system to silently gather data.

Jan 23, 2025

Cyware Daily Threat Intelligence, January 23, 2025

Cybercriminals are finding new ways to exploit the cloud. The financially driven TRIPLESTRENGTH group has been targeting platforms like Google Cloud and AWS for cryptojacking and ransomware, often leveraging stolen credentials from malware infections. The QakBot loader has a new ally: BackConnect (BC) malware. Researchers uncovered its use in tandem with tools like DarkVNC and KeyHole, bolstering system data theft and remote access capabilities. This innovation is linked to Storm-1811 and the deployment of Black Basta ransomware. AIRASHI, an AISURU botnet variant, has been exploiting zero-day vulnerabilities in Cambium Networks cnPilot routers to deliver DDoS attacks reaching up to 3 Tbps. Its operators flaunt their capabilities on Telegram, with compromised devices found across the globe.

Jan 22, 2025

Cyware Daily Threat Intelligence, January 22, 2025

A covert supply chain attack compromised a South Korean VPN provider, with the China-linked APT group PlushDaemon embedding its SlowStepper backdoor into a malicious installer. Active since 2019, this espionage campaign leverages a sophisticated toolkit, hijacked app updates, and server vulnerabilities to target victims across multiple nations. The Murdoc botnet has emerged as a formidable threat, exploiting vulnerabilities in AVTECH IP cameras and Huawei routers to infect over 1,370 systems in Southeast Asia and Latin America. With its roots in Mirai, this botnet uses shell scripts tailored to IoT architectures, aiming to power massive DDoS campaigns. Oracle’s latest Critical Patch Update addresses 318 vulnerabilities, including a severe flaw in its Agile Framework. With critical risks spanning products like JD Edwards and Communications Routers, organizations are urged to update immediately to mitigate the danger of exploitation.