
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 29, 2023

The North Korean Lazarus group has unleashed a new malware in an attempt to expand its ongoing Operation Dreamjob campaign. The malware, dubbed LightlessCan, is being used as a backdoor against an aerospace company located in Spain. Speaking of novel malware threats, the China-based Budworm APT has added a new version of its SysUpdate backdoor to its arsenal, which was used in attacks on a Middle Eastern telecommunications organization and an Asian government.

Moving on, a new set of vulnerabilities affecting a file transfer tool from the MOVEit maker, Progress Software, has surfaced. An advisory issued by the company warns of eight new vulnerabilities affecting all versions of WS_FTP Server, and customers are urged to upgrade to the patched version to stay safe.

Top Breaches Reported in the Last 24 Hours

WBSC inadvertently exposes sensitive information

A misconfigured AWS bucket used by the World Baseball Softball Confederation (WBSC) exposed nearly 50,000 files, out of which 4,600 were national passports. Overall, these files contained a significant amount of personal information, such as full names, dates of birth, and unique passport numbers.

DDoS attack against Russian booking site

A massive DDoS attack on Leonardo, a Russian flight booking system, delayed several operations at airports. The incident also impacted the operations of several Leonardo customers, including Russian air carriers Rossiya Airlines, Pobeda, and the country’s flag carrier Aeroflot, making them temporarily unavailable for users. The Ukrainian hacktivist group IT Army claimed responsibility for the attack.

Top Malware Reported in the Last 24 Hours

Update on Budworm APT’s malware

The Budworm APT used a previously unseen variant of SysUpdate backdoor, known as SysUpdate DLL inicore_v2.3.30.dll, to target a Middle Eastern telecommunications organization and an Asian government. The malware provides attackers with various capabilities, such as capturing screenshots, command execution, and service manipulation.

New LightlessCan backdoor by Lazarus

A previously undocumented backdoor malware named LightlessCan has been attributed to the Lazarus group. The attackers are using the malware as part of the Operation Dreamjob campaign to target employees of an aerospace company located in Spain. The malware is a successor to BlindingCan and is deployed alongside miniBlindingCan (another variant of BlindingCan) via the NickelLoader malware.

Malicious ads injected into Bing Chat

Malwarebytes shared details on a new malvertising campaign that uses Bing Chat to distribute malware. Threat actors are injecting malicious ads that redirect to fake download sites into Bing Chat responses to trick users searching for certain software. In one such instance, researchers came across several fake download websites for Advanced IP Scanner being displayed in Bing Chat responses.

New trend in ransomware attacks

The FBI issued a new private industry notification to warn organizations of new trends in ransomware attacks. It highlights that threat actors are deploying two ransomware variants against the same victim organization within a short time of one another, leading to a mixture of data encryption, exfiltration, and financial losses associated with ransom payments. Ransomware families observed in this trend include AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.

Top Vulnerabilities Reported in the Last 24 Hours

Eight flaws in Progress WS_FTP Server patched

Progress Software, the company behind the widely exploited MOVEit file transfer tool, issued an advisory to warn customers of eight new vulnerabilities impacting all versions of its WS_FTP Server. The most severe of these issues, tracked as CVE-2023-40044 and CVE-2023-42657, carry CVSS scores of 10 and 9.9 respectively. Customers have been urged to upgrade the software to version 8.8.2 to stay safe.

Apache NiFi RCE flaw addressed

A critical RCE vulnerability (CVE-2023-34468) in Apache NiFi can be abused by attackers to gain unauthorized access to systems, exfiltrate sensitive data, and execute malicious code remotely. The bug impacts NiFi versions 0.0.2 through 1.21.0 and has been addressed with the release of NiFi version 1.22.0. Meanwhile, CyFirma notes that there are roughly 2,700 Apache NiFi instances that are still vulnerable to the flaw.

Top Scams Reported in the Last 24 Hours

Credential harvesting through Dropbox

Avanan researchers discovered a sophisticated phishing attack that leveraged the popular Dropbox file-sharing service to steal user credentials. Around 5,440 phishing emails, pretending to be from Dropbox, were sent in the first two weeks of September, prompting recipients to reply or comment on the content by clicking on a link. Once clicked, the link redirected victims to a legitimate Dropbox page that included another link to an external page designed to steal their credentials.

Booking.com users targeted

Booking.com users were the target of a large-scale phishing attack, wherein their personal data, including names, booking dates, hotel details, and partial payment methods, was stolen by attackers. The attackers utilized the stolen data to craft personalized messages designed to play on the fears and urgency of potential victims.
