Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Skip to main content

Cyware Weekly Threat Intelligence - May 20–24

Cyware Weekly Threat Intelligence - May 20–24 - Featured Image

Weekly Threat Briefing May 24, 2024

The Good

In a dramatic sweep against the shadowy underbelly of the internet, authorities have dismantled several dark web marketplaces in Operation SpecTor, seizing drugs, firearms, counterfeit currencies, and cryptocurrency. Meanwhile, the White House has rolled out a framework to safeguard U.S. workers from AI risks, emphasizing health, safety, and job transition support.

  • Authorities have successfully dismantled several dark web marketplaces offering illicit goods in a coordinated global crackdown known as Operation SpecTor. The operation, led by Europol, involved authorities from the U.S., U.K, Germany, and Australia. Authorities targeted several high-profile dark web markets, seizing servers, arresting key operators, and confiscating vast amounts of illegal goods including drugs, firearms, counterfeit currencies, and stolen data. Significant amounts of cryptocurrency used for dark web transactions were also confiscated.
  • The White House unveiled a framework to protect U.S. workers from the risks posed by AI in the workplace, emphasizing the importance of health and safety rights, governance, human oversight, and transparency as organizations adopt emerging technologies. The principles also encourage employers to upskill workers whose jobs are replaced or transitioned due to AI technologies. The AI safety framework is voluntary, similar to other recent AI frameworks and best practices released by the White House.
  • The U.K government has published voluntary guidance to help AI developers and vendors secure their AI models. The guidance includes recommendations such as monitoring AI system behavior, performing model testing, and procuring secure software components from verified third-party developers. It also emphasizes the need to ensure the integrity of training data and to provide security training for AI developers.
  • The U.K government is investing £8.5 million ($10.8 million) to fund new AI safety research aimed at tackling cyber-threats, including deepfakes, to better protect society from AI risks and harness the technology's benefits. The research aims to generate ideas on how to adapt infrastructure and systems for a world where AI is embedded in everything.

The Bad

In a brazen cyberattack, JAVS courtroom software was compromised, affecting over 10,000 installations worldwide. Simultaneously, Apple’s Wi-Fi Positioning System is facing scrutiny for potential privacy abuses, enabling global tracking. Meanwhile, the GitCaught campaign, exploiting GitHub and FileZilla, is spreading malware, raising alarms about sensitive data theft by possible Russian-speaking threat actors.

  • The JAVS courtroom recording software was recently targeted in a supply chain attack where attackers backdoored the installer with malware, allowing them to compromise systems. The compromised software, containing a malicious fffmpeg.exe binary, was distributed to over 10,000 installations in courtrooms, legal offices, correctional facilities, and government agencies worldwide.
  • Apple's Wi-Fi Positioning System can be abused to create a global privacy nightmare by allowing the tracking of individuals and groups, even those not using Apple devices, through the collection and analysis of Wi-Fi access point (AP) location data. This data can be used to identify individual homes, businesses, military units, and other sensitive locations.
  • Recorded Future's Insikt Group discovered a campaign dubbed GitCaught, exploiting legitimate services like GitHub and FileZilla to distribute an array of malware. Perpetrators, possibly Russian-speaking threat actors, utilize fake profiles and repositories on GitHub to host counterfeit software, aiming to steal sensitive data. The malware distributed included Atomic, Vidar, and Octo.
  • A consumer-grade spyware app, pcTattletale, has been discovered on check-in systems at three Wyndham hotels in the U.S., exposing sensitive data. The spyware, intended for remote monitoring, captured screenshots containing sensitive information like guest names and partial payment card numbers. It was found exposing these screenshots publicly due to a security flaw.
  • Attackers exploited the obscure Dessky Snippets WordPress plugin to inject server-side malware into a WooCommerce store, stealing credit card details. The malware, disguised within PHP code, manipulates billing forms to capture sensitive information. It then sends the captured data to a third-party URL, bypassing browser autocomplete warnings to avoid suspicion.
  • An unidentified threat actor was found exploiting known vulnerabilities in Microsoft Exchange Server to deploy a keylogger malware, targeting entities across Africa and the Middle East. Russian cybersecurity firm Positive Technologies revealed over 30 victims, including government agencies, banks, and educational institutions, with compromises dating back to 2021. The attack exploits ProxyShell flaws, allowing attackers to bypass authentication and execute remote code.

New Threats

In a digital cloak and dagger, researchers unveiled Hijack Loader's new anti-analysis tactics, bypassing defenses and distributing potent malware. Meanwhile, two students exposed a vulnerability in CSC’s laundry machines, triggering cycles without payment via a flawed API. Additionally, over 20,000 WordPress sites using the UserPro plugin face a critical security flaw, risking unauthorized access through compromised password resets.

  • Zscaler ThreatLabz reported a new version of Hijack Loader incorporating updated anti-analysis methods for stealthier operations. The loader now bypasses Windows Defender, UAC, and employs process hollowing. It delivers various malware families, including Amadey, and utilizes PNG image decryption for payload loading. Recent iterations also feature additional modules for enhanced capabilities, posing a significant threat in malware distribution campaigns.
  • Two UC Santa Cruz students Alexander Sherbrooke and Iakov Taranenko uncovered a vulnerability affecting over a million internet-connected laundry machines. They could remotely command the laundry machines to start cycles without payment. The flaw lies in the insecure API used by CSC's mobile app, lacking proper security checks. CSC reportedly reset the students' account balance of several million dollars but failed to fix the bug.
  • The UserPro plugin by DeluxeThemes, used by over 20,000 WordPress sites for creating user profiles and community portals, was found to have a critical security vulnerability. Discovered by Patchstack, the flaw resides in the password reset mechanism within the userpro_process_form function, allowing unauthenticated users to change others' passwords under certain conditions. Identified as CVE-2024-35700, the issue stemmed from improper handling of the “secret key” during password resets, enabling unauthorized access.
  • Google has patched the eighth zero-day vulnerability in Chrome this year that was being actively exploited. The vulnerability, tracked as CVE-2024-5274, is a high-severity 'type confusion' flaw in Chrome's V8 JavaScript engine. Google has updated Chrome to version 125.0.6422.112/.113 for Windows and Mac, and version 125.0.6422.112 for Linux to fix the vulnerability.
  • Intel disclosed a critical vulnerability in its Intel Neural Compressor software for AI model compression that allows remote attackers to execute arbitrary code on affected systems. The vulnerability, designated as CVE-2024-22476, is caused by improper input validation in the software. It allows unauthenticated attackers to remotely execute arbitrary code on systems running affected versions of Intel Neural Compressor. Intel has given the vulnerability a maximum severity score of 10 on the CVSS scale.
  • Sentinel One researchers revealed a shift in tactics among cybercriminal groups increasingly deploying ransomware to disrupt and draw attention to political causes, targeting Philippine entities. Groups such as Ikaruz Red Team (IRT), Turk Hack Team, and Anka Underground leverage leaked builders, hijack branding from government agencies like CERT-PH, intertwining cyberattacks with geopolitical tensions.

Related Threat Briefings

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.