VIEH Daily Threat Analysis

Here we bring daily threat intelligence from all over the world

VIEH Daily Threat Analysis, 29 | November 2024

Hackers are rewriting the rules of game development with malicious intent. By embedding the GodLoader malware into assets of the popular Godot game engine, attackers have compromised over 17,000 systems globally. Disguised within GitHub repositories, the malware steals credentials, installs crypto miners, and targets developers and gamers alike. WhatsApp’s trust is being turned against its users. The PixPirate malware, which began in Brazil, now spans countries like India, Italy, and Mexico. Spreading through social engineering on YouTube and malicious WhatsApp messages, it manipulates contacts, creates spam groups, and exploits its victims’ trust in the messaging platform. Unpatched software remains an open door for cybercriminals. A critical authentication bypass flaw in ProjectSend is enabling attackers to upload webshells and remotely access servers. Despite the availability of a patch since May 2023, most instances remain vulnerable, highlighting the importance of timely updates.

Top Malware Reported in the Last 24 Hours

Hackers abuse Godot to deploy GodLoader

Hackers utilized the GodLoader malware, taking advantage of the popular Godot game engine to infect over 17,000 systems across multiple platforms. By exploiting the engine’s flexibility and GDScript capabilities, they embedded harmful scripts in game asset files to execute malicious code. The malware enables theft of credentials and the download of additional payloads, including a crypto miner. The attackers utilized the Stargazers Ghost Network to distribute the malware through seemingly legitimate GitHub repositories, targeting developers and gamers.

APT-C-60 targets Japan with SpyGlace

South Korea-linked cyber-espionage group APT-C-60 conducted a cyberattack on an organization in Japan using a job application theme to deliver the SpyGlace backdoor. The attack employed legitimate services like Google Drive, Bitbucket, and StatCounter. A phishing email disguised as a job application was sent to the organization’s recruiting contact, which led to malware infection. The attack involved an RCE vulnerability in WPS Office, which initiated the infection chain through a file hosted on Google Drive. SpyGlace allowed the attackers to steal files and execute commands by connecting to a C2 server.

PixPirate resurfaces, spreads via WhatsApp

The PixPirate malware, originally targeting financial services in Brazil, has evolved to spread through WhatsApp and now affects countries like India, Italy, and Mexico. It uses social engineering tactics on YouTube to trick users into installing it and then spreads through malicious WhatsApp messages. The malware hides itself on devices and exploits WhatsApp’s trust-based system to send and delete messages, manipulate contacts, and create spam groups.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft re-releases Exchange updates

Microsoft re-released the November 2024 security updates for Exchange Server after initially pulling them due to email delivery issues caused by custom mail flow rules. The re-released update, called Nov 2024 SUv2, resolves the mail delivery problems and provides more granular control over email headers. Admins are advised to install the re-released update and run the Exchange Health Checker script after installation. The update also adds detection and warnings for a high-severity Exchange Server vulnerability (CVE-2024-49040).

ProjectSend flaw under exploit

Threat actors are actively exploiting a critical authentication bypass flaw (CVE-2024-11680) in ProjectSend, allowing them to upload webshells and gain remote access to servers. Despite a patch being available since May 16, 2023, the majority of ProjectSend instances (99%) remain vulnerable. Public exploits released in September 2024 have led to an increase in exploitation, with attackers altering system settings, enabling user registrations, and deploying webshells. It’s crucial for users to upgrade to ProjectSend version r1750 to mitigate the widespread attacks.

Top Scams Reported in the Last 24 Hours

“You’re Fired!” Beware of this new scam

A new phishing campaign deceives people into thinking they have lost their jobs. It starts with an email that looks like a legal notice of termination. Cloudflare observed this attack targeting 14 customers, indicating a single actor behind it. One email subject, “Action Required: Tribunal Proceedings Against You,” threatens legal action and prompts users to click a link to download malware. This attack mainly targets Windows users, downloading harmful software, including a banking trojan named Ponteiro that steals credentials.

Credit: Checkpoint, thehackersnews, securityintelligence, bleeping computer, the register, cyware


VIEH Daily threat analysis | 28 October 2024

Threat actors are refining their methods, transforming even the most familiar apps and games into dangerous tools of deception. The latest version of Qilin ransomware now boasts stronger encryption, advanced evasion techniques, and the power to block data recovery efforts. Meanwhile, WrnRAT is hiding in plain sight, masquerading as popular gambling games, giving attackers full control over infected systems to steal data and disrupt processes. In other news, the White House released a memo to advance safe AI development for national security interests. Read on for more.

01 Halcyon researchers discovered a new version of the Qilin ransomware, named Qilin.B, with enhanced encryption, improved evasion tactics, and the ability to disrupt data recovery methods.

02 The WrnRAT malware is being distributed disguised as gambling games like Badugi, Go-Stop, and Texas Hold’em. The malware controls infected systems to steal information, capture user screens, and terminate processes.

03 Aqua Security discovered a critical vulnerability in the AWS Cloud Development Kit that could result in a full account takeover. The exploit involves creating a bucket with a predictable name, known as ‘S3 bucket namesquatting’ or ‘bucket sniping’.

04 The White House released a National Security Memorandum (NSM) focused on advancing safe, secure, and trustworthy AI development for US national security interests. It includes steps to track and counter adversary development and use of AI.

05 Siemens issued a security advisory for its InterMesh wireless alarm reporting system, highlighting multiple vulnerabilities, including CVE-2024-47901, CVE-2024-47902, CVE-2024-47903, and CVE-2024-47904.

06 The U.K. government introduced a new Data Use and Access Bill, aiming to reform the country’s data privacy regime and potentially boost the economy by £10 billion over the next decade.

07 NVIDIA released a security bulletin concerning vulnerabilities in its GPU Display Driver for Windows and Linux that attackers could exploit for code execution, privilege escalation, and DoS attacks.

08 The CISA added a high-severity deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, to its Known Exploited Vulnerabilities (KEV) Catalog.

09 Rome-based cybersecurity awareness training platform Cyber Guru raised $25 million in Series B funding led by Riverside Acceleration Capital, with participation from Educapital, Adara Ventures, and P101 Ventures.

10 Managed cybersecurity service provider RKON Technologies announced its acquisition of Bridge Security Advisors, a solution provider focused on cloud security, governance risk and compliance (GRC), and identity and access management.

Credit: Halcyon, ahnlab, aquasec, therecord, siemens, custhelp, dark reading, eu startups, crn, cyware


VIEH Daily threat analysis | 19 September 2024

UNC2970 is turning job hunting into a minefield, using fake job offers from major energy and aerospace companies to deliver a trojanized PDF reader. The North Korean group has been using a new backdoor, MISTPEN, for this purpose. A subtle flaw in Salesforce’s public link system almost became a treasure trove for hackers. The vulnerability allowed blind SOQL injection attacks through the Aura API, threatening to expose customer PII and sensitive data. Marko Polo’s cybercriminal ring is baiting gaming and cryptocurrency influencers with fake job offers, luring them to malware-laden websites. The group has compromised tens of thousands of people.

Top Malware Reported in the Last 24 Hours

UNC2970 uses new MISTPEN backdoor

A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical infrastructure verticals. The attackers posed as job openings from prominent companies in the energy and aerospace industries. They delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor was capable of downloading and executing PE files and communicated with Microsoft Graph URLs.

Key Group attacks with Chaos ransomware

The Russian ransomware group Key Group is using the .NET-based Chaos ransomware to encrypt files, steal data, and demand ransom via Telegram. The ransomware encrypts files with a random extension and disables system recovery, sparing certain files. A ransom message is displayed upon completion of encryption, directing victims to two URLs for payment. Victims are cautioned not to engage with the attackers, as data recovery is unreliable and the risk of permanent data loss remains even after payment.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome 129 released

Chrome 129 has been released to address multiple security vulnerabilities. The update, version 129.0.6668.58 on Linux and 129.0.6668.58/.59 on Windows and Mac, includes a number of fixes and improvements. Nine security fixes have been included in this release. The security issues range from high to low severity and include issues such as type confusion in V8 (CVE-2024-8904) and inappropriate implementation (CVE-2024-8905) in various parts of the browser.

Broadcom fixes critical RCE bug

Broadcom patched a critical VMware vCenter Server vulnerability that could allow attackers to execute remote code on unpatched servers using a network packet. The flaw, CVE-2024-38812, affects vCenter Server, VMware vSphere, and VMware Cloud Foundation products. The security patches are now available for download. Furthermore, a privilege escalation vulnerability (CVE-2024-38813) was also fixed, which could give threat actors root privileges on vulnerable servers.

Bug in Salesforce’s public link

Varonis Threat Labs discovered a vulnerability in Salesforce’s public link feature, which could be exploited by threat actors to access sensitive data. The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing for a blind SOQL injection attack to retrieve customer information, including PII. Salesforce patched the vulnerability in February. The vulnerability affected virtually any public link generated by Salesforce, posing a widespread risk of data exposure.

Top Scams Reported in the Last 24 Hours

Marko Polo and scams

A cybercrime group known as Marko Polo has compromised tens of thousands of devices worldwide through cryptocurrency and gaming-related scams, targeting high-value individuals like gaming personalities, cryptocurrency influencers, and technology professionals. The group lures victims with fake job opportunities on social media, leading them to malicious websites to download harmful software. Marko Polo is a financially motivated traffic team with members primarily from Russia, Ukraine, and English-speaking countries, using various tactics to deceive victims. They have been involved in social media scams, phishing campaigns, distributing malware, and impersonating legitimate software and services to steal sensitive data and make illicit revenue.

Credit: Google, gbhackers, bleeping computer, varonis, the record, cyware.


VIEH Daily threat analysis | 18 September 2024

Clipper malware is back in action and the attackers are hunting for cryptocurrency wallets. Binance has issued a warning after detecting a surge in ClipBanker attacks, which swap wallet addresses from clipboards, leading to financial losses for unsuspecting users. Apple’s Vision Pro headset hit a snag with a vulnerability dubbed GAZEploit, which let attackers infer virtual keyboard inputs by analyzing eye movements. Patched in visionOS 1.3, CVE-2024-40865 allowed bad actors to extract sensitive data like passwords using supervised learning models to detect typing sessions. WiFi 6 routers are facing a new security storm. D-Link has patched critical vulnerabilities in popular models like COVR-X1870 and DIR-X5460, preventing remote attackers from exploiting flaws like buffer overflows and telnet service issues; users are urged to update their firmware immediately.

Top Malware Reported in the Last 24 Hours

RustDoor attributed to North Korean hackers

North Korean hackers are targeting cryptocurrency users on LinkedIn using the RustDoor malware. The attacks involve pretending to be recruiters for legitimate decentralized cryptocurrency exchanges like STON.fi, aiming to infiltrate networks under the guise of interviews or coding assignments. RustDoor is a macOS malware designed to steal information and operate as a backdoor with two different command-and-control servers. This campaign, detected by Jamf Threat Labs, is significant because it marks the first time RustDoor has been attributed to North Korean threat actors.

Crypto users hit with clipper malware

Cryptocurrency exchange Binance alerted users to a surge in clipper malware attacks targeting cryptocurrency holders. This malware, known as ClipBanker, can intercept clipboard data and replace cryptocurrency wallet addresses with those controlled by attackers. Binance issued a warning on September 13, 2024, after noticing a significant rise in malicious activity, causing financial losses for affected individuals.

Top Vulnerabilities Reported in the Last 24 Hours

D-Link patches critical bugs

D-Link has addressed critical vulnerabilities in select WiFi 6 routers and mesh networking systems that could be exploited by remote attackers to run unauthorized code or gain access with hardcoded credentials. The impacted models are popular choices for consumers seeking high-quality networking equipment. The flaws, including buffer overflow and telnet service issues, were found in COVR-X1870, DIR-X4860, and DIR-X5460 routers. D-Link advises users to update their firmware to resolve the vulnerabilities.

Apple Vision Pro vulnerability revealed

Apple’s Vision Pro headset was affected by a security flaw named GAZEploit, allowing attackers to infer virtual keyboard inputs. The vulnerability, CVE-2024-40865, was patched in visionOS 1.3. Researchers found that analyzing eye movements on a virtual avatar could reveal text entered on the keyboard, compromising user privacy. Threat actors could exploit this to extract sensitive information like passwords, using supervised learning models to differentiate typing sessions from other VR activities.

Java applications at risk

A critical path traversal vulnerability (CVE-2024-38816) in the widely used Spring Framework poses a severe threat to Java applications. Attackers can exploit this flaw to access sensitive files on the server, risking data breaches and system compromise. The vulnerability affects applications using RouterFunctions with a FileSystemResource location for static resource handling. Organizations must promptly update their Spring Framework to versions 5.3.40, 6.0.24, or 6.1.13 to address this risk.

Credit: Jamf, binance, Bleeping Computer, the hackers news, Security Online, Cyware


VIEH Daily threat analysis | 14 August 2024

In a disconcerting twist of events, CERT-UA has sounded the alarm on a phishing campaign that unleashed the ANONVNC malware and compromised over 100 government computers. The ransomware landscape is growing ever more treacherous with the emergence of DeathGrip, a newly minted RaaS that lures aspiring cybercriminals with sophisticated ransomware capabilities. A troubling set of security vulnerabilities in Google’s Quick Share has come to light, exposing users to the QuickShell attack chain that could enable hackers to take complete control of devices and do more harm.

Top Malware Reported in the Last 24 Hours

Phishing campaign targets Ukraine

CERT-UA warned of a new phishing campaign impersonating the Security Service of Ukraine to distribute malware called ANONVNC, which allows for unauthorized access to infected computers. More than 100 computers, including those belonging to government bodies, have been infected since July 2024. The agency also noted an increase in campaigns distributing the PicassoLoader malware to deploy Cobalt Strike Beacon, attributed to a threat actor tracked as UAC-0057.

DeathGrip: New RaaS emerges

A new Ransomware-as-a-Service (RaaS) called DeathGrip has appeared in the ransomware landscape. It is being promoted on underground forums and offers aspiring threat actors sophisticated ransomware tools. The emergence of DeathGrip ransomware highlights the evolving threat landscape, emphasizing the importance of robust cybersecurity measures to safeguard against ransomware attacks.

The scream of Banshee Stealer

A new cyber threat called Banshee Stealer targets macOS systems, posing a significant risk to users. This malicious software can extract sensitive information like passwords from Keychain, system data, and browser details. It also targets cryptocurrency wallets and plugins, making it a comprehensive tool for cybercriminals.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches critical flaw

Security researchers discovered critical vulnerabilities in Google’s Quick Share, leading to remote code execution and the potential for attackers to gain full system control. The vulnerabilities could have allowed attackers to force file downloads, hijack Wi-Fi connections, and ultimately gain full system control through a series of exploits known as the QuickShell attack chain. Google has acknowledged the severity of the issue and deployed fixes for the reported vulnerabilities.

Patch this FreeBSD bug!

The FreeBSD Project has released urgent security updates to fix a high-severity flaw in OpenSSH (CVE-2024-7589), which could allow remote attackers to execute arbitrary code with elevated privileges. The flaw stems from a race condition in the privileged sshd context, caused by calling functions that are not async-signal-safe. Users are urged to upgrade to a supported FreeBSD stable version and restart sshd to mitigate the issue.

Top Scams Reported in the Last 24 Hours

BEC scam targets Orion SA

Orion SA, a Luxembourg-based chemicals and manufacturing company, disclosed in a filing with the U.S. SEC that it fell victim to a criminal wire fraud scheme, potentially losing around $60 million. The incident, believed to be a BEC scheme, involved fraudulent wire transfers to accounts controlled by unknown parties. Orion is working with law enforcement to recover the funds and has not found evidence of further fraudulent activity or unauthorized access to its systems.

Credit: The hackers news, broadcom, cybersecurity news, safebreach, security affairs, the register, Cyware
