Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates


Critical Vulnerability in Fluent Bit Logging Utility Threatens Cloud Infrastructure

27-May-2024
Label: Vulnerability
Threat Level: Medium

Researchers uncovered a critical memory-corruption flaw, dubbed Linguistic Lumberjack, in the built-in HTTP server of Fluent Bit, the logging and metrics agent used widely across cloud services to handle log data.

The vulnerability, tracked as CVE-2024-4323 (CVSS 9.8), is present in versions 2.0.7 through 3.0.3 and is fixed in 3.0.4. Malformed requests to the monitoring API's /api/v1/traces endpoint trigger a heap buffer overflow, which can lead to denial of service (DoS), disclosure of sensitive process memory, or, in the worst case, remote code execution (RCE). Exposure depends on whether the HTTP server is enabled and reachable: it is off by default, and binding it to localhost or a trusted network limits the attack surface until the agent is patched.
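A triage check for the affected range above, added here as an example and not code from the Fluent Bit project: it reads the version string printed by `fluent-bit --version` and the [SERVICE] section of a classic-format configuration, then reports whether the build falls in 2.0.7 through 3.0.3 and whether the built-in HTTP server that hosts the monitoring API is enabled and bound beyond localhost. The `http_server`, `http_listen` and `http_port` keys and their defaults (off, 0.0.0.0, 2020) are Fluent Bit's own; the version output and configuration text are constructed for the example, and the 3.0.4 fixed version is added from the upstream release, not from the alert text.

```python
"""Triage check for CVE-2024-4323 (Fluent Bit "Linguistic Lumberjack").

Constructed example: combines the affected version range with the reachability
of the HTTP monitoring API, since the vulnerable endpoint is only exposed when
that server is switched on in the [SERVICE] section.
"""
import re

AFFECTED_MIN = (2, 0, 7)
AFFECTED_MAX = (3, 0, 3)
FIXED = (3, 0, 4)  # first fixed release (not stated on the alert page)


def parse_version(text):
    """Extract a (major, minor, patch) tuple from e.g. 'Fluent Bit v3.0.3'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies inside the range the advisory names."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def parse_service_section(config_text):
    """Return the key/value pairs of the [SERVICE] section, keys lower-cased."""
    settings = {}
    in_service = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_service = line.upper() == "[SERVICE]"
            continue
        if in_service:
            parts = line.split(None, 1)
            if len(parts) == 2:
                settings[parts[0].lower()] = parts[1].strip()
    return settings


def http_api_exposure(settings):
    """Classify how reachable the monitoring HTTP server is.

    Defaults mirror Fluent Bit's: http_server off, http_listen 0.0.0.0, http_port 2020.
    """
    enabled = settings.get("http_server", "off").lower() in ("on", "true")
    listen = settings.get("http_listen", "0.0.0.0")
    port = settings.get("http_port", "2020")
    if not enabled:
        return "disabled"
    if listen in ("127.0.0.1", "localhost", "::1"):
        return "localhost-only"
    return f"network-exposed ({listen}:{port})"


def assess(version_text, config_text):
    """Combine version and exposure into a single risk statement."""
    version = parse_version(version_text)
    affected = is_affected(version)
    exposure = http_api_exposure(parse_service_section(config_text))
    if not affected:
        risk = "not affected"
    elif exposure == "disabled":
        risk = "affected build, endpoint unreachable"
    elif exposure == "localhost-only":
        risk = "affected build, local access only"
    else:
        risk = "affected build, remotely reachable"
    return {"version": version, "affected": affected, "fixed_in": FIXED,
            "exposure": exposure, "risk": risk}


if __name__ == "__main__":
    # Constructed `fluent-bit --version` output and a constructed fluent-bit.conf.
    SAMPLE_VERSION = "Fluent Bit v3.0.3"
    SAMPLE_CONFIG = """
[SERVICE]
    flush        1
    http_server  On
    http_listen  0.0.0.0
    http_port    2020
[INPUT]
    name cpu
"""
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Running it against a host's real `fluent-bit --version` output and configuration tells you in one line whether to prioritise the patch (affected and remotely reachable) or whether the monitoring server being off already removes the network path to the bug.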

CLOUD#REVERSER Leverages Cloud Services to Compromise Systems

27-May-2024
Label: Malware
Threat Level: Medium

A new malware campaign, tracked as CLOUD#REVERSER, has been observed using Google Drive and Dropbox to stage payloads and exfiltrate sensitive data. Hosting its scripts on these cloud platforms lets the operators keep access to victims while their traffic blends in with legitimate use of the same services.

The attack begins with a phishing email that prompts the user to download a ZIP archive containing a single executable whose icon has been changed to mimic a Microsoft Excel spreadsheet. The filename also carries a Unicode Right-to-Left Override character (RLO, U+202E), which reverses the characters that follow it so that a name ending in .exe is displayed as if it ended in .xlsx.

Once the executable establishes persistence on the infected system, it runs a series of commands to set up a covert channel to the attackers' command-and-control (C2) infrastructure and pulls further scripts down to the host.
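The filename trick described above can be checked mechanically. The following is an added example, not code from the report, that flags any Unicode bidirectional control character in a filename, computes the extension the operating system will actually use, and approximates what the user sees so the two can be compared. The lure filename is constructed for the example; the rendering logic handles the RLO case (text after U+202E shown reversed until a U+202C or the end of the name) and is a simplification of the full Unicode bidi algorithm, which is enough to expose the extension swap.

```python
"""Detect filenames that use Unicode bidi override characters to make an
executable look like a document.  Added example with a constructed filename.
"""

# Explicit bidi formatting characters (U+202A..U+202E embeddings/overrides,
# U+2066..U+2069 isolates).  None of them belongs in a legitimate filename.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}


def bidi_controls_in(name):
    """Positions and names of bidi control characters found in the string."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def real_extension(name):
    """The extension the OS uses: text after the last '.' once controls are removed."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[1].lower() if "." in clean else ""


def apparent_name(name):
    """Approximate the rendered string: characters after an RLO are shown
    reversed until a PDF (U+202C) or the end of the name; other controls are
    invisible.  Simplified bidi handling, sufficient for the extension trick."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            j = i + 1
            while j < len(name) and name[j] != "\u202c":
                j += 1
            out.append(name[i + 1:j][::-1])
            i = j + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def check_filename(name):
    """Return what the user sees, what the OS runs, and a verdict."""
    shown = apparent_name(name)
    real = real_extension(name)
    shown_ext = shown.rsplit(".", 1)[1].lower() if "." in shown else ""
    controls = bidi_controls_in(name)
    if not controls:
        verdict = "clean"
    elif real in EXECUTABLE_EXTS and shown_ext != real:
        verdict = f"disguised executable: shown as .{shown_ext}, runs as .{real}"
    else:
        verdict = "suspicious: bidi control character in filename"
    return {"shown": shown, "real_extension": real, "controls": controls, "verdict": verdict}


if __name__ == "__main__":
    # Constructed lure name: the RLO makes the trailing "xslx.exe" render as "exe.xlsx".
    for sample in ("RFQ-2024-05fl\u202exslx.exe", "RFQ-2024-05.xlsx"):
        print(sample.encode("unicode_escape").decode(), "->", check_filename(sample))
```

Run the check over attachment names at the mail gateway or over new files in user download directories; the presence of any of these control characters is itself a strong indicator, and the shown-versus-real extension mismatch makes the verdict unambiguous for the RLO case.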

Evading Security: The Emergence of the D3F@ck Loader Threat

27-May-2024
Label: Malware
Threat Level: Medium

A newly identified Malware-as-a-Service (MaaS) loader, known as D3f@ck Loader, has been detected by security researchers. The loader is engineered to slip past several layers of Windows endpoint defense, including the download protections in Google Chrome and Microsoft Edge, Windows Defender, and Microsoft SmartScreen. It has been used to distribute well-known malware families such as Raccoon Stealer and Danabot.

What makes D3f@ck Loader effective is its use of Extended Validation (EV) code-signing certificates, which carry more trust because of the stricter identity checks behind them; SmartScreen in particular shows fewer warnings for EV-signed binaries. By signing the loader with EV certificates, the operators blunted those warnings. Researchers tied the loader to three signing certificates, all of which were revoked once they were identified; until then, the signed samples passed common defenses.

D3f@ck Loader is delivered through deceptive websites that imitate legitimate software downloads. Once a victim runs the installer, a multi-stage infection chain built on Inno Setup, a script-driven installer, unpacks Base64-encoded strings to deploy the malware discreetly. The installer script suppresses command echo (the batch-file @echo off behaviour) to keep its activity out of sight, downloads further components, disables or bypasses Windows Defender, and injects the payload into a running process, while maintaining contact with a command-and-control server that coordinates delivery of the final payload.

The case underscores how MaaS operations keep evolving, here by co-opting trusted artifacts such as EV certificates to subvert the defenses that rely on them.

New SamsStealer Information Stealer Targets Windows Systems

27-May-2024
Label: Malware
Threat Level: Medium

Security researchers recently discovered a new information stealer, SamsStealer, that poses a significant threat to Windows users. It targets browsers and desktop applications to collect sensitive data such as saved passwords, cookies, session tokens, and cryptocurrency wallet information, and its collection and exfiltration routine can hand the operator access to a victim's online accounts.

SamsStealer begins by creating a temporary folder under the system's temp directory to hold the stolen material. It then issues asynchronous calls to gather several categories of data: IP address and system information, passwords and cookies from multiple browsers, session data from messaging applications such as Telegram, and Discord account details. The collectors run concurrently to speed up extraction, and files of no value to the operator are pruned from the haul so the upload stays small. Everything gathered is written to text files in the temporary folder.

After the collection phase, SamsStealer compresses the folder into a ZIP archive, uploads it to an online file-sharing service, and sends the resulting download link to the attacker in a Telegram message.

Surge in CatDDoS-Related Gangs Activity

27-May-2024
Label: Malware
Threat Level: Medium

The CatDDoS botnet, a variant of Mirai, has been exploiting over 80 vulnerabilities across various devices and vendors, impacting sectors globally like education, cloud services, and public administration. Notably, these attacks have heavily targeted countries such as the US, France, Germany, Brazil, and China. Despite an apparent shutdown in December 2023, new variants like RebirthLTD and Komaru have emerged, sharing similar communication and encryption methods, indicating the botnet’s resilience and adaptability.

CatDDoS botnet groups commonly engage in "template sharing": different groups reuse the same source code with minor modifications, which is why encryption and communication methods look alike across botnet families. The practice is widespread among IoT botnets and has been observed in variants such as v-2.0.4 (CatDDoS) and v-Rebirth (RebirthLTD). The rival variants also attack one another's control servers, a sign of ongoing turf wars among operators in the IoT botnet ecosystem.

The botnet’s evolution includes notable variants such as v-snow_slide, which has connections to other botnets like Fodcha, indicating possible code reuse and adaptation. These variants, often managed by different groups, maintain similar encryption methods, such as the use of the chacha20 algorithm. Overall, CatDDoS-related gangs continue to pose significant cybersecurity challenges, with their ability to adapt and persist in the threat landscape despite efforts to mitigate their activities.

Critical Chrome Vulnerabilities Patched: Google Addresses Recent Zero-Days

27-May-2024
Label: Vulnerability
Threat Level: Medium

Google has patched a zero-day vulnerability in the Chrome browser, tracked as CVE-2024-5274 (CVSS 7.5), that is being exploited in the wild. The fix ships in Chrome 125.0.6422.112/.113, so confirm that managed browsers have updated to at least that build.

The high-severity flaw is a type confusion bug in V8, Chrome's JavaScript and WebAssembly engine. Type confusion is dangerous because code that treats a memory object as the wrong type can read or write out of bounds, which attackers can turn into crashes or arbitrary code execution in the renderer.

This is the fourth Chrome zero-day Google has addressed in the past two weeks. Among the others is CVE-2024-4761, an out-of-bounds write in V8 with a higher CVSS score of 8.8, which could likewise be exploited to corrupt memory and achieve arbitrary code execution.
