Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 2, 2023
Industrial organizations in Eastern Europe have become targets of Chinese state-sponsored threat actors, who have introduced a new malware strain that steals data from air-gapped systems. The attackers reportedly employed at least 15 distinct implants, each serving a specific stage of the operation. Despite advances in email threat detection, malicious emails continue to evolve: a sophisticated phishing campaign was spotted exploiting a Salesforce zero-day flaw to send targeted emails, and the flaw has since been fixed.
Mozilla has rolled out Firefox 116. The release addresses 14 security issues with an overall high severity rating; the most serious of them allowed attackers to execute code and install software without any user interaction.
Data extortion attack on medical institute
The Chattanooga Heart Institute, Tennessee, disclosed a cyberattack incident that affected more than 170,000 individuals. The victims are being notified about the potential theft of their sensitive personal and medical information. Patient data, including names, birthdates, Social Security numbers, health insurance information, medical conditions, and more, may have been compromised. The Karakurt cybercrime group reportedly claimed responsibility for the hack.
Healthcare workers’ information exposed
A data breach at the Health Employers Association of BC (HEABC) has compromised the personal information of thousands of healthcare workers. The breach involved approximately 240,000 email addresses linked to passport information, driver's licenses, birthdays, and social insurance numbers. The affected websites include Health Match BC, BC Care Aide and Community Health Worker Registry, and Locums for Rural BC.
Multiple attempts on retail chain
Cybercriminals launched a wave of credential-stuffing attacks on Hot Topic, an apparel retail chain, using stolen account credentials to access its rewards platform multiple times. The cyberattacks occurred on various dates between February and June 2023. While the company confirmed that it was not the source of the compromised credentials, it could not identify the origin. Potentially exposed information includes customers’ personal records, order history, shipping addresses, and partial payment card details.
AWS software used as RAT
Cybersecurity researchers at Mitiga uncovered a new post-exploitation technique in Amazon Web Services that lets attackers use the AWS Systems Manager (SSM) Agent as a remote access trojan on Windows and Linux hosts. The SSM Agent is a legitimate tool used by administrators, but an attacker who has already gained privileged access to an endpoint with the agent installed can repurpose it, for example by re-registering it to an AWS account they control. This gives them persistent, cloud-brokered access to the host and the ability to run commands through it, with the traffic blending in with normal AWS management activity.
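Two host-side signals a responder can check for a hijacked agent are the agent's local registration record and the set of running agent processes. The script below is an added example, not code from Cyware, Mitiga or AWS; the registration-file path and its JSON layout (a `ManagedInstanceID` that starts with `mi-` for hybrid activations versus `i-` for native EC2 instances, plus a `Region`) reflect the Linux SSM Agent as I understand it, and the trusted binary path, the sample registration record and the `ps` lines are constructed assumptions that should be adjusted to the fleet being examined.

```python
"""Flag an SSM Agent that looks re-registered to a foreign AWS account.

Added example, not the page's or Mitiga's code. It checks two signals on a
Linux host: the agent's registration record and the agent processes in a
`ps -eo pid,user,args` listing. Paths and formats are assumptions.
"""
import json
import os
import re

# Assumed location of the hybrid-activation registration record on Linux.
REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"

# Assumed install path of the distro package's agent binary.
TRUSTED_AGENT_BINS = ("/usr/bin/amazon-ssm-agent",)

# Constructed sample of the record after an attacker ran
# `amazon-ssm-agent -register -code ... -id ... -region ...` with an
# activation from their own account. A native EC2 instance carries an
# "i-" instance ID, not an "mi-" hybrid managed-instance ID.
SAMPLE_REGISTRATION = (
    '{"ManagedInstanceID":"mi-0123456789abcdef0","Region":"eu-west-3"}'
)

# Constructed `ps -eo pid,user,args` output for the same host: the packaged
# agent is still running, and a second copy from /tmp was started with
# -register to hijack the host.
SAMPLE_PS = """\
  832 root     /usr/bin/amazon-ssm-agent
 4419 root     /tmp/.x/amazon-ssm-agent -register -code QWERTY -id 1234 -region eu-west-3
 4420 root     /usr/bin/ssm-session-worker session-1 i-0abc
"""


def check_registration(raw, expected_region, ec2_host=True):
    """Return findings for a registration record (empty list = nothing odd)."""
    findings = []
    try:
        rec = json.loads(raw)
    except ValueError:
        return ["registration record is not valid JSON"]
    mid = rec.get("ManagedInstanceID", "")
    region = rec.get("Region", "")
    # An EC2 host should never hold a hybrid (mi-) managed-instance ID.
    if ec2_host and mid.startswith("mi-"):
        findings.append(f"EC2 host registered as hybrid managed instance {mid}")
    # The attacker's activation can live in any region, so a mismatch with
    # the region the host was built in is a second independent signal.
    if region and region != expected_region:
        findings.append(f"agent registered in {region}, expected {expected_region}")
    return findings


# pid, user, then the agent binary path, then its arguments.
AGENT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S*amazon-ssm-agent)(.*)$")


def check_processes(ps_output, trusted_bins=TRUSTED_AGENT_BINS):
    """Return findings for agent processes in a `ps -eo pid,user,args` dump."""
    findings = []
    agent_pids = []
    for line in ps_output.splitlines():
        m = AGENT_RE.match(line)
        if not m:
            continue
        pid, _user, path, args = m.groups()
        agent_pids.append(pid)
        if path not in trusted_bins:
            findings.append(f"pid {pid}: agent binary at untrusted path {path}")
        if "-register" in args.split():
            findings.append(f"pid {pid}: agent invoked with -register")
    if len(agent_pids) > 1:
        findings.append(f"{len(agent_pids)} agent processes running (expected 1)")
    return findings


if __name__ == "__main__":
    # Use the real record when run on a host, else the constructed sample.
    if os.path.exists(REGISTRATION_PATH):
        with open(REGISTRATION_PATH) as fh:
            raw = fh.read()
    else:
        raw = SAMPLE_REGISTRATION
    for f in check_registration(raw, expected_region="us-east-1"):
        print("registration:", f)
    for f in check_processes(SAMPLE_PS):
        print("process:", f)
```

Run on a live host, replace `SAMPLE_PS` with the output of `ps -eo pid,user,args`; in the cloud, pair these host checks with CloudTrail, where an agent being enrolled through a hybrid activation produces SSM API activity in the account that issued the activation rather than in yours, so the local record is often the first place the hijack is visible.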
APT31 hits Europe using new malware
Chinese state-sponsored APT31 has been observed targeting industrial organizations with a new malware tool capable of stealing data from air-gapped systems. The multi-stage attacks, which began in April 2022, involve the use of distinct implants for each stage. The malware used in the attacks has four modules that profile removable drives, infect them, collect data, and upload it to the attackers' command and control servers.
Firefox 116 out with fixes
Mozilla released Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, patching multiple high-severity vulnerabilities, including memory safety bugs. Among the issues addressed are a cross-origin restrictions bypass, incorrect value usage during WASM compilation, and permission request bypass via clickjacking. Other vulnerabilities include out-of-bounds read, race conditions, and stack buffer overflow, potentially leading to crashes, use-after-free, or sandbox escape.
Salesforce zero-day under attack
A sophisticated Facebook phishing campaign was observed exploiting a zero-day flaw in Salesforce's email services to craft targeted phishing messages that used the company's domain name and infrastructure. The phishing emails appeared to come from Meta but were sent from a "@salesforce.com" address, claiming that recipients' Facebook accounts were under investigation. After responsible disclosure, Salesforce fixed the vulnerability so that its email addresses can no longer be abused this way.