Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 22, 2023
A new threat is hovering over macOS devices in work environments in the form of an XLoader variant. This version of XLoader comes hidden within an Apple disk image labeled OfficeNote.dmg and is signed by the developer’s signature. In another revelation, cybersecurity experts have uncovered a new threat group launching supply chain attacks and infecting victims with PlugX malware. By compromising the code-signing certificates of legitimate software vendors, the group manages to distribute malicious software with authentic digital signatures, raising significant concerns about the security of software supply chains.
Over the past year, threat actors have misused Google ads to distribute malware, sometimes leading to ransomware attacks. There is yet another fake Amazon ad that traps victims in a loop by restoring previously closed malicious pages, reopening the scam.
Luxury watchmaker targeted
The BlackCat ransomware group claimed responsibility for a cyberattack on Japanese watchmaker Seiko. The luxury watch company confirmed a data breach after discovering unauthorized access to one of its servers. While the investigation is still in progress, the company has urged customers and business partners to reach out if they encounter any unexpected emails or notifications.
French town possibly hit by ransomware attack
The French town of Sartrouville has been recovering from a recent cyberattack that impacted city servers. Although the city's statement does not explicitly mention ransomware, the Medusa ransomware gang claimed responsibility for the attack and posted the city's details on its leak site. While the local police department was spared, the attackers gained access to sensitive financial information, budgets, banking details, medical records, and school data.
Cyberattack on Australian firm
Wholesale energy software provider Energy One disclosed a cyberattack, affecting certain corporate systems in Australia and the U.K. The attack, which occurred on August 18, led to a disconnect in its corporate and customer-facing systems. The initial attack vector and the attackers' identity remain unknown. The company is actively working to resolve the incident and provide updates as more information becomes available.
Online voting disrupted
Ecuador's national election faced challenges as citizens living abroad encountered difficulties while attempting to vote online. The country's election agency reported that cyberattacks originating from seven different countries—India, Bangladesh, Pakistan, Russia, Ukraine, Indonesia, and China—impacted the online voting system created for absentee voters. Approximately 120,000 Ecuadoreans living outside the country were registered to vote online, but many experienced access issues.
XLoader variant disguised as OfficeNote app
A fresh variant of the XLoader malware targeting Apple macOS has surfaced, masquerading as an OfficeNote app. This latest version sidesteps the limitations of earlier builds by being written in C and Objective-C instead of relying on Java. The disk image file containing the malware is signed with a signature that was revoked on July 17. XLoader is designed to harvest clipboard data and browser-related information, except from Safari.
Supply chain attack delivers PlugX
A novel threat cluster known as Carderbee was observed employing a software supply chain attack to distribute the PlugX malware. Targeting organizations primarily in Hong Kong, the attacks utilize a trojanized version of the legitimate software, EsafeNet Cobra DocGuard Client. The attackers exploit a Microsoft-signed certificate to deliver their payload, allowing for unauthorized access, command execution, keystroke capture, and more.
Adobe ColdFusion flaw under exploitation
CISA has added a critical security vulnerability affecting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of ongoing exploitation. The flaw, identified as CVE-2023-26359 with a CVSS score of 9.8, is a deserialization vulnerability present in ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). It could allow arbitrary code execution without requiring user interaction.
Urgent security patches by Ivanti
Ivanti issued critical patches to address a severe vulnerability in Ivanti Sentry. This vulnerability could be exploited by malicious actors to gain access to sensitive API data and configurations, execute system commands, or write files onto the system. Sentry versions 9.18 and earlier are affected by the flaw identified as CVE-2023-38035. Although the bug has a high CVSS score, the risk is lower for customers who don't expose port 8443 to the internet. Ivanti advises limiting access to internal networks.
Fake Amazon ad on Google search
A fraudulent advertisement disguised as a legitimate Amazon ad in Google search results has been found redirecting users to a tech support scam. The ad displayed Amazon's authentic URL; when clicked, however, it led users to a fake Microsoft Defender alert claiming their device was infected with malicious software. The tech support scam page would enter full-screen mode, making it difficult for users to leave without terminating the browser process.