
Cyware Daily Threat Intelligence


Daily Threat Briefing Aug 28, 2023

The rising number of attacks on spyware apps continues to highlight the risk of destructive attacks on their users. In the latest event, a threat actor breached WebDetetive spyware, which had compromised 76,000 Android phones in South America, and deleted the victims' devices from the spyware network. More on malware threats - KmsdBot has been upgraded to target IoT devices, adding Telnet scanning and support for a wider range of CPU architectures. The actively maintained botnet now poses a threat beyond gaming servers and relies on default credentials that are commonly left unchanged.

A significant security flaw within Microsoft Power Platform has also been exposed by security researchers. This flaw involved a vulnerability in an Azure AD application that enabled attackers to achieve privilege escalation through the takeover of reply URLs.

Top Breaches Reported in the Last 24 Hours

SIM swapping attack on Kroll employee

A cybercriminal performed a highly sophisticated SIM-swapping attack on a T-Mobile account owned by an employee of Kroll. Apparently, T-Mobile transferred the employee's phone number to the attacker. As a result, the attacker gained access to the personal information of bankruptcy claimants associated with BlockFi, FTX, and Genesis. While the matter is still under investigation, Kroll asserted that no other systems or accounts suffered any harm.

Ransomware targets medical holdings firm

The Rhysida ransomware group has admitted to orchestrating a large-scale cyberattack on U.S. healthcare company Prospect Medical Holdings (PMH), responsible for operating multiple hospitals and outpatient clinics. The attack resulted in the theft of 500,000 SSNs, corporate documents, and patient records and led to network shutdowns. The group threatens to sell the stolen data for 50 Bitcoins (approximately $1.3 million) on its data leak site.

History museum and research center suffered data breach

Ohio History Connection (OHC), responsible for managing Ohio's primary history museum and various historical sites, disclosed a ransomware attack that led to the theft and subsequent online posting of personal information belonging to numerous individuals. The LockBit ransomware group claimed to have exfiltrated this data from OHC's internal servers. The stolen information encompasses names, addresses, and SSNs of both current and former employees, as well as third-party vendors.

Poland railway network disrupted

Poland's security agency and national police are looking into a hacking incident on the state's railway network. The attack disrupted rail traffic overnight and was attributed to unauthorized usage of the system controlling rail traffic. The attack is suspected to be part of broader offensive cyber activities conducted by Russia and Belarus. Saboteurs used "radio-stop" commands to trigger emergency stops in targeted trains, exploiting the lack of encryption or authentication in Poland's railway radio system.

Top Malware Reported in the Last 24 Hours

KmsdBot malware actors target IoT Devices

KmsdBot, a malware botnet previously known for targeting private gaming servers and cloud hosting providers, has evolved to target IoT devices. The updated version adds Telnet scanning and support for more of the CPU architectures commonly found in IoT hardware. This expanded capability lets the botnet reach a much wider range of devices by abusing the weak passwords and unchanged default credentials that are typical of them.

Top malware loaders in H1

ReliaQuest has identified the top malware loaders that have been causing trouble for SOC teams. These loaders are often used by threat actors to gain initial access to a network and drop payloads for further exploitation. The top seven most observed malware loaders from January 1 to July 31, 2023, include QakBot, SocGholish, Raspberry Robin, Gootloader, Guloader, Chromeloader, and Ursnif. The presence of these loaders doesn't necessarily mean compromise; many were detected and stopped at an early stage in the kill chain.

WebDetetive spyware compromises Android devices

WebDetetive, a Portuguese-language spyware, has been breached by hackers who gained access to the company's servers and user databases. The compromised data, covering over 76,000 infected Android phones across South America, exposed customers' email addresses, purchase history, device data, and more. The hackers claimed to have deleted victim devices from the spyware network. Much of WebDetetive's code can be traced back to another spyware app called OwnSpy.

Top Vulnerabilities Reported in the Last 24 Hours

More details out on Juniper Networks bugs

Security researchers have delved into the RCE vulnerabilities affecting Juniper Networks' SRX firewalls and EX switches. The flaws were divided into two categories according to their impact. The researchers successfully exploited the flaws and automated the whole process in a PoC exploit. Now that a PoC exploit exists, experts anticipate the vulnerabilities could be exploited on a larger scale, given the critical role Junos OS devices play in networks.

Critical issue in Microsoft Power Platform

Security researchers have uncovered a critical vulnerability in Microsoft Power Platform that could allow threat actors to carry out privilege escalation attacks. The vulnerability, known as a reply URL takeover bug, was discovered by Secureworks in an Azure Active Directory (AD) application related to the low-code Power Platform. While Microsoft addressed the issue within 24 hours of discovery, users are being urged to monitor for abandoned reply URLs as a precaution.
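As an added illustration of the "monitor for abandoned reply URLs" advice (this is not code from Cyware, Secureworks or Microsoft), the following Python check walks an export of app registrations and flags any reply URL whose hostname no longer resolves or is not served over HTTPS. The JSON shape mirrors `az ad app list` output, which is an assumption, and the two sample apps are constructed.

```python
import json
import socket
from urllib.parse import urlparse

# Constructed sample shaped like `az ad app list` output; the web/spa/publicClient.redirectUris field names are assumed.
SAMPLE_APPS_JSON = """[
  {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "payroll-portal",
   "web": {"redirectUris": ["https://payroll.example.com/signin-oidc",
                            "https://old-payroll.azurewebsites.net/callback"]},
   "spa": {"redirectUris": ["http://localhost:3000/auth"]}},
  {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "field-app",
   "publicClient": {"redirectUris": ["msalabc123://auth", "http://legacy.example.com/cb"]}}
]"""
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def load_sample():
    return json.loads(SAMPLE_APPS_JSON)

def collect_reply_urls(apps):
    """Yield (app name, reply URL) for every redirect URI in every platform block."""
    for app in apps:
        name = app.get("displayName") or app.get("appId", "?")
        for section in ("web", "spa", "publicClient"):
            for url in (app.get(section) or {}).get("redirectUris") or []:
                yield name, url

def host_resolves(hostname):
    """True if DNS still answers for the hostname; NXDOMAIN is the abandoned case."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(apps, resolver=host_resolves):
    """Return (app, url, reason) for reply URLs that no longer resolve or are not HTTPS.
    Custom app schemes and loopback URLs are skipped: nobody can claim those by
    registering a hostname. `resolver` is injectable so the check can run offline."""
    findings = []
    for name, url in collect_reply_urls(apps):
        parsed = urlparse(url)
        host = parsed.hostname
        if parsed.scheme not in ("http", "https") or not host or host in LOCAL_HOSTS:
            continue
        if parsed.scheme != "https":
            findings.append((name, url, "reply URL is not HTTPS"))
        if not resolver(host):
            findings.append((name, url, "hostname does not resolve; abandoned reply URL"))
    return findings
```

Running `find_dangling(load_sample())` uses live DNS; a hostname that returns NXDOMAIN is the case to remove from the registration or re-register before anyone else can.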
