
Cyware Daily Threat Intelligence


Daily Threat Briefing Aug 29, 2023

Typosquatters are back with a new scheme. Cybersecurity experts found the Rust package registry Crates.io caught up in a fresh incident in which attackers aimed to harvest credentials and sensitive data from infected systems. Meanwhile, government entities and businesses of every size face heightened risk from numerous arbitrary code execution vulnerabilities reported in ChromeOS. Users with lower privileges may see reduced impact compared to those with administrative access, so organizations were advised to run software as a non-privileged user to minimize the impact of a successful exploit.

In parallel, Magecart attacks have come a long way. A recent campaign aimed at OpenCart websites showed threat actors developing an interest in backend PHP infections rather than traditional JavaScript infections. They also extracted personal information such as the victim's user agent, card details, email address, and more.

Top Breaches Reported in the Last 24 Hours

Medical meal delivery service suffers data incident

PurFoods, operating as Mom's Meals, disclosed a ransomware breach involving the personal information of 1.2 million customers and employees. The breach occurred between January 16 and February 22, during which sensitive data was accessed. It affects recipients of Mom's Meals packages, current and former employees, and independent contractors, exposing their SSNs, financial account information, medical records, and other sensitive information.

London police systems blurt out data

The Metropolitan Police Service in London is investigating a breach of one of its suppliers, which allegedly exposed sensitive details of police officers. The breach involved a company responsible for printing the force's warrant cards, which serve as proof of an officer's identity and authority. While personal details like names, photographs, and ranks may have been exposed, the supplier didn't store addresses or phone numbers.

Ransomware hits Spanish police

The National Police of Spain is alerting the public to an ongoing LockBit Locker ransomware campaign that uses phishing emails to target architecture firms throughout the nation. The effort is described as highly sophisticated because victims notice nothing until their terminals are encrypted. The emails pretend to come from a photography company while actually originating from the nonexistent domain "fotoprix.eu." The ransomware group claims to be affiliated with the notorious LockBit ransomware operation.

Top Malware Reported in the Last 24 Hours

New 'MalDoc in PDF' attack technique

Japan CERT (JPCERT/CC) has uncovered a novel attack technique named 'MalDoc in PDF' that embeds a malicious Word file in a PDF document to evade detection. While the file appears to be a PDF, it can be opened in Word, where it executes malicious macros. Whitehat experts used a .doc file extension for this attack. Although the OLEVBA analysis tool can detect these malicious Word files, commonly used PDF analysis tools such as 'pdfid' might not identify the threat. JPCERT has shared detection details and a Yara rule in its report.
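As an added example (not code from JPCERT's report or its Yara rule), the Python check below flags the polyglot shape this technique relies on: a file that starts with a PDF header but carries a Word extension or Word-parsable content, especially after the PDF's `%%EOF`. The marker list, the file extensions, and the sample bytes are constructed assumptions for illustration.

```python
# Added example: triage check for 'MalDoc in PDF'-style polyglots.
# Not JPCERT's Yara rule; markers and samples below are assumptions.
import sys

PDF_MAGIC = b"%PDF-"
# Extensions Word opens; a PDF header behind one of these is itself suspicious.
WORD_EXTENSIONS = {"doc", "docm", "docx", "dot", "dotm", "rtf"}
# Byte markers hinting at Word/OLE/MHTML content inside the body (assumed list).
WORD_MARKERS = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file header
    b"MIME-Version:",                       # MHTML wrapper
    b"<w:WordDocument>",                    # Word XML / MHT body element
    b"Word.Document",                       # Word ProgID reference
)

def inspect_bytes(data: bytes, filename: str) -> list:
    """Return finding labels for one file's raw bytes and its name."""
    findings = []
    if not data.startswith(PDF_MAGIC):
        return findings  # not PDF-looking; outside this check's scope
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in WORD_EXTENSIONS:
        findings.append("pdf_header_with_word_extension")
    if any(m in data for m in WORD_MARKERS):
        findings.append("pdf_contains_word_markers")
    # Word-parsable content trailing the PDF's end marker is the polyglot tell.
    eof = data.rfind(b"%%EOF")
    if eof != -1 and any(m in data[eof:] for m in WORD_MARKERS):
        findings.append("word_content_after_pdf_eof")
    return findings

def inspect_file(path: str) -> list:
    with open(path, "rb") as fh:
        return inspect_bytes(fh.read(), path)

# Constructed samples (not real malware): a minimal PDF and a polyglot stub.
BENIGN_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF\n"
POLYGLOT = BENIGN_PDF + (b"MIME-Version: 1.0\nContent-Type: multipart/related\n"
                         b"<w:WordDocument>...</w:WordDocument>\n")

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, inspect_file(p) or ["clean"])
```

Because the check keys on the PDF header rather than the extension, it also catches the same polyglot delivered as a `.pdf`, which a pure extension filter would miss.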

Malware attack on Crates[.]io developers

The Crates.io Rust package registry was recently the target of a suspected malware campaign against developers. Attackers initially published benign packages and attempted to introduce malicious code later, aiming to exploit those who had downloaded them. The attackers may have intended to steal sensitive data or secrets. While quick detection and removal prevented further damage, the incident underscores the ongoing threat to developer credentials and sensitive data.

Magecart attack on OpenCart sites

Recent investigations into an attack on OpenCart platforms shed light on a malware strain embedded in a legitimate payment processing file. Hidden among empty lines of code, the malicious code collected credit card data, including numbers, names, addresses, and CVVs. Stolen data was encrypted and dumped into a directory on the compromised website itself, possibly to appear legitimate.

New Android banking threat in town

The Trend Micro team discovered a previously unseen Android banking trojan called MMRat that has targeted mobile users in Southeast Asia since late June. MMRat can capture user input and screen content and remotely control victim devices. The malware is primarily downloaded from phishing websites disguised as official app stores, although the exact method by which victims reach those sites is unclear. It uses a custom command-and-control protocol based on Protobuf (Protocol Buffers), an open-source data serialization format.

Top Vulnerabilities Reported in the Last 24 Hours

ChromeOS bugs pose code execution threats

Multiple vulnerabilities have been discovered in ChromeOS that could allow arbitrary code execution. Attackers could exploit these flaws to install programs, manipulate data, or create new accounts with full user rights. Affected versions are ChromeOS releases prior to 116.0.5845.120. Although no exploits are known to be in the wild, the risk varies across governments, businesses, and individuals. Google's response includes fixes in several areas, such as the affected AMD and Arm platforms, the Linux kernel, and Chrome browser security.

Kinsing operators abuse Openfire flaw

The Openfire vulnerability tracked as CVE-2023-32315 is being used in a new campaign to distribute Kinsing malware and a cryptominer, according to Aqua Nautilus. A path traversal attack enabled by this vulnerability gives an unauthorized user access to the Openfire setup environment, which in turn lets the threat actor upload malicious plugins and create a new admin user. The attacker can eventually gain full control of the victim's server.

Patched Citrix flaw faces exploitation

A threat actor linked to the FIN8 hacking group was found exploiting an RCE flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks. The security issue, CVE-2023-3519, was discovered in mid-July 2023 as an actively exploited flaw. By August, Shadowserver had found 640 webshells on compromised servers, a count that grew to 1,952 just two weeks later. Over 31,000 Citrix NetScaler instances remained vulnerable by mid-August.
