Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 31, 2023
China-linked threat actors were spotted running a spyware campaign whose victims are primarily in Germany, Poland, and the U.S., with activity potentially extending to other countries. The spyware is distributed via trojanized Signal and Telegram apps hosted on the Google Play Store and the Samsung Galaxy Store. In other news, a flaw in a popular WordPress data migration plugin lets users who should not have access manipulate the access-token settings of its cloud-storage extensions. This could allow attackers to redirect website migration data to their own cloud accounts or restore harmful backups.
A widespread package tracking text scam, run from China, is sweeping the U.S. The adversaries impersonate legitimate postal services, such as the USPS, Royal Mail, and Correos, with identity theft and credit card fraud as the end goal.
Fashion retailer informs victims
Forever 21, a fast fashion retailer, started informing roughly 540,000 customers impacted by a cyberattack on its infrastructure. The compromised files contained personal information, including names, birth dates, SSNs, bank account numbers, and health plan data. The company has no evidence that the stolen information was misused for fraud or identity theft.
Ransomware attack strikes electricity organization
The LockBit ransomware group made headlines yet again with an attack on the Commission des services électriques de Montréal (CSEM). The 100-year-old municipal entity responsible for managing Montreal's electrical infrastructure suffered a ransomware attack on August 3. The attackers threatened to leak stolen data on the same day they claimed responsibility. The victim organization said that its IT infrastructure has already been rebuilt.
Paramount Global exposes individual’s PII
Entertainment giant Paramount Global has reported a data breach, revealing that attackers accessed Personally Identifiable Information (PII). The breach occurred between May and June, with fewer than 100 individuals affected. Stolen data may include names, dates of birth, Social Security numbers, and other government-issued identification details. While specific details remain undisclosed, the company stated that the breach was not caused by ransomware.
Spyware-laden Android Apps discovered
Malicious Android apps impersonating Signal and Telegram have been identified in a campaign distributing the BadBazaar spyware via Google Play Store and Samsung Galaxy Store. Slovakian firm ESET attributes the operation to the China-linked group GREF. The spyware-laden apps, Signal Plus Messenger and FlyGram, gather personal data, including call logs and SMS messages, and link the victim's smartphone to the attacker's Signal account for covert surveillance.
Malware evades detection via ghost files
Deep Instinct security researcher Daniel Avinoam uncovered a novel malware detection evasion technique that abuses the Windows Container Isolation Framework. Microsoft's container architecture uses dynamically generated images to separate file systems and conserve space. Avinoam's concept relies on "ghost files" in these images: entries that hold no data of their own but point to a file on another system volume, which confuses security solutions that inspect the file at its apparent location. By fabricating such a container image, files on the host can be manipulated without triggering security alerts.
Severe flaw in WordPress plugin
All-in-One WP Migration, a WordPress plugin with over 5 million active installations, was found to be affected by a serious security vulnerability that could lead to unauthorized access and data breaches. By exploiting the vulnerability, an attacker could compromise user details, website data, and proprietary information. The issue, tracked as CVE-2023-40004, specifically affects the premium extensions for third-party cloud storage platforms such as Box, Google Drive, OneDrive, and Dropbox.
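The class of bug described above, a settings handler that lets users who should not have access change the cloud-storage token, is in WordPress terms a missing authorization check. The following is an added illustration of the vulnerable pattern beside its hardened form; it was written for this briefing and is not the plugin's code, and the option name, hook, action name and admin page are hypothetical.

```php
<?php
// Added illustration (not the plugin's own code). The option name
// 'example_cloud_token', the action 'example_save_cloud_token' and the
// admin page 'example-cloud' are hypothetical.

// Vulnerable pattern: a handler hooked on 'init' runs on every request,
// and nothing checks who is sending it or whether the request was intended.
// Any request carrying a cloud_token field rewrites the stored token.
add_action('init', function () {
    if (isset($_POST['cloud_token'])) {
        update_option(
            'example_cloud_token',
            sanitize_text_field(wp_unslash($_POST['cloud_token']))
        );
    }
});

// Hardened pattern: expose the handler only through admin-post, require the
// capability that should govern this setting, and verify a nonce so the
// request originated from the plugin's own settings form (CSRF protection).
add_action('admin_post_example_save_cloud_token', function () {
    // Authorization: the actual fix for "unauthorized users can change tokens".
    if (!current_user_can('manage_options')) {
        wp_die('Sorry, you are not allowed to change this setting.', 403);
    }
    // Request-origin check; dies on a missing or invalid nonce.
    check_admin_referer('example_save_cloud_token');

    $token = isset($_POST['cloud_token'])
        ? sanitize_text_field(wp_unslash($_POST['cloud_token']))
        : '';
    update_option('example_cloud_token', $token);

    wp_safe_redirect(admin_url('admin.php?page=example-cloud&saved=1'));
    exit;
});

// The matching form must emit the nonce field, e.g. inside the settings page:
//   <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
//     <input type="hidden" name="action" value="example_save_cloud_token">
//     <?php wp_nonce_field('example_save_cloud_token'); ?>
//     <input type="text" name="cloud_token">
//   </form>
```

The nonce alone is not authorization: it only proves the request came from a page the site rendered for that user. The `current_user_can()` check is what stops a low-privileged account from rewriting the token, and both are needed.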
Flawed ArubaOS switches
Several vulnerabilities have been identified in ArubaOS-Switch switches that could allow unauthenticated threat actors to carry out stored XSS attacks, execute arbitrary code, and cause a DoS condition. The flaws, CVE-2023-39266, CVE-2023-39267, and CVE-2023-39268, have been fixed in updated software for a number of switch series, while for some models the only remediation is upgrading to a newer software version.
Package tracking scam against U.S. citizens
Security firm Resecurity has identified a substantial smishing campaign, primarily targeting U.S. citizens, that uses iMessage to deliver package tracking scams. The group, dubbed the Smishing Triad, consists of Chinese-speaking cybercriminals who impersonate legitimate postal services such as USPS, Royal Mail, and Correos. Victims receive deceptive iMessage texts encouraging them to provide personal and payment information. The stolen data is then used for identity theft and credit card fraud.
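The lure pattern described above (a postal brand named in the text, a link that does not go to that brand's domain, and pressure to fix a delivery problem or pay a fee) is mechanical enough to triage automatically. Below is an added example of such a heuristic, written for this briefing and not Resecurity's tooling: the brand allowlist, scoring weights and sample messages are constructed for the demo, and the registered-domain logic is deliberately naive (no Public Suffix List).

```python
"""Heuristic triage for package-delivery smishing lures (added example).

Scores a text message on whether it mentions a postal brand while linking
somewhere other than that brand's official domain, plus the usual
redelivery / fee pressure phrases. Allowlist and samples are constructed.
"""
import re
from urllib.parse import urlparse

# Assumed allowlist of official registered domains per impersonated brand (demo data).
OFFICIAL_DOMAINS = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
    "correos": {"correos.es"},
}

# Full URLs first, then bare domains such as "royalmail-fee.com/pay".
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)
# Delivery-problem pressure phrases typical of these lures.
LURE_RE = re.compile(
    r"\b(redeliver(?:y)?|reschedule|customs|held|unable to deliver|incomplete address|suspended)\b", re.I)
# Requests for money or card details.
PAY_RE = re.compile(r"\b(pay|payment|card|fee)\b", re.I)


def registered_domain(host):
    """Last two labels of the hostname. A real deployment would consult the
    Public Suffix List (co.uk and friends); kept naive for the demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def extract_hosts(message):
    """Return the hostnames of every URL or bare domain found in the message."""
    hosts = []
    for match in URL_RE.finditer(message):
        raw = match.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw          # let urlparse see a scheme
        host = urlparse(raw).hostname
        if host:
            hosts.append(host)
    return hosts


def triage(message):
    """Score a message; verdict is 'smishing' once the score reaches 3."""
    text = message.lower()
    hosts = extract_hosts(message)
    score, reasons = 0, []
    for brand, official in OFFICIAL_DOMAINS.items():
        if brand not in text:
            continue
        for host in hosts:
            if registered_domain(host) in official:
                continue                   # link really goes to the brand
            score += 3
            reasons.append(f"mentions {brand} but links to {host}")
            if brand.replace(" ", "") in host.lower():
                score += 1                 # brand name stuffed into a lookalike host
                reasons.append(f"lookalike hostname {host}")
    if LURE_RE.search(text):
        score += 1
        reasons.append("delivery-problem pressure phrase")
    if PAY_RE.search(text):
        score += 1
        reasons.append("asks for payment or card")
    verdict = "smishing" if score >= 3 else "clean"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages (not real captures).
SAMPLES = [
    "USPS: your package is held at our facility due to an incomplete address. "
    "Update it within 24h: https://usps-redelivery-track.top/id/8831",
    "USPS: your package was delivered. Track it at https://tools.usps.com/go/TrackConfirmAction",
    "Royal Mail: a parcel is waiting for a £1.99 customs fee. Pay now at royalmail-fee.com/pay",
    "Your dentist appointment is tomorrow at 10am.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = triage(sample)
        print(result["verdict"], result["score"], "; ".join(result["reasons"]))
```

The weighting makes the off-brand link the decisive signal: pressure phrases and payment requests alone never cross the threshold, which keeps a genuine "please update your address" notice from being flagged, while a brand-named message that links off-domain is flagged even without them.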
Phishing campaign warns of internet activity
Users in the Nordic countries are being targeted by a phishing campaign aimed at email addresses belonging to a range of user profiles. The campaign, dubbed the National Danish Police phishing attack, uses social engineering: the email carries a purported summons and a PDF describing the legal consequences of the recipient's internet activity. The email was sent from a Danish (.dk) domain associated with the work email address of an alleged member of the Danish General Court.