Cyware Daily Threat Intelligence
Daily Threat Briefing • Dec 12, 2023
Using navigation in Google Maps for Android could lead to data compromise. A lock screen bypass flaw affecting the latest Android versions could expose sensitive data in users' Google accounts, and the impact is greater when Driving Mode is active. Insider threats are also on the rise: a recent CrowdStrike report found that 55% of insider threats relied on privilege escalation exploits. More worrying, even on patched systems, individuals with insider access can still acquire elevated privileges through other methods.
The Lazarus APT group is back with a fresh set of tactics under the banner Operation Blacksmith. Security researchers have reported the threat actor abusing the Log4Shell vulnerability to deploy three new malware families, including two RATs. Manufacturing, agricultural, and physical security companies worldwide are its prime targets.
LockBit group claims attack on healthcare entity
Medical device manufacturer LivaNova PLC is reportedly the latest victim of a cyberattack orchestrated by the LockBit ransomware group. The attack, detected on December 9, 2023, allegedly exposed 2.2TB of sensitive data, including product specifications, employee information, and financial documents. The threat actor has posted the stolen data on its leak site and set a deadline for full public release.
Toyota exposes sensitive customer data
Toyota Financial Services (TFS) warned customers about a November data breach, confirming that sensitive personal and financial information was exposed through unauthorized access to some of its systems in Europe and Africa. The Medusa ransomware group claimed responsibility for the attack and demanded an $8 million ransom. Negotiations evidently failed, as the stolen data, including names, addresses, contact information, and bank account details, is now available on the attackers' extortion portal.
Americold confirms ransomware attack
Cold storage giant Americold confirmed that a cyberattack in April affected nearly 130,000 people. While the company did not explicitly mention ransomware, it stated that the incident involved the deployment of malware on certain systems. The breach exposed sensitive information, including names, addresses, SSNs, financial account details, and health insurance information. This is the second cyberattack Americold has faced within three years.
Fake job applicants drop backdoor
Recruiters are falling prey to spear-phishing attacks by a threat actor tracked as TA4557, which masquerades as a job applicant. The attackers open with an innocuous email inquiring about the availability of a position. Follow-up emails provide links to fake resume websites, which lead to the download of a ZIP file containing a malicious Windows shortcut file (LNK). Once executed, the shortcut carries out a chain of actions that ultimately drops a backdoor onto the victim's system.
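A mail-gateway or sandbox check for the ZIP-with-LNK delivery stage described above, as an added example (not code from the original briefing or from any vendor report on TA4557). It flags archive members by the `.lnk` extension and, independently, by the Windows shell link header (HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}), so it both catches double-extension names like `Resume.pdf.lnk` and reports whether a `.lnk`-named entry really is a shortcut. The sample archive is constructed inline and is not a real TA4557 attachment.

```python
from __future__ import annotations

import io
import zipfile

# Windows shell link (.LNK) file header as stored on disk:
#   HeaderSize = 0x0000004C (little-endian)
#   LinkCLSID  = {00021401-0000-0000-C000-000000000046}
# The GUID's first three fields are little-endian, the last eight bytes are as written.
LNK_MAGIC = bytes.fromhex("4c000000 01140200 0000 0000 c000000000000046")


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a shell link.

    Each finding records whether the entry matched by file extension, by the
    LNK header magic, or both. An extension match with no magic match is still
    reported (it would be unusual for a legitimate resume archive), but the
    'by_magic' flag lets downstream triage weigh the two signals separately.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            by_ext = info.filename.lower().endswith(".lnk")
            by_magic = head == LNK_MAGIC
            if by_ext or by_magic:
                findings.append({
                    "name": info.filename,
                    "by_ext": by_ext,
                    "by_magic": by_magic,
                    "size": info.file_size,
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not a real sample): a decoy PDF, a
    double-extension shortcut with a genuine LNK header, and a '.lnk'-named
    entry whose contents are not actually a shell link."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56  # pad to the 76-byte ShellLinkHeader
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cover_letter.pdf", b"%PDF-1.4\n% constructed decoy, no LNK content\n")
        zf.writestr("Resume.pdf.lnk", fake_lnk)
        zf.writestr("Resume.lnk", b"this is plain text, not a shortcut")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f"{f['name']}: ext={f['by_ext']} magic={f['by_magic']} size={f['size']}")
```

Matching on the header rather than the name alone also means the check is not fooled by mixed-case or Unicode-decorated extensions; in production you would apply the same scan recursively to nested archives and to ISO/IMG containers, which the example does not do.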
Lazarus APT deploys new malware strain
North Korean hacking group Lazarus was spotted leveraging the Log4Shell vulnerability to deploy three new malware families written in the D programming language. The malware includes two RATs, named NineRAT and DLRAT, as well as a malware downloader named BottomLoader. This campaign, dubbed Operation Blacksmith, began around March and targets manufacturing, agricultural, and physical security companies globally.
Apple releases iOS and iPadOS updates
Apple has released iOS 17.2 and iPadOS 17.2, addressing at least 11 documented security vulnerabilities. Some of these flaws are deemed serious and could lead to arbitrary code execution or app sandbox escapes. The security patches cover issues in ImageIO, WebKit rendering engine, Accounts, AVEVideoEncoder, Extension Kit, and Siri. Apple also released iOS 16.7.3 and iPadOS 16.7.3 for older devices, including fixes for previously documented WebKit zero-days that were exploited in the wild.
Lock screen bypass bug affects Android 14 and 13
Security researcher Jose Rodriguez has identified a lock screen bypass vulnerability in Android 14 and 13, allowing an attacker with physical access to a device to access photos, contacts, browsing history, and more. Rodriguez reported the issue to Google in May, and as of the end of November, there was no scheduled date for a security update. The impact varies depending on the user's installation and configuration of Google Maps, with severity increasing if DRIVING MODE is activated.
Insider threats leverage privilege escalation
A report by CrowdStrike highlights the growing threat of insider attacks, finding that 55% of insider threats relied on privilege escalation exploits. Through these exploits, insiders gain administrative privileges that let them perform actions their accounts are not authorized for. The report identifies several commonly exploited local privilege escalation flaws, including CVE-2017-0213, CVE-2022-0847 (DirtyPipe), CVE-2021-4034 (PwnKit), CVE-2019-13272, CVE-2015-1701, and CVE-2014-4113.
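An added triage helper for one of the flaws named above, CVE-2022-0847 (DirtyPipe), written for this page rather than taken from the CrowdStrike report. It classifies a `uname -r` string against the upstream version history of the bug (introduced in 5.8; fixed in the 5.10.102, 5.15.25 and 5.16.11 stable releases and in 5.17 onward). The host inventory in `main` is constructed sample data. The caveat in the docstring matters: distribution kernels such as Ubuntu's 5.15.0-xx series backport fixes without changing the upstream version, so a "vulnerable-by-version" result means "check the vendor changelog", not "confirmed exploitable".

```python
from __future__ import annotations

import re

# CVE-2022-0847 (DirtyPipe) upstream history: introduced in 5.8, fixed in the
# listed stable branches at the given patch level, and in everything from 5.17 on.
DIRTYPIPE_INTRODUCED = (5, 8, 0)
DIRTYPIPE_FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
DIRTYPIPE_FIXED_FROM = (5, 17, 0)


def parse_kernel_version(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as
    '5.15.0-91-generic' or '5.10.102-1'. A missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirtypipe_status(release: str) -> str:
    """Classify a kernel by upstream version only.

    Returns 'not affected' (older than 5.8), 'fixed' (at or past a known fix
    point) or 'vulnerable-by-version'. The last value is a triage hint, not a
    verdict: vendors backport the fix without bumping the upstream version, so
    confirm against the distribution's security changelog before escalating.
    """
    v = parse_kernel_version(release)
    if v < DIRTYPIPE_INTRODUCED:
        return "not affected"
    if v >= DIRTYPIPE_FIXED_FROM:
        return "fixed"
    branch = v[:2]
    if branch in DIRTYPIPE_FIXED_IN and v[2] >= DIRTYPIPE_FIXED_IN[branch]:
        return "fixed"
    # 5.8 .. 5.16 branches with no listed fix point (5.11-5.14 went EOL before
    # the fix) or below the fix point on a listed branch.
    return "vulnerable-by-version"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host name -> DirtyPipe status for a {host: uname -r} inventory."""
    return {host: dirtypipe_status(release) for host, release in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    sample = {
        "build-01": "5.4.0-150-generic",
        "db-02": "5.10.101-1",
        "db-03": "5.10.102-1",
        "web-04": "5.15.0-91-generic",
        "ci-05": "5.13.19",
        "lab-06": "6.1.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:8s} {sample[host]:20s} {status}")
```

PwnKit (CVE-2021-4034) cannot be triaged the same way, because the polkit fix was backported to many existing package versions; for that one the practical host check is whether `/usr/bin/pkexec` is still installed setuid root, and the widely recommended interim mitigation was removing the setuid bit.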
WordPress plugin flaw allows RCE
A critical vulnerability has been discovered in the Backup Migration WordPress plugin, affecting versions up to and including 1.3.6 and exposing more than 90,000 installations. Tracked as CVE-2023-6553, the flaw allows unauthenticated attackers to execute arbitrary code remotely and take full control of vulnerable websites. Although a patched release is available, nearly 50,000 WordPress sites remain on vulnerable versions, underscoring the importance of timely updates.
ICS Patch Tuesday: multiple advisories out
Siemens and Schneider Electric have issued their Patch Tuesday advisories for December 2023, addressing multiple vulnerabilities across their respective product lines. Siemens published 12 advisories covering over 30 vulnerabilities, including critical and high-severity flaws affecting products such as LOGO! V8.3 BM controllers, Sinec INS, Scalance M-800/S615, Sinumerik ONE and MC, Simatic S7-1500, Sinamics S210 and S120, and User Management Component (UMC). Schneider Electric released three advisories detailing four vulnerabilities; the most severe is a critical flaw in the Redis database used by the Plant iT/Brewmaxx process control system.