Cyware Daily Threat Intelligence

Daily Threat Briefing Dec 19, 2023

In the ever-evolving landscape of cyber threats, the PikaBot malware loader has taken on a new guise, shifting from malspam campaigns to a malvertising strategy, specifically to target users in search of legitimate software. The loader is associated with threat actor TA577. Additionally, the China-linked 8220 Gang is on a different attack expedition to deploy stealers and crypto-mining malware by abusing a high-severity Oracle WebLogic Server bug. The campaign targets various sectors, including healthcare and financial services, globally.

Technical details have been revealed about two already addressed security flaws in Microsoft Windows that could be chained together to achieve remote code execution on Outlook without user interaction. Patch now! Also, watch out for this new YouTube scam.

Top Breaches Reported in the Last 24 Hours

Xfinity breach impacts 35 million

Comcast's Xfinity disclosed a data breach after attackers breached one of its Citrix servers in October. The breach, which involved the exploitation of the Citrix Bleed vulnerability (CVE-2023-4966), led to the exfiltration of data belonging to 35,879,455 customers. The stolen data includes usernames and hashed passwords, and for some customers, additional information such as names, contact information, last four digits of social security numbers, dates of birth, and secret questions and answers.

Mortgage firm exposes data trove of millions

Mortgage company Mr. Cooper confirmed a data breach that exposed the personal information of over 14.6 million customers. The breach, detected on October 31, involved unauthorized access to certain systems. The compromised customer information includes names, addresses, phone numbers, SSNs, dates of birth, and bank account numbers. In response, the company immediately shut down systems and changed account passwords.

Ransomware cripples cloud service provider

Italian cloud service provider Westpole suffered an alleged ransomware attack by the Lockbit 3.0 operators, impacting Westpole's client PA Digitale, which provides services to various local and government organizations. The incident paralyzed services for many public administrations and municipalities. The Italian cybersecurity agency is working to recover data for the affected entities, while the extent of the damage remains uncertain.

VF Corporation files data theft report

VF Corporation, owner of popular apparel brands such as Supreme, Vans, Timberland, and The North Face, disclosed that cybercriminals accessed personal information while encrypting some of its IT systems. The company is still assessing the extent of the security breach and its potential impact on financials and operations. The incident is likely to have a material impact on VF Corporation's business operations until recovery efforts are completed.

Over 70% of gas stations affected

A hacking group known as Gonjeshke Darande, or Predatory Sparrow, associated with Israel, claimed responsibility for a cyberattack that disrupted gas stations across Iran. The group stated that it targeted payment systems, central servers, and management systems, causing significant operational disruption. Iranian state media reported that nearly 70% of gas stations were affected.

Top Malware Reported in the Last 24 Hours

PikaBot malware delivered via malvertising

PikaBot, a malware loader, is being distributed through a malvertising campaign that targets users searching for legitimate software, such as AnyDesk. The malvertising campaign involves a fake Google ad for AnyDesk, leading to a website that hosts the malicious installer. The attackers use fingerprinting techniques to redirect only clean IP addresses to the next attack stage. The malware functions both as a loader and a backdoor.

Top Vulnerabilities Reported in the Last 24 Hours

8220 Gang exploits Oracle WebLogic Server bug

Threat actors associated with the 8220 Gang reportedly exploited a high-severity flaw in the Oracle WebLogic Server to propagate malware. The security vulnerability, CVE-2020-14883 (CVSS score: 7.2), allows remote authenticated attackers to execute code on vulnerable servers. Attackers deploy stealer and coin mining malware, such as Agent Tesla, rhajk, and nasqa. The campaign targets the healthcare, telecommunications, and financial services sectors in various countries.

Chained vulnerabilities in Windows allow RCE

Technical details have emerged about two now-patched security flaws—CVE-2023-35384 and CVE-2023-36710—in Microsoft Windows that could be chained by threat actors to achieve RCE on the Outlook email service without any user interaction. Akamai security researcher Ben Barnea, who discovered the flaws, highlighted that an attacker on the internet can chain the vulnerabilities to create a full, zero-click RCE exploit against Outlook clients.

Critical bug in Perforce Helix Core

Microsoft's security review of Perforce Helix Core laid bare four vulnerabilities, with one rated critical. The flaws, including unauthenticated remote code execution as LocalSystem, can potentially lead to arbitrary code execution and denial of service attacks. While there's no evidence of exploitation in the wild, the severity of the vulnerabilities necessitates prompt action, especially in sectors like gaming, government, military, and technology relying on the Perforce solution.

Top Scams Reported in the Last 24 Hours

Scammers lure victims with remote jobs

Researchers at Bitdefender Labs discovered a scam in which fake remote job listings promise internet users payment for simply liking YouTube videos. The scammers gain victims' trust by actually paying small amounts initially, then lure them into joining a VIP group that promises higher returns. To join the VIP group, victims are asked to pay a fee, after which the communication stops.