
Cyware Daily Threat Intelligence

Daily Threat Briefing Feb 6, 2024

Multiple factory automation products by Mitsubishi Electric are vulnerable to high-severity flaws that could give an attacker high-privileged access to engineering workstations. Patches are pending; users are advised to implement general cybersecurity measures in the meantime. Additionally, QNAP Systems addressed two dozen security issues, including high-severity flaws allowing command execution. The vulnerabilities impact various QNAP products and require authentication for exploitation. There are no known attacks; patches are available on QNAP's security advisories page.

A significant cyber operation by ResumeLooters was found compromising several job search and retail websites across Asia Pacific. The campaign has infiltrated at least 65 websites, stealing over 2 million user records.

Top Breaches Reported in the Last 24 Hours

Breach puts millions at fraud risk

Viamedis, responsible for managing third-party payments for 84 top-up insurance providers, suffered a data breach affecting over 20 million individuals. The breach exposed sensitive information including names, SSNs, and insurance provider details. Although bank details were unaffected, the breach poses phishing risks. The impacted program has been disconnected, so some third-party payments may be affected.

HPE investigates alleged data breach

A threat actor, named IntelBroker, allegedly stole HPE credentials and sensitive data and offered it for a price. While no evidence of intrusion has been found, HPE has taken the claims seriously. The incident follows a recent disclosure of a breach in HPE's Microsoft Office 365 email environment by the Russian APT29 hacking group. HPE urges caution and continues its investigation. An update from HPE indicates that the data offered for sale was obtained from a test environment, not production systems.

Escalating API secret sprawl

Escape's security research team uncovered over 18,000 exposed API secrets, with 41% posing high financial risks. The findings, spanning diverse platforms such as Stripe, GitHub, and AWS, underline the growing challenge of API secret sprawl. GitGuardian's report noted a 67% surge in secret exposure on GitHub alone in 2023. Escape emphasized the need for comprehensive security measures that extend beyond code repositories.

Top Malware Reported in the Last 24 Hours

Info-stealer served via Facebook ads

During an investigation, Trustwave SpiderLabs uncovered Ov3r_Stealer, an infostealer distributed via Facebook ads and phishing emails. The malware targets credentials and crypto wallets and sends data to a monitored Telegram channel. Utilizing various distribution methods, including weaponized links and disguised PowerShell scripts, the malware establishes persistence and exfiltrates sensitive information like geolocation, passwords, and credit card details.

Top Vulnerabilities Reported in the Last 24 Hours

QNAP releases two dozen patches

Taiwan-based QNAP Systems issued patches for 24 vulnerabilities affecting various products, including two high-severity flaws enabling command execution. The two, CVE-2023-45025 and CVE-2023-39297, impact QTS, QuTS hero, and QuTScloud versions. One flaw allows RCE without authentication, while the other requires authentication. Additionally, QNAP addressed CVE-2023-47567 and CVE-2023-47568, both requiring admin authentication for exploitation and affecting the same products.

LFI bug in WordPress plugin

A Local File Inclusion (LFI) vulnerability was discovered in the Shield Security WordPress plugin, impacting versions up to 18.5.9. Tracked as CVE-2023-6989, the flaw allowed unauthenticated attackers to execute arbitrary PHP files on the server. This could be exploited by attackers who could upload PHP files but lacked direct access to execute them. The flaw reportedly stemmed from the insecure implementation of the plugin's file template rendering functionality.
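The class of bug described above, a template renderer that joins a caller-supplied name onto a directory without confining the result, is easiest to understand side by side with a confined version. The following is an added example, not code from the Shield Security plugin or from the advisory: it builds a constructed directory tree (a templates folder and a separate uploads folder), shows a naive join pulling in a file from the uploads folder via `../`, and shows a hardened resolver that allowlists template names and verifies the resolved path stays inside the template directory. Reading the file stands in for the PHP include the text describes; all paths, file names and the `ALLOWED` set are assumptions for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed demo layout (not the plugin's real paths):
#   <root>/templates/header.php   legitimate template
#   <root>/uploads/evil.php       attacker-controlled upload (placeholder content)


def make_demo_tree() -> Path:
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    (root / "templates").mkdir()
    (root / "uploads").mkdir()
    (root / "templates" / "header.php").write_text("<?php echo 'legit header'; ?>")
    (root / "uploads" / "evil.php").write_text("<?php /* attacker payload placeholder */ ?>")
    return root


def render_unsafe(template_dir: Path, name: str) -> str:
    # Vulnerable pattern: the user-controlled name is joined straight onto the
    # template directory, so "../" segments walk out of it. Reading the file
    # stands in for an include; in PHP this would execute it.
    path = Path(os.path.join(template_dir, name))
    return path.read_text()


# Hypothetical allowlist of template names the renderer is permitted to load.
ALLOWED = {"header.php", "footer.php"}


def render_safe(template_dir: Path, name: str) -> str:
    # Hardened: accept only a bare file name from the allowlist, then confirm the
    # resolved path still lies inside the template directory (defence in depth
    # against symlinks or a later change to the allowlist).
    base = Path(name).name  # drops any directory components
    if base != name or base not in ALLOWED:
        raise ValueError(f"template not allowed: {name!r}")
    resolved = (template_dir / base).resolve()
    if template_dir.resolve() not in resolved.parents:
        raise ValueError("template path escapes template directory")
    return resolved.read_text()


def demo() -> dict:
    root = make_demo_tree()
    tdir = root / "templates"
    traversal = "../uploads/evil.php"  # constructed traversal input

    unsafe_result = render_unsafe(tdir, traversal)  # succeeds: reads the upload

    try:
        render_safe(tdir, traversal)
        safe_blocked = False
    except ValueError:
        safe_blocked = True

    return {
        "unsafe_includes_upload": "attacker payload" in unsafe_result,
        "safe_blocked": safe_blocked,
        "safe_legit": render_safe(tdir, "header.php"),
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is what actually closes the hole; the containment check on the resolved path is a second line of defence, and the two together are the pattern to look for when reviewing any file-rendering code that accepts a name from a request.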

Critical flaws in Mitsubishi products

Mitsubishi Electric disclosed two potentially serious flaws in its Factory Automation (FA) products, including an authentication bypass and a critical RCE flaw. The impacted products include EZSocket, FR Configurator2, GT Designer3, GX and MT Works, MELSOFT Navigator, and MX. While patches are not yet available, users are advised to implement general cybersecurity measures. Additionally, CISA and Mitsubishi published advisories regarding another authentication bypass issue affecting MELSEC WS series Ethernet interface modules.

Mass exploitation of Ivanti SSRF bug

A critical SSRF vulnerability (CVE-2024-21893) in Ivanti Connect Secure and Policy Secure is being actively exploited by multiple attackers, allowing bypass of authentication and access to restricted resources. Initially flagged as a zero-day flaw on January 31, with limited exploitation, the threat has escalated with 170 distinct IP addresses targeting vulnerable devices. Nearly 22,500 Ivanti Connect Secure devices are exposed to the internet, according to ShadowServer.

Top Scams Reported in the Last 24 Hours

ResumeLooters arrives in APAC region

Group-IB discovered a large-scale malicious campaign targeting job search and retail websites primarily in the APAC region. Dubbed ResumeLooters, the group employed SQL injection and XSS attacks to compromise at least 65 websites between November and December 2023. The stolen data included over 2 million unique emails and other records. The group used penetration testing frameworks and open-source tools to execute its attacks.