
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 4, 2024

Developers be careful! In the shadowy alleys of the digital underworld, researchers unearthed a treacherous trio of PyPI packages that surreptitiously deploy a CoinMiner executable on Linux devices. In an update, HealthEC disclosed that around 4.5 million individuals were impacted in a previously reported breach. The breach also had consequences for 17 healthcare service providers.

Remember the recent Terrapin vulnerability disclosure? Research reveals that around 11 million SSH servers are still awaiting patches. Most of these servers are based in the U.S., with others spread worldwide.

Top Breaches Reported in the Last 24 Hours

HealthEC data breached

A data breach at HealthEC impacted close to 4.5 million individuals who received care through one of the company’s customers. The breach occurred between July 14 and 23, 2023, when attackers gained unauthorized access to some of its systems and stole sensitive data. This includes names, dates of birth, SSNs, taxpayer identification numbers, and medical record numbers.

Estes Express Lines discloses breach

Private freight shipper Estes Express Lines notified over 20,000 customers that their personal information, including names and SSNs, was stolen in a cyberattack. The company discovered unauthorized access to its IT network and the deployment of ransomware, but chose not to pay the ransom. The ransomware crew, Lockbit, later claimed responsibility and leaked stolen data.

Top Malware Reported in the Last 24 Hours

Malicious PyPI packages deploy coinminer

FortiGuard identified three malicious PyPI packages that deploy a CoinMiner executable on Linux devices. These packages, named modularseven-1.0, driftme-1.0, and catme-1.0, are created by an author known as "sastra" and have similarities to the previously discovered "culturestreak" package. The attack methodology involves concealing the payload, downloading a configuration file and CoinMiner executable from remote URLs, and executing them in the background.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco ASA flaw on sale

A threat actor named ‘xc7d2f4’ is allegedly selling a remote command injection vulnerability (CVE-2023-20214) for Cisco Adaptive Security Appliance (ASA) on the dark web. The flaw affects all 55XX series of the Cisco ASA and allows malicious actors to execute arbitrary commands on the affected Cisco device from a remote location and potentially take over critical infrastructure.

Terrapin attack puts 11 million SSH servers at risk

A recent report by Shadowserver warned that nearly 11 million SSH servers on the public web are vulnerable to Terrapin attacks. A majority of vulnerable systems were found in the U.S., followed by China, Germany, Russia, Singapore, and Japan. To successfully execute the Terrapin attack, attackers must be in a position where they can intercept and modify the handshake exchange, also known as an adversary-in-the-middle position.
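A defender-side check for the Terrapin exposure described above, added here as an example and not code from the briefing or from Shadowserver. It assumes, from the public Terrapin research rather than from this page, that a server is affected when it offers ChaCha20-Poly1305 or a CBC cipher together with an Encrypt-then-MAC MAC, and that a patched server advertises the "strict kex" extension in its KEXINIT key-exchange list; the KEXINIT payloads are constructed, not captured.

```python
import struct

KEXINIT_MSG = 20  # SSH_MSG_KEXINIT message number

# Assumptions from the public Terrapin research (not stated on the page):
# patched servers advertise this pseudo-algorithm in their kex list, and the
# affected modes are ChaCha20-Poly1305 and CBC ciphers with an -etm MAC.
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"
CHACHA = "chacha20-poly1305@openssh.com"

def _name_list(buf, off):
    """Read one SSH name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n].decode("ascii").split(","), off + n

def parse_kexinit(payload):
    """Return the ten KEXINIT name-lists keyed by field name."""
    if payload[0] != KEXINIT_MSG:
        raise ValueError("not a KEXINIT message")
    off = 1 + 16  # message byte followed by the 16-byte cookie
    fields = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for f in fields:
        out[f], off = _name_list(payload, off)
    return out

def assess_terrapin(server_kexinit):
    """Classify a server KEXINIT as 'patched', 'vulnerable' or 'not_affected'."""
    k = parse_kexinit(server_kexinit)
    if STRICT_KEX_SERVER in k["kex"]:
        return "patched"
    ciphers = set(k["enc_c2s"]) | set(k["enc_s2c"])
    macs = set(k["mac_c2s"]) | set(k["mac_s2c"])
    # CTR ciphers with an -etm MAC are treated as not affected here for simplicity.
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    if CHACHA in ciphers or cbc_etm:
        return "vulnerable"
    return "not_affected"

def build_kexinit(kex, ciphers, macs):
    """Build a minimal constructed KEXINIT payload (zero cookie) for testing."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([KEXINIT_MSG]) + b"\x00" * 16
    lists = [kex, ["ssh-ed25519"], ciphers, ciphers, macs, macs,
             ["none"], ["none"], [], []]
    for lst in lists:
        body += nl(lst)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
```

On a live server the payload to feed `assess_terrapin` is the server's first binary packet after the version exchange, with the packet length, padding length and padding stripped.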

Top Scams Reported in the Last 24 Hours

Mandiant hacked in cryptocurrency scam

Google Cloud subsidiary Mandiant had its X (Twitter) account compromised for more than six hours in a cryptocurrency scam. It’s currently not clear how the account was breached but the hacked Mandiant account was renamed as ‘@phantomsolw’ to impersonate the Phantom crypto wallet service. Scammers advertised an airdrop scam, created counterfeit websites, and urged users to click on a bogus link and earn free tokens, with a follow-up message to ‘change password please’ and ‘check bookmarks when you get account back.’

Twitter Gold accounts targeted

Twitter Gold accounts, which have a prestigious verification badge, are being targeted by cybercriminals who are selling compromised accounts on the dark web. These accounts are being used for scams and disinformation campaigns. The compromise methods include brute-forcing passwords and malware, while scams involve phishing links and disinformation campaigns.
