Cyware Daily Threat Intelligence

Daily Threat Briefing • Jan 4, 2024
Developers, be careful! In the shadowy alleys of the digital underworld, researchers unearthed a treacherous trio of PyPI packages that surreptitiously deploy a CoinMiner executable on Linux devices. In an update, HealthEC disclosed that around 4.5 million individuals were impacted in an earlier breach, which also had consequences for 17 healthcare service providers.
Remember the recent Terrapin vulnerability disclosure? Research reveals that around 11 million SSH servers are still awaiting patches. Most of these servers are based in the U.S., with others spread worldwide.
HealthEC data breached
A data breach at HealthEC impacted close to 4.5 million individuals who received care through one of the company’s customers. The breach occurred between July 14 and 23, 2023, when attackers gained unauthorized access to some of its systems and stole sensitive data. This includes names, dates of birth, SSNs, taxpayer identification numbers, and medical record numbers.
Estes Express Lines discloses breach
Private freight shipper Estes Express Lines notified over 20,000 customers that their personal information, including names and SSNs, was stolen in a cyberattack. The company discovered unauthorized access to its IT network, after which the attackers deployed ransomware; Estes chose not to pay the ransom. The ransomware crew, LockBit, later claimed responsibility and leaked the stolen data.
Malicious PyPI packages deploy coinminer
FortiGuard identified three malicious PyPI packages that deploy a CoinMiner executable on Linux devices. These packages, named modularseven-1.0, driftme-1.0, and catme-1.0, were created by an author known as "sastra" and have similarities to the previously discovered "culturestreak" package. The attack methodology involves concealing the payload, downloading a configuration file and the CoinMiner executable from remote URLs, and executing them in the background.
Cisco ASA flaw on sale
A threat actor named ‘xc7d2f4’ is allegedly selling a remote command injection vulnerability (CVE-2023-20214) for the Cisco Adaptive Security Appliance (ASA) on the dark web. The flaw affects all Cisco ASA 55XX series devices and allows malicious actors to execute arbitrary commands on an affected device from a remote location and potentially take over critical infrastructure.
Terrapin attack puts 11 million SSH servers at risk
A recent report by Shadowserver warned that nearly 11 million SSH servers on the public web are vulnerable to Terrapin attacks. A majority of vulnerable systems were found in the U.S., followed by China, Germany, Russia, Singapore, and Japan. To successfully execute the Terrapin attack, attackers must be in a position where they can intercept and modify the handshake exchange, also known as an adversary-in-the-middle position.
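The precondition above (an adversary-in-the-middle position on the handshake) is what the Terrapin mitigation, the "strict kex" extension negotiated during KEXINIT, is designed to defeat. The following added example, written for this briefing and not taken from Shadowserver or any vendor, shows how a defender can check their own servers for exposure: it parses an SSH_MSG_KEXINIT payload (RFC 4253 §7.1), flags the combinations the Terrapin disclosure identified as affected (the ChaCha20-Poly1305 cipher, or a CBC cipher paired with an encrypt-then-MAC MAC) and reports whether the server advertises `kex-strict-s-v00@openssh.com`. The two KEXINIT payloads are constructed samples standing in for a vulnerable and a patched server; the client banner string and zero cookie are assumptions for this example, and `fetch_server_kexinit` is included for live use but is not exercised offline.

```python
"""Offline Terrapin exposure check on an SSH server's KEXINIT (added example)."""
import socket
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict-kex marker
CHACHA = "chacha20-poly1305@openssh.com"

# The ten name-lists that follow the 16-byte cookie in SSH_MSG_KEXINIT (RFC 4253 §7.1).
NAME_LISTS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _read_name_list(buf, off):
    """Decode one SSH name-list: uint32 length followed by comma-separated ASCII."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n


def parse_kexinit(payload):
    """Return the algorithm name-lists of a KEXINIT payload as a dict."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id + cookie
    fields = {}
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    return fields


def build_kexinit(**lists):
    """Encode a KEXINIT payload; used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # constructed all-zero cookie
    for name in NAME_LISTS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def assess_terrapin(fields):
    """Terrapin needs ChaCha20-Poly1305 or a CBC cipher with an encrypt-then-MAC
    MAC on offer, and is blocked when the server advertises strict kex."""
    ciphers = set(fields["enc_c2s"]) | set(fields["enc_s2c"])
    macs = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    chacha = CHACHA in ciphers
    cbc_etm = (any(c.endswith("-cbc") for c in ciphers)
               and any(m.endswith("-etm@openssh.com") for m in macs))
    strict = STRICT_KEX_SERVER in fields["kex"]
    return {"strict_kex": strict, "chacha20": chacha, "cbc_etm": cbc_etm,
            "vulnerable": (chacha or cbc_etm) and not strict}


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Do only the identification exchange and read the server's KEXINIT; the
    first binary packet is sent unencrypted. Needs network access (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-TerrapinCheck\r\n")  # assumed client banner
        f = s.makefile("rb")
        while True:  # servers may send free-text lines before "SSH-"
            line = f.readline()
            if not line:
                raise ConnectionError("no SSH identification received")
            if line.startswith(b"SSH-"):
                break
        (packet_len,) = struct.unpack(">I", f.read(4))
        body = f.read(packet_len)
        padding_len = body[0]
        return body[1:packet_len - padding_len]


# Constructed KEXINIT payloads standing in for two servers.
VULNERABLE_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    hostkey=["ssh-ed25519"],
    enc_c2s=[CHACHA, "aes128-ctr"], enc_s2c=[CHACHA, "aes128-ctr"],
    mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"],
    comp_c2s=["none"], comp_s2c=["none"])
PATCHED_KEXINIT = build_kexinit(
    kex=["curve25519-sha256", STRICT_KEX_SERVER],
    hostkey=["ssh-ed25519"],
    enc_c2s=[CHACHA, "aes128-ctr"], enc_s2c=[CHACHA, "aes128-ctr"],
    mac_c2s=["hmac-sha2-256-etm@openssh.com"], mac_s2c=["hmac-sha2-256-etm@openssh.com"],
    comp_c2s=["none"], comp_s2c=["none"])

if __name__ == "__main__":
    for label, payload in (("vulnerable", VULNERABLE_KEXINIT), ("patched", PATCHED_KEXINIT)):
        print(label, assess_terrapin(parse_kexinit(payload)))
```

For a live inventory check, call `assess_terrapin(parse_kexinit(fetch_server_kexinit(host)))` against your own hosts; a server that still offers the affected algorithms but advertises strict kex is considered mitigated, while one that offers neither ChaCha20-Poly1305 nor a CBC-plus-EtM pairing is not exposed regardless of the extension.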
Mandiant hacked in cryptocurrency scam
Google Cloud subsidiary Mandiant had its X (Twitter) account compromised for more than six hours in a cryptocurrency scam. It’s currently not clear how the account was breached, but the hacked Mandiant account was renamed ‘@phantomsolw’ to impersonate the Phantom crypto wallet service. Scammers advertised an airdrop scam, created counterfeit websites, and urged users to click on a bogus link to earn free tokens, with a follow-up message to ‘change password please’ and ‘check bookmarks when you get account back.’
Twitter Gold accounts targeted
Twitter Gold accounts, which carry a prestigious verification badge, are being targeted by cybercriminals who sell compromised accounts on the dark web. The accounts are compromised through password brute-forcing and malware, and then used for scams involving phishing links and for disinformation campaigns.