Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 12, 2024
Cybercriminals displayed their camouflaging skills once again by disguising a malicious Python package as 'sellpass' to distribute the Blank-Grabber info-stealer. The malware poses various security risks, including credential theft and unauthorized access. In other news, a flawed WordPress plugin has been found affecting nearly 150,000 WordPress sites owing to a critical authorization bypass flaw and a cross-site scripting issue.
A new Python-based hacking tool—developed for credential harvesting and account hijacking—has surfaced. Named FBot, it aligns with the trend of bespoke ‘private bots’ tailored for individual buyers in the realm of cloud attack tools. Meanwhile, AgentTesla is back in the picture; stay alert.
Athleisure brand blurts out customer records
Hong Kong-based athleisure clothing brand Halara is investigating a potential data breach after the alleged leak of almost 950,000 customer records on a hacking forum. The attacker claimed to have obtained the data by exploiting a bug in an API on Halara's website. The leaked data reportedly includes customer names, phone numbers, addresses, and other details.
Phishing attack on laptop manufacturer
Framework Computer, a California-based manufacturer of modular laptops, fell victim to a data breach following a phishing attack on its accounting service provider, Keating Consulting Group. An attacker impersonated Framework's CEO, tricking a Keating Consulting accountant into sharing a spreadsheet containing customers' PII, including full names, email addresses, and outstanding balances. Affected customers are advised to be vigilant against phishing risks and report any suspicious emails.
Turkish attackers target MS SQL servers
Turkey-based cybercriminals launched a financially motivated campaign named Re#Turgence, targeting Microsoft SQL servers in the U.S., Europe, and Latin America. The hackers employ brute-force attacks to gain access to the servers. The campaign then either deploys the Mimic ransomware or sells access to the infected hosts on online cybercrime markets. The Mimic ransomware is linked to the now-defunct Conti ransomware group's leaked source code.
Indonesia's elections data at risk
Cybersecurity researchers have identified an increase in cyber threats targeting Indonesia ahead of the upcoming presidential election, scheduled for February. Both foreign and domestic actors have been exploiting voter data obtained through network intrusions. One notable breach involved the leak of 6.8 million voter records related to the 2017 Jakarta gubernatorial election.
Saudi’s ministry network breached
A significant data breach was reported at the Saudi Ministry of Foreign Affairs, exposing the personal details of over 1.4 million affiliated employees. The breach, disclosed on the dark web by a threat actor named "zelda," involves a 600MB file with records of ID numbers, Arabic names, contact information, and job titles. Additionally, claims of a data breach at the Holy Makkah Municipality have emerged, with an individual offering sensitive government data for sale.
Team Liquid's e-sports platform targeted
Team Liquid's e-sports platform, Liquipedia, disclosed that a publicly accessible MongoDB database laid bare the personal information of approximately 119,000 users. The leak revealed users’ email addresses, authentication details, and administrator-level information such as social media secrets and private RSA keys. The breach reportedly poses risks of fraudulent activities.
AgentTesla malware targets Windows
AgentTesla operators have resurfaced to compromise Windows machines, according to security researchers at BitSight. The malware spreads through phishing emails, using loaders like GuLoader and PureCrypter, to harvest sensitive data such as credentials, keystrokes, clipboard data, and screenshots. The researchers discovered over 1,500 recent AgentTesla configurations, with 75% using email for exfiltration. The U.S., China, and Germany were identified as the most targeted countries.
Cloud and payment services under attack
A new Python-based hacking toolkit called FBot was found targeting web servers, cloud services, CMS, and SaaS platforms, such as AWS, Microsoft 365, PayPal, Sendgrid, and Twilio. The tool's purpose is to hijack these services and harvest credentials to obtain initial access and monetize it by selling the access to other threat actors. In addition, the tool contains multiple utilities, such as an IP address generator and port scanner.
Malicious PyPI package distributes info-stealer
Imperva Threat Research uncovered a malicious Python package named 'sellpass-sdk' on the PyPI index. The package masqueraded as 'sellpass' and distributed the Blank-Grabber infostealer malware. The attacker used deceptive tactics, including mimicking the original author's name, uploading multiple versions to appear credible, and replicating information from the genuine package. The package was downloaded 488 times in a week before being removed from PyPI.
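The 'sellpass-sdk' case is a lookalike-name attack: a generic affix bolted onto a legitimate package name, backed by copied metadata. Because the author name and description were mimicked, those fields are not a trustworthy signal; the package name itself is the one thing a pre-install check can reason about offline. The following is an added example, not code from Imperva or from the original briefing, of such a check against a constructed allowlist of vetted packages. It applies PEP 503 name normalisation, flags affix variants of a known name, and flags near-misses by edit distance.

```python
"""Pre-install lookalike check for Python package names.

Added example (not from the original briefing). KNOWN_PACKAGES is a constructed
allowlist standing in for an organisation's own list of vetted dependencies;
LOOKALIKE_AFFIXES are affixes commonly used to make a copycat look official.
"""
import re

# Constructed allowlist of vetted packages (demo data).
KNOWN_PACKAGES = ["sellpass", "requests", "urllib3", "pillow", "numpy"]

# Affixes that turn <known> into a plausible "companion" name. Longer affixes
# are listed before their prefixes ('python' before 'py') so they match first.
LOOKALIKE_AFFIXES = ("official", "python", "client", "utils", "sdk", "api", "lib", "py")


def normalize(name):
    """PEP 503 normalisation: case-insensitive, runs of '-', '_', '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_affix(name):
    """Return the base name if `name` looks like <base>-<affix> or <affix>-<base>."""
    for affix in LOOKALIKE_AFFIXES:
        if name.endswith("-" + affix):
            return name[: -len(affix) - 1]
        if name.startswith(affix + "-"):
            return name[len(affix) + 1:]
    return None


def check_package(requested, known=KNOWN_PACKAGES, max_distance=2):
    """Classify a requested name as 'known', 'lookalike' (with a reason) or 'unknown'."""
    req = normalize(requested)
    known_norm = {normalize(k) for k in known}
    if req in known_norm:
        return {"name": req, "verdict": "known"}

    # Affix variants are checked first: 'sellpass-sdk' is four edits from
    # 'sellpass', so distance alone would miss exactly the case in the news item.
    base = strip_affix(req)
    if base in known_norm:
        return {"name": req, "verdict": "lookalike", "reason": f"affix variant of '{base}'"}

    for k in sorted(known_norm):
        if levenshtein(req, k) <= max_distance:
            return {"name": req, "verdict": "lookalike",
                    "reason": f"within edit distance {max_distance} of '{k}'"}
    return {"name": req, "verdict": "unknown"}


if __name__ == "__main__":
    for candidate in ["Sellpass", "sellpass-sdk", "python_sellpass", "requets", "flask"]:
        print(candidate, "->", check_package(candidate))
```

An 'unknown' verdict is not a clean bill of health; it only means the name is not a close variant of something already vetted, and that package still needs its own review before it is added to the allowlist.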
Site takeover flaws in WordPress plugin
Two critical vulnerabilities have been discovered in the POST SMTP Mailer WordPress plugin, potentially impacting around 300,000 websites. The first vulnerability (CVE-2023-6875) is an authorization bypass flaw, allowing an attacker to reset the API key and gain access to sensitive log information, including password reset emails. The second vulnerability (CVE-2023-7027) is a cross-site scripting (XSS) issue, enabling attackers to inject arbitrary scripts into an affected site's webpages.
Warning against critical privilege escalation flaw
The U.S. CISA added a critical vulnerability in Microsoft SharePoint Server to its exploited vulnerabilities catalog. Tracked as CVE-2023-29357, the flaw allows attackers to gain administrator privileges through the exploitation of spoofed JWT authentication tokens. Microsoft released patches in June 2023, and evidence of active exploitation prompted CISA to issue a warning, urging federal agencies to apply the patches by January 31, 2024.
Phishing via fake government websites
Police and local businesses in the UAE issued warnings about a surge in phishing scams using counterfeit websites, particularly impersonating Dubai's Road and Transport Authority (RTA) and tourist sites. These fake websites are promoted through black hat SEO tactics. The scams display characteristics of watering-hole attacks, tricking users into entering credentials, which are then harvested.
Fake work-from-home job offers on Facebook
Cybersecurity firm Qualys warned of an ongoing cyber scam where attackers advertise fake work-from-home job offers on Facebook, impersonating Qualys recruiters. The scammers compromise the accounts of legitimate Facebook users and target their connections in group chats, leading victims to private messages. The attackers, posing as recruiters, request personal information and government-issued IDs, and instruct victims to digitally cash checks for fraudulent job offers.