Cyware Daily Threat Intelligence
Daily Threat Briefing • Jan 18, 2024
More than 6,700 WordPress websites have fallen victim to the Balada Injector malware and there are hundreds of thousands more vulnerable. To secure themselves, admins need to patch a vulnerability (CVE-2023-6000) in their Popup Builder plugin. Today marks the first known instance of a malware campaign deploying the 9Hits Traffic Exchange viewer application as a payload. Unlike traditional Docker attacks, this campaign doesn't attempt to break out of the container but leverages the 9Hits app for traffic-boosted cryptomining.
GPUs from the likes of Apple, Qualcomm, AMD, and Imagination were found to be affected by a vulnerability named LeftoverLocals. Exploiting this vulnerability allows attackers to access sensitive information, such as data and responses from LLMs, stored in a GPU's memory.
Insurance broker exposed customer emails
Toyota Tsusho Insurance Broker India (TTIBI), a joint venture between India and Japan, exposed more than 650,000 customer emails due to a misconfigured server. The issue was discovered while examining an Android app created by Eicher Motors, an Indian vehicle manufacturer, that included an API interface connecting to the TTIBI website. The misconfigured API allowed unauthorized access to the Microsoft-hosted email account used for sending automated emails to customers.
LockBit group attacks semiconductor manufacturer
Foxsemicon, one of Taiwan's major semiconductor manufacturers, reportedly suffered a cyberattack by the LockBit ransomware group. The attackers defaced the company's website with a threatening message, claiming to have stolen 5TB of data and threatening to publish it on their darknet site if a ransom is not paid. They also included a threatening message for employees about losing their jobs.
Millions of email addresses affected
Have I Been Pwned added almost 71 million email addresses associated with stolen accounts in the Naz.API dataset to its data breach notification service. The Naz.API dataset is a massive collection of 1 billion credentials compiled using credential stuffing lists and data stolen by information-stealing malware.
Espionage campaign strikes Indian Air Force
The Indian Air Force was targeted in a new campaign using a variant of the Go Stealer, an open-source information-stealing malware. Threat actors sent phishing emails containing a malicious ZIP file, purportedly containing data about Su-30 fighter jets that India approved for procurement last year. The malware features additional capabilities such as targeting various browsers (Firefox, Google Chrome, Edge, and Brave) and exfiltrating data using Slack for covert communications.
Mint Sandstorm introduces new malware
Microsoft reported Mint Sandstorm, an Iranian APT35 subgroup, using spear-phishing to target researchers and university staff in the U.S., Belgium, France, Gaza, Israel, and the U.K. Employing custom phishing lures, the hackers deliver a new, evasive backdoor called MediaPl. This malware disguises itself as Windows Media Player, utilizing encrypted communication channels to interact with its command-and-control server.
Docker servers targeted in new campaign
Cado Security researchers have uncovered an attack campaign targeting vulnerable Docker servers, deploying two containers – a regular XMRig miner and the 9Hits Traffic Exchange viewer application. This is the first documented case of a malware payload leveraging the 9Hits application. It is believed that the attacker could be using Shodan or a separate server for scanning.
Bug bugs several GPU manufacturers
LeftoverLocals, a vulnerability present in GPU drivers by Apple, Qualcomm, AMD, and Imagination could allow attackers to steal significant amounts of data from a GPU's memory, exposing sensitive information such as queries and responses generated by large language models. The Apple iPhone 12 and M2 MacBook Air are impacted by the bug. While Apple, Qualcomm, and AMD have acknowledged the issue, fixes are still in progress or planned.