
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 18, 2024

More than 6,700 WordPress websites have been compromised by the Balada Injector malware, and hundreds of thousands more remain vulnerable. To protect their sites, admins need to patch the Popup Builder plugin against CVE-2023-6000. Today also marks the first known instance of a malware campaign deploying the 9Hits Traffic Exchange viewer application as a payload. Unlike traditional Docker attacks, this campaign does not attempt to break out of the container; it runs the 9Hits viewer to earn traffic-exchange credits alongside a cryptominer.

GPUs from Apple, Qualcomm, AMD, and Imagination were found to be affected by a vulnerability named LeftoverLocals. Exploiting it lets an attacker read data that another process has left behind in the GPU's local memory, including prompts and responses from LLMs.

Top Breaches Reported in the Last 24 Hours

Insurance broker exposed customer emails

Toyota Tsusho Insurance Broker India (TTIBI), an Indian-Japanese joint venture, exposed more than 650,000 customer emails through a misconfigured server. The issue was discovered while examining an Android app from Eicher Motors, an Indian vehicle manufacturer, that contained an API interface connecting to the TTIBI website. The misconfigured API allowed unauthorized access to the Microsoft-hosted email account used to send automated emails to customers.

LockBit group attacks semiconductor manufacturer

Foxsemicon, one of Taiwan's major semiconductor manufacturers, reportedly suffered an attack by the LockBit ransomware group. The attackers defaced the company's website with a message claiming to have stolen 5TB of data and threatening to publish it on their darknet leak site if a ransom is not paid; the message also warned employees that they would lose their jobs.

Millions of email addresses affected

Have I Been Pwned added almost 71 million email addresses from the Naz.API dataset to its breach notification service. Naz.API is a collection of roughly 1 billion credentials compiled from credential stuffing lists and data stolen by information-stealing malware.
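The email addresses above are searchable on Have I Been Pwned; its companion Pwned Passwords service lets you check whether a password is in its corpus without sending the password to HIBP. The exchange uses k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every hash suffix in that range, and the match is made locally. The block below is an added example, not HIBP's own client code; the range response it uses offline is a constructed fixture with invented counts, and `fetch_range_live()` performs the real call.

```python
"""Check a password against HIBP Pwned Passwords with the k-anonymity range API.

Added example for this briefing; it is not Have I Been Pwned's own client code.
The offline fixture below is constructed (its counts are invented) so the code
runs without network access; fetch_range_live() performs the real call.
"""
import hashlib
import urllib.request
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed fixture: a pretend response for the range 5BAA6, which is the
# prefix of SHA-1("password"). Counts are invented, not HIBP's real numbers.
CONSTRUCTED_RANGE_5BAA6 = """0018A45C4D1DEF81644B54AB7F969B88D65:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A2D9C5D2F3E0A0B1C2D3E4F5A6B7C8D9E0:7
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded responses include suffixes with count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in Pwned Passwords (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API that serves the constructed fixture; every other range is empty."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_live(prefix: str) -> str:
    """Real HTTPS call. Add-Padding asks HIBP to pad the response so its size does not reveal the range."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "threat-briefing-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap fetch_range_offline for fetch_range_live to query the real service.
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range_offline)} times (offline fixture)")
```

Because the suffix comparison happens on the client, HIBP never learns which of the few hundred hashes in the range you were interested in; the padding header closes the remaining side channel of response size.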

Espionage campaign strikes Indian Air Force

The Indian Air Force was targeted in a new campaign using a variant of Go Stealer, an open-source information-stealing malware written in Go. Threat actors sent phishing emails with a malicious ZIP file purportedly containing data on the Su-30 fighter jets that India approved for procurement last year. The variant adds capabilities beyond the public version, including targeting additional browsers (Firefox, Google Chrome, Edge, and Brave) and exfiltrating stolen data through Slack for covert communications.

Top Malware Reported in the Last 24 Hours

Mint Sandstorm introduces new malware

Microsoft reported that a subgroup of Mint Sandstorm, the Iranian actor also tracked as APT35, is using spear-phishing to target researchers and university staff in the U.S., Belgium, France, Gaza, Israel, and the U.K. Using custom phishing lures, the hackers deliver a new, evasive backdoor called MediaPl. The malware masquerades as Windows Media Player and uses encrypted communication channels to talk to its command-and-control server.

Docker servers targeted in new campaign

Cado Security researchers have uncovered a campaign targeting internet-exposed Docker hosts, deploying two containers: a standard XMRig miner and the 9Hits Traffic Exchange viewer application. This is the first documented case of a malware payload using the 9Hits application. The attacker is believed to find targets through Shodan or a separate scanning server.
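Two checks follow from the campaign description: whether your own Docker API is reachable without authentication (the exposure the attacker scans for), and whether a miner or 9Hits viewer container is already running. The block below is an added example for this briefing, not Cado Security's code or anything from the campaign write-up. It assumes the Docker Engine API is reachable on the local Unix socket or on TCP port 2375, and its indicator patterns are illustrative, derived only from what the briefing names (an XMRig miner and a 9Hits viewer), not a published IOC list; the sample container listing is constructed.

```python
"""Hunt for the 9Hits viewer / XMRig miner container pair on a Docker host.

Added example for this briefing, not Cado Security's code. Assumes the Docker
Engine API is reachable on the local Unix socket or TCP 2375; the indicator
patterns are illustrative, not a published IOC list.
"""
import http.client
import json
import re
import socket
from typing import Iterable

# Assumed indicators, matched against image name, command and container names.
INDICATORS = {
    "xmrig-binary": re.compile(r"\bxmrig\b", re.IGNORECASE),
    "9hits-viewer": re.compile(r"9hits", re.IGNORECASE),
    "stratum-pool-url": re.compile(r"stratum\+(tcp|ssl)://", re.IGNORECASE),
    "xmrig-donate-flag": re.compile(r"--donate-level", re.IGNORECASE),
}

# Constructed sample of what GET /containers/json returns (image names, pool
# host and container names are invented for the example).
SAMPLE_CONTAINERS_JSON = """[
  {"Id": "a1b2c3", "Names": ["/web"], "Image": "nginx:1.25",
   "Command": "nginx -g 'daemon off;'", "State": "running"},
  {"Id": "d4e5f6", "Names": ["/zealous_cray"], "Image": "xmrig/xmrig:latest",
   "Command": "xmrig --donate-level 1 -o stratum+tcp://pool.invalid:3333", "State": "running"},
  {"Id": "0a1b2c", "Names": ["/viewer"], "Image": "9hitsv3-viewer:latest",
   "Command": "9hitsv3 --token REDACTED", "State": "running"}
]"""


def parse_containers(raw: str) -> list[dict]:
    """Decode a /containers/json body into a list of container records."""
    return json.loads(raw)


def flag_containers(containers: Iterable[dict]) -> list[dict]:
    """Return one finding per container whose image, command or name matches an indicator."""
    findings = []
    for c in containers:
        haystack = " ".join([c.get("Image", ""), c.get("Command", ""), *c.get("Names", [])])
        matched = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
        if matched:
            findings.append({"id": c.get("Id"), "image": c.get("Image"), "matched": matched})
    return findings


def list_containers_via_socket(path: str = "/var/run/docker.sock") -> list[dict]:
    """Ask the local daemon for all containers over its Unix socket (plain HTTP/1.0)."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(5)
    sock.connect(path)
    sock.sendall(b"GET /containers/json?all=1 HTTP/1.0\r\nHost: docker\r\n\r\n")
    chunks = []
    while True:
        data = sock.recv(65536)
        if not data:
            break
        chunks.append(data)
    sock.close()
    _headers, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return parse_containers(body.decode("utf-8"))


def docker_api_exposed(host: str, port: int = 2375, timeout: float = 3.0) -> bool:
    """True if an unauthenticated Docker Engine API answers GET /version on host:port.

    That is the exposure this campaign needs: anyone reaching the port can create containers.
    """
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/version")
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return False
    if resp.status != 200:
        return False
    try:
        return "ApiVersion" in json.loads(body)
    except ValueError:
        return False


if __name__ == "__main__":
    # Offline demo on the constructed sample; use list_containers_via_socket() on a real host.
    for f in flag_containers(parse_containers(SAMPLE_CONTAINERS_JSON)):
        print(f"container {f['id']} ({f['image']}): {', '.join(f['matched'])}")
    print("Docker API exposed on 127.0.0.1:2375:", docker_api_exposed("127.0.0.1"))
```

Run `docker_api_exposed()` from outside the host's network perimeter as well: a daemon bound to 0.0.0.0:2375 without TLS client authentication is exactly what a Shodan query or a mass scanner surfaces.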

Top Vulnerabilities Reported in the Last 24 Hours

Bug hits several GPU manufacturers

LeftoverLocals, a vulnerability affecting GPUs from Apple, Qualcomm, AMD, and Imagination, could allow attackers to recover significant amounts of data from a GPU's local memory, exposing sensitive information such as queries and responses generated by large language models. Devices including the Apple iPhone 12 and M2 MacBook Air are impacted. While Apple, Qualcomm, and AMD have acknowledged the issue, fixes are still in progress or planned.
