Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 7, 2023
Did you know that huge download numbers and high rankings on app stores can be used to manipulate users? One such incident has surfaced in the form of a spyware app duo that has impacted nearly 1.5 million users. These apps harvested users’ personal data and transferred it to over one hundred different destinations. Separately, federal agencies in the U.S. and Canada issued warnings regarding the increasing prevalence of incidents involving the Truebot malware. Adversaries using it can exfiltrate large amounts of sensitive information for financial gain.
Meanwhile, a research group has unearthed a "potentially massive campaign" aimed at cloud-native environments, dubbed Silentbob. The attack infrastructure targets exposed JupyterLab and Docker APIs with an army of cloud worms.
Nickelodeon’s 500 GB of data at risk
Iconic American TV channel Nickelodeon revealed it suffered a breach earlier this year.
According to reports on social media, someone dumped 500 GB of animation files. All the leaked files were shared on a private Discord server, and many of them were reposted on other platforms. Officials confirmed that the leaked data does not include any user or employee data.
Database exposed confidential records
Kings of Translation, a New York-based company that facilitates the translation of over 120 languages, laid bare over 25,000 records to the internet via a misconfigured database. It blurted out sensitive data of individuals, including passport details, driver's licenses, business documents, denied visa petitions, birth and marriage records, and U.S. federal and state tax filings.
Chinese spyware apps impact millions
Security analysts at mobile security solutions provider Pradeo uncovered details of a pair of spyware apps on the Google Play Store: "File Recovery and Data Recovery" and "File Manager". With a collective download count of over 1.5 million, these apps can start automatically without any input from the device owner and covertly send sensitive user data to multiple malicious servers in China.
Increased Truebot malware activity
A joint advisory from the CISA, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security (CCCS) warned of a rise in the use of the Truebot malware by threat actors. Notably, these actors are increasingly exploiting the CVE-2022-31199 flaw in Netwrix Auditor to target organizations in the U.S. and Canada with the malware. Cybercriminals associated with Cl0p and Silence are known to use the payload to gather and exfiltrate information from their victims.
Cloud worm deploys Tsunami
Cloud security firm Aqua uncovered an attack infrastructure built around an aggressive cloud worm that targets exposed JupyterLab and Docker APIs. The worm can lead to the deployment of Tsunami malware, hijack cloud credentials, hijack compute resources, and self-propagate to other targets. The activity has been dubbed Silentbob and is said to be the brainchild of the infamous cryptojacking group tracked as TeamTNT.
BlackByte 2.0 infection within 5 days
The Microsoft Incident Response team stumbled across a BlackByte 2.0 ransomware infection while investigating an intrusion incident. Researchers observed that the threat actors displayed rapid attack progression and disrupted the networks of the targeted organization within a span of just five days. Criminals reportedly exploited flaws in Microsoft Exchange Servers, namely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
Stealer and also a RAT
An advanced information stealer, named WISE REMOTE Stealer, was spotted in the wild by security experts at Cyfirma. It functions as both a stealer and a RAT. Cyfirma's analysis is intended to give stakeholders a comprehensive understanding of the malware's operational scope and potential consequences, thereby allowing them to mitigate the associated risks effectively. The sophisticated malware is apparently gaining significant traction through promotion in underground forums.
Mastodon addresses five flaws
The data of millions of Mastodon users was found to be at risk of exposure owing to multiple critical security issues. Among them, CVE-2023-36460 is the most critical and could be abused for DoS and arbitrary RCE attacks. At worst, an attacker able to manipulate multiple instances could potentially redirect users to malicious applications or even disrupt the entire Mastodon infrastructure.
More bugs in MOVEit Transfer
The MOVEit Transfer tool has been patched to address three more SQL injection flaws, including a critical-severity vulnerability. The critical bug, tracked as CVE-2023-36934, could allow an unauthenticated individual to gain access to the MOVEit Transfer database. The second and third SQL injection flaws are tracked as CVE-2023-36932 and CVE-2023-36933. Users are urged to upgrade to the patched version of the tool as soon as possible.