Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 12, 2023
Meet the first publicly documented Python-based fileless attack targeting cloud workloads. Dubbed PyLoose, the malware leverages the Linux fileless technique to load an XMRig miner directly into memory. In another headline, Microsoft patched over 100 security bugs, including five zero-days that were said to be actively exploited in the wild. Others in line to address security issues on their platform include Fortinet, SAP, and Citrix. A Fortinet bug that concerns FortiOS and FortiProxy was patched in an earlier version but the firm didn’t announce it until recently.
Separately, security researchers have uncovered a never-before-seen malicious driver named RedDriver, which specifically targets Chinese-speaking users. It was discovered that a previous version of RedDriver was bundled with software intended for use in internet cafes.
Outage after cyberattack
The justice ministry in Trinidad and Tobago is coping with a hack that has disrupted operations. Criminals targeted the country’s Attorney General’s Office and Ministry of Legal Affairs (AGLA) in an attack that knocked the facility’s IT systems offline. The ministry has shared alternative email addresses for people to transmit court paperwork. Meanwhile, the cybersecurity department alerted other organizations regarding a similar cyberattack.
Over 750,000 individuals impacted
A data breach at Lansing Community College, Michigan, is estimated to have exposed SSNs and other personal data of 757,832 employees, students, and vendors. The college had reportedly shut down operations for multiple days in March to respond to the cybersecurity incident. The investigation into the breach is still ongoing.
RedDriver - a browser hijacker
Cybercriminals have been observed targeting Chinese-speaking Microsoft users with a tool named RedDriver. Security experts have detected multiple versions of RedDriver, which they believe has been in use since at least 2021. The tool allows attackers to intercept web browser traffic by hijacking the Windows Filtering Platform (WFP). An earlier version of RedDriver was also found packaged with software used in internet cafes.
New fileless malware threat
Security experts at Wiz uncovered a fileless malware called PyLoose, specifically targeting cloud workloads. The attack involves Python code that uses the memfd technique (an anonymous in-memory file created with memfd_create) to load an XMRig miner directly into memory, so no miner binary ever touches disk. Around 200 instances of this technique were spotted being used for cryptomining. PyLoose was first detected on June 22, after it gained initial access through a publicly accessible Jupyter Notebook service.
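Because a memfd-backed executable still shows up in /proc (the exe link and executable mappings point at a path of the form /memfd:<name> (deleted)), a defender can hunt for this loading pattern without any file on disk to hash. The following detector is an added example for this briefing, not code from Wiz or from the PyLoose sample; it assumes a standard Linux /proc layout and the kernel's memfd naming convention, and the sample /proc data in the test is constructed.

```python
"""Flag Linux processes whose executable or executable mappings are backed by
memfd (anonymous in-memory files), the loading pattern described for PyLoose."""
import os
from dataclasses import dataclass

# The kernel renders memfd_create() files in /proc as "/memfd:<name> (deleted)".
MEMFD_MARKER = "/memfd:"


@dataclass
class Finding:
    pid: int
    where: str   # "exe" (the process image itself) or "maps" (a loaded segment)
    path: str


def inspect_process(pid, exe_target, maps_lines):
    """Pure function over one process's /proc data, so it can be unit-tested
    with constructed input. exe_target is the readlink() of /proc/<pid>/exe,
    maps_lines are the raw lines of /proc/<pid>/maps."""
    findings = []
    if MEMFD_MARKER in exe_target:
        findings.append(Finding(pid, "exe", exe_target))
    for line in maps_lines:
        # address perms offset dev inode [path]; path may contain spaces
        fields = line.split(maxsplit=5)
        if len(fields) < 6:
            continue                     # anonymous mapping, no path at all
        perms, path = fields[1], fields[5].strip()
        # Only executable segments matter: memfd used as plain data is common.
        if "x" in perms and MEMFD_MARKER in path:
            findings.append(Finding(pid, "maps", path))
    return findings


def scan_proc(proc="/proc"):
    """Walk every numeric /proc entry; processes we cannot read are skipped."""
    findings = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/maps") as f:
                maps = f.readlines()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
        findings.extend(inspect_process(pid, exe, maps))
    return findings


if __name__ == "__main__":
    for hit in scan_proc():
        print(f"pid={hit.pid} {hit.where}: {hit.path}")
```

Run it as root for full coverage; a hit on a Jupyter or other Python worker whose exe or an r-xp segment resolves to a memfd path is the signal worth triaging.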
Microsoft Patch Tuesday
Microsoft addressed a total of 130 vulnerabilities listed across its products, it revealed on the eve of Patch Tuesday. It is worth noting that five of these vulnerabilities have already been exploited in real-world attacks. The patches are for Windows, Office, .NET, Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Redmond's DNS Server, and Remote Desktop.
Patched but no details in public
Citrix released patches for a critical vulnerability found in the Secure Access client for Ubuntu. This vulnerability, tracked as CVE-2023-24492, could be exploited for remote code execution. While Citrix has not disclosed technical details about it, it has released version 23.5.2 of the Secure Access client for Ubuntu, effectively addressing the vulnerability.
Fortinet patches silently
A sensitive security issue affecting FortiOS and FortiProxy has been resolved by Fortinet. If exploited, the bug could cause remote code execution on targeted systems via specially crafted packets. Identified as CVE-2023-28001, the flaw exists because an “existing websocket connection persists after deleting API admin.” According to Fortinet, the bug in question was addressed in a previous release without making any disclosure.
SAP releases 16 security notes
SAP’s newly released security notes have collectively addressed 16 security flaws - the most critical of them is an OS command injection vulnerability in SAP ECC and S/4HANA (IS-OIL). The flaw, CVE-2023-36922 (with a CVSS score of 9.1), enables an authenticated attacker to inject arbitrary operating system commands into an unprotected parameter within a vulnerable transaction and program.