Cyware Daily Threat Intelligence

Daily Threat Briefing Jun 22, 2023

Apple on Wednesday resolved three zero-day vulnerabilities that were being actively exploited in attacks aimed at installing the TriangleDB spyware implant on iPhones. These vulnerabilities were specifically leveraged through iMessage zero-click exploits, allowing adversaries to infiltrate devices without any user interaction. On the malware side, experts at Check Point laid bare a Chinese APT operation using a self-propagating USB malware called WispRider. A European healthcare institution fell victim to it after an employee used an infected USB drive on the hospital’s system.

In other news, online shoppers for car mount and mobile accessories have been hit by a Magecart attack. The attackers managed to stay hidden within an online store for about two months before the infection was spotted.

Top Breaches Reported in the Last 24 Hours

Three more MOVEit zero-day victims

The Metro Vancouver Transit Police, the University of Missouri, and a state agency in Colorado have confirmed investigating breach incidents related to the exploitation of their MOVEit Transfer instances. Hackers reportedly accessed 186 files from the networks of the Metro Vancouver Transit Police. Over the past week, the Cl0p group has claimed responsibility for attacking numerous high-profile victims and has publicly posted information about these alleged attacks.

Philadelphia healthcare facility breach

Vincera, a healthcare facility based in Philadelphia, disclosed that a ransomware attack crippled its network and impacted sensitive patient data, including personal and medical information. The leaked data from the ransomware attack on Vincera includes a range of sensitive information such as contact details, SSNs, dates of birth, medical histories, treatment records, insurance information, and potentially more.

iOttie exposes customers' information

A Magecart attack hit car mount and mobile accessory maker iOttie between April 12 and June 2. Customers who made purchases during this period may have had their credit card and personal details stolen by cybercriminals. The firm has not disclosed the specific number of affected customers. Such data in the wrong hands can be abused in many ways to conduct financial fraud or identity theft, or could be sold to other threat actors on dark web marketplaces.

Ransomware hits Hawaii campus

University of Hawaii officials announced that Hawaii Community College has experienced a ransomware attack resulting in a network outage. While the type of data compromised during the incident isn’t clear, the ransomware group responsible for the attack is most probably the NoEscape group. Going by the claim, Hawaii Community College is the sole UH campus affected by this incident.

Top Malware Reported in the Last 24 Hours

USB malware by Chinese APT

Camaro Dragon, the China-backed APT actor, is infecting victims with a new strain of self-propagating malware called WispRider through compromised USB drives. It was reportedly used against a European healthcare facility. The infection process also involves a Delphi launcher, HopperTick, distributed through USB drives, along with its main payload, WispRider. WispRider’s variants can help bypass the Indonesian antivirus solution, Smadav.

New strain with big aspirations

Fortinet dissected Fluhorse - an Android malware family that emerged in May 2023. The differentiating factor for the malware is its utilization of Flutter, an open-source, cross-platform Software Development Kit (SDK). The malware was deployed via a dummy app that faked a legitimate electronic toll system app used in Southern Asia. It can perform a range of operations from stealing credentials and 2FA codes to accessing incoming SMS messages.

Top Vulnerabilities Reported in the Last 24 Hours

Apple fixes a set of zero-days

Apple addressed three zero-day bugs, namely CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439, being exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits. CVE-2023-32434 is an integer overflow issue that impacts the kernel while enabling an application to execute arbitrary code with kernel privileges. CVE-2023-32435 is a memory corruption issue in WebKit that paves the way for code execution. CVE-2023-32439 is a type confusion bug in the WebKit browser engine that can result in arbitrary code execution.

Millions of GitHub repos at risk

RepoJacking, a type of supply chain attack, has the potential to exploit millions of software repositories hosted on GitHub, according to security firm Aqua. Owing to the abuse, it is possible for threat actors to take over abandoned organizations or user accounts and publish trojanized versions of repositories to spread malicious code. Google/mathsteps, formerly owned by Socratic (acquired by Google in 2018), is an example of such a repository.
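As an added defender-side example (not part of the briefing or of Aqua's research tooling), the following Python audits a dependency manifest for GitHub references that are only reachable through an owner-rename redirect, or that no longer resolve at all; those are the references an attacker could capture by re-registering the abandoned name. The manifest, owner names and the offline resolver are constructed stand-ins for a real GitHub API lookup.

```python
import re
from typing import Callable, List, Optional, Tuple

# Matches owner/repo in https, git+https and ssh style GitHub references.
GITHUB_REF = re.compile(
    r"github\.com[/:](?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?=[/#@\s\"']|$)"
)


def extract_github_refs(manifest_text: str) -> List[Tuple[str, str]]:
    """Return (owner, repo) pairs referenced in a manifest, in order, de-duplicated."""
    refs: List[Tuple[str, str]] = []
    for m in GITHUB_REF.finditer(manifest_text):
        pair = (m.group("owner"), m.group("repo"))
        if pair not in refs:
            refs.append(pair)
    return refs


def find_redirected_refs(refs, resolve_canonical: Callable[[str, str], Optional[str]]):
    """Flag refs served only via a rename redirect ("redirects to ...") or missing.

    resolve_canonical(owner, repo) returns the repository's current "owner/repo"
    (what the GitHub API reports as full_name after following redirects) or None.
    A reference whose canonical owner differs from the referenced owner relies on
    the old account name staying unregistered: that is the RepoJacking exposure.
    """
    findings = []
    for owner, repo in refs:
        canonical = resolve_canonical(owner, repo)
        if canonical is None:
            findings.append((f"{owner}/{repo}", "missing"))
        elif canonical.split("/")[0].lower() != owner.lower():
            findings.append((f"{owner}/{repo}", f"redirects to {canonical}"))
    return findings


# Constructed sample manifest and a constructed offline stand-in for the API lookup.
SAMPLE_MANIFEST = """\
git+https://github.com/oldorg/widget-lib.git@v1.2.0
https://github.com/example-user/stable-tool/archive/refs/tags/v2.zip
git@github.com:gone-corp/legacy-sdk.git
"""
CONSTRUCTED_CANONICAL = {
    ("oldorg", "widget-lib"): "neworg/widget-lib",         # owner renamed: redirect
    ("example-user", "stable-tool"): "example-user/stable-tool",
    # gone-corp/legacy-sdk deliberately absent: the lookup returns None
}


def audit_sample():
    resolver = lambda owner, repo: CONSTRUCTED_CANONICAL.get((owner, repo))
    return find_redirected_refs(extract_github_refs(SAMPLE_MANIFEST), resolver)
```

Swapping the constructed resolver for a call to the GitHub repositories API turns this into a real pre-merge check on lockfiles and submodule lists.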