We use cookies to improve your experience. Do you accept?

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Jun 26, 2023

Over the past few years, Fortinet devices have been an appealing target for multiple threat actors. Now, the organization is urging an immediate patch for the users of its zero-trust access solution, FortiNAC. The patch addresses a high-severity security issue leading to RCE attacks. In another headline, whitehat researchers demonstrated a way to deliver malware to an organization via Microsoft Teams which has about 280 million monthly active users. They did it by manipulating the system into perceiving an external user as an internal user.

Vulnerable Linux and IoT devices are being targeted in an ongoing cryptomining campaign, revealed Microsoft. The campaign also involves hijacking SSH credentials, hiding malicious SSH connections, launching DDoS attacks, and more.

Top Breaches Reported in the Last 24 Hours

Top airlines suffer breaches

Major global airlines American Airlines and Southwest Airlines disclosed data breaches resulting from a hack at a third-party vendor, Pilot Credentials. On April 30, an unauthorized individual reportedly infiltrated Pilot Credentials' systems and illicitly obtained documents containing sensitive information. As a result, personal information belonging to 5,745 pilots from American Airlines and 3,009 pilots from Southwest Airlines has been affected.

MOVEit bug strikes New York City Schools

The sensitive information of approximately 45,000 students, along with school employees and service providers, was exposed in a breach incident affecting New York City public schools. According to the city’s education department, attackers accessed 19,000 documents through the MOVEIt file transfer system, resulting in the theft of 9,000 SSNs. Additionally, the stolen confidential data encompasses dates of birth, employee IDs, and OSIS numbers.

Top Malware Reported in the Last 24 Hours

Cryptomining via exposed devices

According to Microsoft, there’s an active cryptojacking campaign abusing and breaking into Internet-exposed Linux and IoT devices through brute-force attacks. Once inside a system, the attackers utilize a modified OpenSSH package to create a backdoor on the compromised devices and illicitly obtain SSH credentials, enabling them to maintain persistence. Criminals also deploy Reptile and Diamorphine open-source LKM rootkits, which essentially conceal their malicious actions on the compromised systems.

Delivering malware via Microsoft Teams

Despite restrictions on external file sources, security researchers at Jumpsec Red Team discovered a method of dropping a malicious payload to a target organization’s network by exploiting Microsoft Teams. They could circumvent the system's restrictions by changing the internal and external recipient ID in the POST request of a message, thus disguising an external user as an internal one.

JokerSpy claims Japanese cryptoexchange

An unnamed cryptocurrency exchange in Japan fell victim to a cyberattack wherein threat actors employed an Apple macOS backdoor called JokerSpy to install Swiftbelt (a Swift-based enumeration tool inspired by an open-source utility called SeatBelt) on the compromised network. A crucial element of the toolkit includes a self-signed multi-architecture binary referred to as xcc.

Meet the new JS dropper

Cybersecurity firm Deep Instinct identified a new variant of JavaScript dropper, dubbed PindOS, that can deliver subsequent payloads such as Bumblebee and IcedID. It can, further, retrieve malicious executable files from a remote server. PindOS's source code contained Russian comments, suggesting the potential for ongoing collaboration between Russian cybercrime groups behind Conti, Emotet, and IcedID.

Multiple malware in Super Mario game

Cybercriminals are distributing a trojanized Super Mario Bros game installer for Windows users, as uncovered by Cyble Research and Intelligence Labs. The infected version of the game contains multiple forms of malware, including an XMR miner, SupremeBot mining client, and the open-source Umbral stealer. Its wide range of capabilities includes capturing webcam images, acquiring Roblox cookies and Minecraft session files, and more.

Top Vulnerabilities Reported in the Last 24 Hours

FortiNAC updated for RCE bug

Fortinet patches a sensitive security vulnerability in its FortiNAC product. An attacker could abuse the bug, tracked as CVE-2023-33299, for RCE attacks that require no user interaction. No mitigation step was suggested for the critical flaw. Besides, it also fixed a low-severity flaw identified as CVE-2023-33300. The flaw relates to an improper access control problem that impacted FortiNAC versions 9.4.0 through 9.4.3, as well as FortiNAC versions 7.2.0 through 7.2.1.

Critical flaw in Grafana app

Multiple versions of Grafana, an open-source analytics and interactive visualization app, received security updates for a variety of flaws. This includes a critical severity bug that allows attackers to bypass authentication and gain control of any Grafana account through Azure Active Directory. It can potentially expose private customer data and sensitive information from a compromised user's account.

BIND 9 had multiple issues

The Internet Systems Consortium (ISC) issued patches to resolve security holes found in various versions of BIND 9 - a widely employed open-source software package that offers internet domain name system services. Remote attackers could launch denial-of-service attacks by exploiting the bugs. The vulnerabilities addressed by ISC include CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, all of which have the potential for remote exploitation.

Related Threat Briefings