Cyware Daily Threat Intelligence

Daily Threat Briefing Mar 9, 2023

Cybercriminals are well aware that automation servers are a crucial part of the software development workflow, and any mishap there can have lasting consequences. Researchers have discovered irregularities in the way Jenkins handles the available plugins that could lead to security issues such as XSS or RCE attacks. 8220 Gang is back with a new crypter up its sleeve. Named ScrubCrypt, the malware is readily available to other hackers on an underground marketplace, which makes the threat more severe for potential targets running vulnerable Oracle WebLogic servers.

Fortinet has also reported a critical flaw that can give an unauthenticated user remote access. Rated 9.3 out of 10, the vulnerability lies in the FortiOS and FortiProxy administrative interface, which can be abused with specifically crafted requests if not patched in time.

Top Breaches Reported in the Last 24 Hours

Medusa adds MPS as its victim

The Minneapolis Public Schools (MPS) district reportedly fell victim to a Medusa ransomware attack, and the group is threatening to publish all of the data by March 17 if its ransom demand of one million isn’t met. The threat actors behind the ransomware have listed MPS as a victim on their Tor data leak site. Meanwhile, the organization has announced that it isn’t planning to pay the ransomware actors.

Hackers raid health insurance marketplace

DC Health Link, an online health insurance marketplace used by members of Congress and residents of Washington, D.C., appears to have suffered a breach. A hacker was found offering the clients' stolen data on a public forum. Furthermore, federal investigators were able to purchase stolen congressional data from the forum.

Top Malware Reported in the Last 24 Hours

Remcos in top 10 malware list

Check Point’s Global Threat Index for February 2023 updated its malware ranking, which now includes the Remcos trojan among the top ten malware threats. Remcos made the top 10 list for the first time since December 2022 because it is frequently used by criminals targeting Ukrainian government entities through phishing attacks. Recently, attackers posed as Ukrtelecom JSC in a phishing attack and used a malicious RAR attachment to spread the trojan.

ScrubCrypt by 8220 Gang

Security experts at Fortinet revealed that the Chinese 8220 Gang deployed the new ScrubCrypt payload by exploiting an Oracle WebLogic Server via a specific URI between January and February 2023. The ScrubCrypt crypter lets an attacker wrap and obfuscate applications using a unique BAT packing technique. It was found to be available for sale on dark web forums.

Top Vulnerabilities Reported in the Last 24 Hours

CloudBees bugs in Jenkins server

Aqua Nautilus researchers uncovered a chain of vulnerabilities affecting Jenkins servers that could fully compromise them. Dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905), the bugs are also a threat to self-hosted Jenkins servers. A skilled hacker can abuse the bugs to run arbitrary code on the victim's servers.

Fortinet fixes over a dozen bugs

Fortinet has addressed 15 security flaws across its range of products. Experts emphasized urgently patching a critical vulnerability that could let threat actors take control of affected FortiOS and FortiProxy systems. Tagged as CVE-2023-25610, the buffer underwrite flaw could lead to RCE or DoS conditions when exploited. As workarounds, Fortinet recommended disabling the HTTP/HTTPS administrative interface or limiting the IP addresses that can reach it.

Veeam discloses critical bug

All versions of Veeam’s Backup & Replication software are affected by a high-severity flaw tracked as CVE-2023-27532. The vulnerability allows a third party to obtain the credentials stored in the VeeamVBR configuration database and abuse them to gain access to hosts in the backup infrastructure. For those unable to apply the security fix immediately, the vendor recommends blocking external connections to TCP port 9401 in the backup server firewall.

Security overlooked in Bitwarden?

Flashpoint has reported an issue in Bitwarden's credential autofill feature that could allow bad actors to embed malicious iframes in trusted websites and harvest user credentials. Surprisingly, Bitwarden initially learned of the security issue in 2018 but chose to accommodate it so that legitimate sites could continue using iframes. Studying the issue further, researchers came across another issue: Bitwarden also auto-fills credentials on subdomains of the base domain that matches a stored login.
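To show why the two behaviours above matter, here is an added illustration (not Bitwarden's code or its actual matching logic) of a password-manager autofill decision that checks both the top-level page and the frame requesting the fill against a saved login under two hypothetical matching policies, `base_domain` and `host`. The base-domain helper deliberately uses the last two labels only; a real implementation would consult the Public Suffix List.

```python
from urllib.parse import urlsplit


def base_domain(host: str) -> str:
    """Simplified registrable domain: last two labels (assumption; ignores
    multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def url_matches(saved_url: str, page_url: str, policy: str) -> bool:
    """Hypothetical matching policies: 'host' requires the exact hostname,
    'base_domain' accepts any subdomain of the same base domain."""
    saved, page = host_of(saved_url), host_of(page_url)
    if policy == "host":
        return saved == page
    if policy == "base_domain":
        return base_domain(saved) == base_domain(page)
    raise ValueError(f"unknown policy {policy!r}")


def should_autofill(saved_url: str, top_url: str, frame_url: str, policy: str) -> bool:
    """Defensive rule: fill only when BOTH the top-level document and the
    frame that will receive the credentials match the saved login. Checking
    only the top-level page would let a foreign iframe on a trusted site
    receive the fill."""
    return url_matches(saved_url, top_url, policy) and url_matches(saved_url, frame_url, policy)


def demo() -> dict:
    """Constructed scenarios. 'user-pages.example.com' stands in for a subdomain
    of the same base domain that a different party could control."""
    saved = "https://login.example.com/"
    trusted_top = "https://login.example.com/"
    sibling_frame = "https://user-pages.example.com/form"
    return {
        "same_host": should_autofill(saved, trusted_top, trusted_top, "host"),
        "sibling_frame_base_domain": should_autofill(saved, trusted_top, sibling_frame, "base_domain"),
        "sibling_frame_host": should_autofill(saved, trusted_top, sibling_frame, "host"),
        "sibling_top_base_domain": should_autofill(saved, sibling_frame, sibling_frame, "base_domain"),
        "sibling_top_host": should_autofill(saved, sibling_frame, sibling_frame, "host"),
    }
```

Under the `base_domain` policy the sibling subdomain receives the saved credentials both as an embedded frame and as a top-level page; the `host` policy refuses both.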