Cyware Daily Threat Intelligence
Daily Threat Briefing • Mar 9, 2023
Cybercriminals know that CI/CD automation servers sit at the heart of the software development workflow, so a weakness there has an outsized impact. Researchers have found flaws in the way Jenkins handles the list of available plugins that could lead to XSS and, through it, RCE on the server. The 8220 Gang is back with a new crypter. Named ScrubCrypt, the tool is openly sold on an underground marketplace, so its reach extends well beyond one group, and organizations running unpatched Oracle WebLogic servers are the immediate targets.
Fortinet has also reported a critical flaw that gives an unauthenticated remote attacker access to affected devices. Rated 9.3 out of 10, the vulnerability lies in the FortiOS and FortiProxy administrative interface and can be triggered with specifically crafted requests if the device is not patched in time.
Medusa adds MPS as its victim
The Minneapolis Public Schools (MPS) district has reportedly fallen victim to a Medusa ransomware attack, and the gang is threatening to publish all of the stolen data by March 17 unless a ransom of one million dollars is paid. The threat actors behind the ransomware have listed MPS as a victim on their Tor data leak site. The district, meanwhile, has announced that it does not plan to pay.
Hackers raid health insurance marketplace
DC Health Link, the online health insurance marketplace used by members of Congress and residents of Washington, D.C., appears to have suffered a breach. A hacker was found offering stolen customer data for sale on a public forum, and federal investigators were reportedly able to purchase data belonging to members of Congress from that forum.
Remcos in top 10 malware list
Check Point's Global Threat Index for February 2023 places the Remcos trojan back among the top ten malware threats. Remcos re-entered the top 10 for the first time since December 2022, driven by phishing campaigns against Ukrainian government entities. In one recent campaign, attackers posed as Ukrtelecom JSC and used a malicious RAR attachment to deliver the trojan.
ScrubCrypt by 8220 Gang
The Chinese-speaking 8220 Gang deployed the new ScrubCrypt payload by exploiting an Oracle WebLogic Server through a specific URI between January and February 2023, according to security researchers at Fortinet. ScrubCrypt is a crypter whose seller advertises that it "secures" applications with a unique BAT packing technique, which in practice wraps the payload so that it evades detection. It was found on sale on dark web forums, so other threat actors can use it as well.
CloudBees bugs in Jenkins server
Aqua Nautilus researchers uncovered a chain of vulnerabilities in Jenkins that can lead to full compromise of the server. Dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905), the bugs affect the Jenkins Server and the Jenkins Update Center: plugin metadata served by the Update Center was rendered in the server's plugin manager without proper sanitization, giving a stored XSS that can be escalated to arbitrary code execution on the server. Because the Jenkins controller itself pulls that metadata from the public Update Center, self-hosted servers that are not reachable from the internet are also exposed. Administrators should update to a fixed Jenkins release.
Fortinet fixes over a dozen bugs
Fortinet has addressed 15 security flaws across its range of products. Experts stress urgently patching a critical vulnerability that could let threat actors take control of affected FortiOS and FortiProxy devices. Tracked as CVE-2023-25610, the flaw is a buffer underwrite (buffer underflow) in the administrative interface that an unauthenticated remote attacker can trigger with crafted requests, leading to RCE or a DoS condition. As workarounds until the patch is applied, Fortinet recommends disabling the HTTP/HTTPS administrative interface or restricting, via local-in policies, which IP addresses can reach it.
Veeam discloses critical bug
All versions of Veeam's Backup & Replication software are affected by a high-severity flaw tracked as CVE-2023-27532. The vulnerability allows an unauthenticated party that can reach the backup server to obtain the encrypted credentials stored in the VeeamVBR configuration database and abuse them to gain access to hosts in the backup infrastructure. For those unable to apply the security fix immediately, the vendor recommends blocking external connections to TCP port 9401 in the backup server's firewall.
Security overlooked in Bitwarden?
Flashpoint has reported an issue in Bitwarden's credential autofill feature: when a trusted website embeds an iframe from another origin, Bitwarden autofills the login form inside that iframe with the credentials saved for the parent page, so an attacker who can inject an iframe into a trusted site can harvest user credentials. Bitwarden has known about this behaviour since 2018 and kept it so that legitimate sites that host their login forms in iframes keep working. Studying the issue further, the researchers found a second problem: with the default base-domain match detection, Bitwarden also autofills credentials on any subdomain of the base domain of a saved login, which matters on hosts where untrusted users control subdomains.
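To make the two autofill decisions concrete, here is an added example in JavaScript that models them; it is not Bitwarden's code, and the tiny public-suffix list, the login entries and the URLs are constructed for the demonstration. The weak policy matches the saved login against the top-level page and fills every form on it, including forms inside third-party iframes. The hardened policy also checks the frame's own origin. The last scenario shows that the iframe check alone does not fix the subdomain problem; only a stricter match type (host instead of base domain) does.

```javascript
// Added example, not Bitwarden's implementation. Models how a URI match type and
// an iframe policy together decide whether a saved login is filled into a form.

// Constructed stand-in for the Public Suffix List; the real list is far larger.
const PUBLIC_SUFFIXES = new Set(["com", "io", "github.io"]);

const MatchType = { BASE_DOMAIN: "base_domain", HOST: "host" };

// Registrable ("base") domain: the label directly below the longest public suffix.
// "accounts.bank.com" -> "bank.com"; "alice.github.io" -> "alice.github.io".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname.toLowerCase();
}

// Does the saved URI match the given page URL under the chosen match type?
function uriMatches(storedUri, pageUrl, matchType) {
  const stored = new URL(storedUri);
  const page = new URL(pageUrl);
  if (matchType === MatchType.HOST) {
    return stored.host === page.host; // exact host (and port) match
  }
  // Default base-domain matching: any subdomain of the same registrable domain.
  return registrableDomain(stored.hostname) === registrableDomain(page.hostname);
}

// Weak policy: decide on the top-level page only, then fill every form in it,
// including forms that live inside iframes served from other origins.
function weakShouldFill(login, topUrl, _frameUrl) {
  return uriMatches(login.uri, topUrl, login.matchType);
}

// Hardened policy: the frame that actually contains the form must match the
// saved login as well, so a third-party iframe on a trusted page gets nothing.
function hardenedShouldFill(login, topUrl, frameUrl) {
  return (
    uriMatches(login.uri, topUrl, login.matchType) &&
    uriMatches(login.uri, frameUrl, login.matchType)
  );
}

// Evaluate both policies for one login and one top-page/frame pair.
function evaluate(login, topUrl, frameUrl) {
  return {
    weak: weakShouldFill(login, topUrl, frameUrl),
    hardened: hardenedShouldFill(login, topUrl, frameUrl),
  };
}

// Constructed scenarios (hypothetical hosts).
const bankLogin = { uri: "https://accounts.bank.com/login", matchType: MatchType.BASE_DOMAIN };
const hostLogin = { uri: "https://login.webhost.com/", matchType: MatchType.BASE_DOMAIN };
const hostLoginStrict = { ...hostLogin, matchType: MatchType.HOST };

const scenarios = [
  // Attacker iframe injected into a trusted bank page: weak fills, hardened does not.
  ["third-party iframe", bankLogin, "https://www.bank.com/", "https://cdn.evil.com/login.html"],
  // Legitimate same-site login iframe keeps working under both policies.
  ["first-party iframe", bankLogin, "https://www.bank.com/", "https://accounts.bank.com/embed"],
  // Attacker-controlled subdomain of a hosting provider: base-domain match fills anyway.
  ["subdomain, base-domain match", hostLogin, "https://mallory.webhost.com/", "https://mallory.webhost.com/"],
  // Same page with host matching: no fill.
  ["subdomain, host match", hostLoginStrict, "https://mallory.webhost.com/", "https://mallory.webhost.com/"],
];

for (const [name, login, top, frame] of scenarios) {
  console.log(name, evaluate(login, top, frame));
}
```

Run it with Node (the URL class is built in). The output pairs show why both changes matter: refusing cross-origin frames closes the iframe injection vector, while switching the match type to host closes the subdomain one.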