
Cyware Daily Threat Intelligence

Daily Threat Briefing May 2, 2023

In the wake of cybercriminals increasingly attempting to break into iOS, iPadOS, and macOS devices, and with a few exploits reported in the past weeks, Apple has released its first-ever Rapid Security Response (RSR) update to users. The rollout will be completed within 48 hours of the announcement. In another vein, a North Korean hacking group was observed infecting the devices of Korean-speaking individuals with the RokRAT malware. While the malware itself has not changed significantly over time, its deployment techniques have progressed.

Watch out for bugs in TP-Link, Apache Log4j2, and Oracle WebLogic Server that are under active exploitation by different cybercriminal groups, warns CISA. FCEB agencies are required to apply vendor-provided fixes by May 22, 2023.

Top Breaches Reported in the Last 24 Hours

T-Mobile’s second hack this year

Cybercriminals reportedly accessed the personal information of 837 customers of T-Mobile for more than a month. According to T-Mobile, although the attackers could not access call records or financial account information, the exposed PII includes sufficient data to facilitate identity theft or phishing attacks. Impacted data may contain full name, contact information, T-Mobile account PIN, SSN, government ID, and more.

Education platform suffers breach

The Royal ransomware gang apparently crippled the IT networks of public school management and virtual learning provider Edison Learning. The criminals made a dark web post about the data leak, claiming to have pilfered 20GB of the firm's information, including the personal details of staff and pupils. The gang has warned that it will release the data early next week.

Russian ransomware group hits law firm

Australian law firm HWL Ebsworth may have been targeted by the BlackCat (aka ALPHV) ransomware group. The criminals have announced on their leak site that they stole 4TB of company data, such as employee CVs, IDs, financial reports, credit card information, accounting data, client documentation, and a comprehensive network map.

Top Malware Reported in the Last 24 Hours

North Korean actors drop RokRAT malware

ScarCruft, a North Korean threat group, has been attempting to deliver the RokRAT malware since July 2022 using oversized LNK files. Variants of the malware also target macOS (CloudMensis) and Android (RambleOn), implying that the criminals are actively developing and maintaining it. The variants are equipped to carry out a range of activities such as credential theft, data exfiltration, command and shellcode execution, file and directory management, and more.

Malware/spyware for surveillance

The law enforcement command of the Islamic Republic of Iran (FARAJA) is allegedly deploying a malware strain known as BouldSpy by physically installing it on the devices of selected individuals. As per reports, it has been in use since at least 2020 and has claimed more than 300 victims to date. The malware serves the purpose of snooping on the activities of minority groups in the country.

Top Vulnerabilities Reported in the Last 24 Hours

Apple releases rapid security updates

Apple released its initial set of rapid security patches that are publicly available and designed to promptly address security issues that are either currently being exploited or pose a significant risk to its customers. Users with iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 will receive the update. Apple has stated that the fixes will be incorporated into future software updates.

CISA adds three flaws to KEV

CISA, based on proof of active exploitation, has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, affecting TP-Link, Apache Log4j2, and Oracle WebLogic Server. CVE-2023-1389 is a command injection vulnerability with a CVSS score of 8.8 in the TP-Link Archer AX-21. CVE-2021-45046 is a deserialization of untrusted data bug with a CVSS score of 9.0 in Apache Log4j2. CVE-2023-21839 is an unspecified vulnerability with a CVSS score of 7.5 in Oracle WebLogic Server.
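As an added illustration, not part of the Cyware briefing, the Python below shows how a defender turns a KEV addition like this one into a remediation queue: it parses a feed in the shape of CISA's public KEV JSON, matches entries against an asset inventory, and ranks them by days left before the due date and by CVSS. The feed sample is constructed inline (its `dateAdded` values are chosen so they line up with the May 22, 2023 due date quoted above), the CVSS scores are the ones stated in the briefing, and the `INVENTORY` set is an assumed asset list.

```python
"""KEV deadline triage: rank catalog entries by remediation deadline and severity."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names
# (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) follow the
# public catalog; the entries are the three additions from the briefing and the
# dateAdded values are constructed to match the May 22, 2023 due date.
SAMPLE_KEV_JSON = """
{
  "catalogVersion": "sample",
  "vulnerabilities": [
    {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX-21",
     "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-45046", "vendorProject": "Apache", "product": "Log4j2",
     "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2023-21839", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2023-05-01", "dueDate": "2023-05-22",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# CVSS base scores as quoted in the briefing; the KEV feed itself carries no CVSS.
CVSS_BY_CVE = {"CVE-2023-1389": 8.8, "CVE-2021-45046": 9.0, "CVE-2023-21839": 7.5}

# Assumed asset inventory: (vendorProject, product) pairs this organisation runs.
INVENTORY = {("Apache", "Log4j2"), ("Oracle", "WebLogic Server")}


def load_kev(raw_json):
    """Parse a KEV-style feed into dicts with real date objects."""
    entries = []
    for v in json.loads(raw_json)["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"],
            "vendor": v["vendorProject"],
            "product": v["product"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
            "action": v.get("requiredAction", ""),
        })
    return entries


def triage(entries, inventory, cvss_by_cve, today):
    """Keep entries whose vendor/product is in the inventory and annotate each with
    days left until the due date (negative means overdue) and its CVSS score.
    Ordered by fewest days left, then highest CVSS."""
    hits = []
    for e in entries:
        if (e["vendor"], e["product"]) not in inventory:
            continue
        days_left = (e["due"] - today).days
        hits.append({**e, "days_left": days_left, "overdue": days_left < 0,
                     "cvss": cvss_by_cve.get(e["cve"])})
    hits.sort(key=lambda h: (h["days_left"], -(h["cvss"] or 0.0)))
    return hits


def summarize(hits):
    """Render one line per hit for a ticket or daily report."""
    lines = []
    for h in hits:
        state = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        lines.append(f"{h['cve']} {h['vendor']} {h['product']} "
                     f"CVSS={h['cvss']} due={h['due'].isoformat()} ({state})")
    return lines


if __name__ == "__main__":
    today = date(2023, 5, 10)  # constructed "today" for a stand-alone run
    for line in summarize(triage(load_kev(SAMPLE_KEV_JSON), INVENTORY, CVSS_BY_CVE, today)):
        print(line)
```

Feeding the real catalog instead of the sample means replacing `SAMPLE_KEV_JSON` with the downloaded feed and `INVENTORY` with the organisation's own asset data; the TP-Link entry is dropped here only because the assumed inventory does not list that product.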

TBK DVR devices at risk

FortiGuard Labs is said to have recorded hacking attempts against TBK DVR devices that exploit CVE-2018-9995, an authentication bypass bug. The five-year-old flaw stems from the mishandling of a maliciously crafted HTTP cookie. An attacker may abuse the bug to obtain administrative privileges and ultimately access camera video feeds. Over 50,000 unique IPS detections were recorded last month.
