Cyware Daily Threat Intelligence
Daily Threat Briefing • May 25, 2023
Threat actors are sharpening their arsenal for abusing misconfigured web applications. The developers of the Legion malware have released an enhanced version that targets misconfigured servers and steals Amazon Web Services (AWS) credentials linked to the CloudWatch and DynamoDB services. A cross-site scripting (XSS) vulnerability in a popular WordPress plugin, installed on more than 40,000 websites, is also under active attack. In parallel, security researchers uncovered a pair of critical bugs affecting Zyxel firewall and VPN products.
Ransomware operators are taking shortcuts too: the actors behind Buhti have dropped their own encryptor and now build payloads from the leaked LockBit and Babuk source code.
Operation Magalenha in Portugal
Brazilian cybercriminals have targeted customers of dozens of Portuguese financial institutions this year in a campaign SentinelLabs calls Operation Magalenha. The goal is to harvest banking credentials and personal details that can be reused for fraud later. The actors deploy two variants of a backdoor collectively dubbed PeepingTitle. The campaign is believed to be connected to cybercrime activity observed since at least 2021.
Illinois healthcare facility exposed PHI
Unauthorized access to the network of Morris Hospital & Healthcare Centers in Illinois may have exposed patients' protected health information (PHI). Morris Hospital says the investigation is still in progress and is focused on identifying the specific files on the affected servers; it has not yet determined what other sensitive data was compromised in the incident.
Latest iteration of Legion
An updated version of Legion, a Python-based credential-harvesting tool aimed at cloud services that extracts credentials from vulnerable web servers, has surfaced. The new variant incorporates the Paramiko module to exploit SSH servers and can now retrieve AWS credentials associated with CloudWatch, DynamoDB, and AWS Owl from Laravel web applications.
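A defender-side check for the misconfiguration Legion feeds on, added here as an example; it is not code from the briefing or from Legion. It assumes the exposure is a Laravel .env file served over HTTP (the briefing only says "misconfigured web servers" and "Laravel web applications"; the file name is my assumption). The parser reads a response body, decides whether it looks like a Laravel .env, and lists the variables that carry AWS credential material. All inputs are constructed; the access key is Amazon's documented example key, not a real credential.

```python
import re

# Added example, not from the Cyware briefing or from Legion itself.
# Assumption: the abused misconfiguration is a Laravel .env file that the web
# server returns for GET /.env, so the checks below run on a fetched body.
# All sample data is constructed; the AWS key is Amazon's documented example key.

AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_SUFFIXES = ("KEY", "KEY_ID", "SECRET", "TOKEN")

SAMPLE_ENV = """\
APP_NAME=Shop
APP_ENV=production
APP_KEY=base64:Q29uc3RydWN0ZWRTYW1wbGVLZXlOb3RSZWFsMTIzNA==
DB_PASSWORD="hunter2"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_DEFAULT_REGION=us-east-1
# MAIL_PASSWORD=unset
"""

SAMPLE_404 = "<html><body><h1>404 Not Found</h1></body></html>"


def parse_env(body: str) -> dict[str, str]:
    """Minimal dotenv parser: KEY=VALUE per line, '#' comments, optional quotes."""
    env: dict[str, str] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def find_exposed_aws_secrets(body: str) -> list[str]:
    """Names of variables that carry AWS credential material, sorted."""
    hits = set()
    for key, value in parse_env(body).items():
        if not value:
            continue
        # name heuristic: AWS_* variables whose suffix marks a secret
        if key.startswith("AWS_") and key.endswith(SECRET_SUFFIXES):
            hits.add(key)
        # value heuristic: an access key ID under any variable name
        elif AWS_KEY_ID_RE.search(value):
            hits.add(key)
    return sorted(hits)


def assess_env_response(status: int, body: str) -> dict:
    """Classify the response to GET /.env on a host you are authorized to test."""
    env = parse_env(body)
    is_laravel = "APP_KEY" in env or "APP_ENV" in env
    return {
        "exposed": status == 200 and is_laravel,
        "laravel": is_laravel,
        "aws_keys": find_exposed_aws_secrets(body) if status == 200 else [],
    }


if __name__ == "__main__":
    print(assess_env_response(200, SAMPLE_ENV))
    print(assess_env_response(404, SAMPLE_404))
```

Run it against the body returned by `curl -s https://your-host/.env` for hosts you own; a `200` with `APP_KEY` present means the file is reachable regardless of whether AWS keys show up, and any key it does list should be rotated, not just hidden.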
Ransomware goes the easy way
Symantec researchers observed that the operators behind the emerging Buhti ransomware have apparently abandoned their own custom payload in favor of leaked builds of LockBit (for Windows) and Babuk (for Linux). The group has previously exploited vulnerabilities in Zoho ManageEngine, IBM's Aspera Faspex file-exchange application, and PaperCut servers to gain initial access.
Zero-day addressed in Barracuda ESG
Barracuda Networks patched a zero-day flaw in its Email Security Gateway (ESG) appliances. Tracked as CVE-2023-2868, the flaw resides in the module that screens incoming email attachments. NIST describes it as an input validation issue in the handling of user-supplied TAR files that could allow a remote attacker to gain unauthorized access to affected systems.
WordPress plugin bug under attack
An XSS flaw in Beautiful Cookie Consent Banner, a WordPress cookie consent plugin, is being exploited in the wild. The vulnerability lets attackers inject JavaScript that runs in the browsers of visitors to vulnerable sites, which can lead to unauthorized access, data theft, or other malicious activity. The plugin has more than 40,000 active installations.
High severity flaw hits GitLab
GitLab issued an emergency update, version 16.0.1, to address a path traversal vulnerability rated at the maximum CVSS severity of 10.0. The bug, tracked as CVE-2023-2825, affects GitLab Community Edition (CE) and Enterprise Edition (EE) version 16.0.0; older versions are not affected. It can expose sensitive data on the server, such as proprietary source code, user credentials, files, tokens, and other private data.
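The Barracuda and GitLab items above both come down to the same two checks: validating archive member names before an untrusted TAR file is processed, and keeping every resolved path inside the directory it is supposed to land in. The following is an added example of those checks, written for this briefing; it is not Barracuda's or GitLab's code and makes no claim about how either CVE is actually triggered. It assumes POSIX paths and a fixed base directory (`/srv/extract`, my choice), and the archive it audits is constructed in memory.

```python
import io
import os
import re
import tarfile

# Added example, not Barracuda's or GitLab's code. It audits a TAR file without
# extracting it: member names are validated, and each resolved path (including
# link targets) is checked for containment in BASE. POSIX paths assumed; BASE
# and the archive contents below are constructed samples.

BASE = "/srv/extract"
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def member_problems(member: tarfile.TarInfo, base: str = BASE) -> list[str]:
    """Reasons this member must not be extracted; an empty list means it is clean."""
    problems: list[str] = []
    name = member.name
    if os.path.isabs(name):
        problems.append("absolute path")
    # normpath collapses "." and ".." so the containment test sees the real target
    target = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        problems.append("path traversal")
    if member.issym() or member.islnk():
        # symlinks resolve relative to their own directory, hard links to the archive root
        anchor = os.path.dirname(target) if member.issym() else base
        link_target = os.path.normpath(os.path.join(anchor, member.linkname))
        if os.path.commonpath([base, link_target]) != base:
            problems.append("link escapes base")
    elif not (member.isfile() or member.isdir()):
        problems.append("unsupported member type")  # devices, FIFOs
    if SHELL_META.search(name):
        # archives are often handed to other tools by file name; refuse names a shell
        # could interpret (a general precaution, not a statement about CVE-2023-2868)
        problems.append("shell metacharacters")
    return problems


def audit_tar(data: bytes, base: str = BASE) -> dict[str, list[str]]:
    """Map every member name to its problems; nothing is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        return {m.name: member_problems(m, base) for m in tf.getmembers()}


def safe_to_extract(data: bytes, base: str = BASE) -> bool:
    """True only when no member has any problem."""
    return all(not problems for problems in audit_tar(data, base).values())


def build_sample_tar() -> bytes:
    """Constructed archive: one benign member plus several hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/readme.txt", "../../etc/cron.d/evil",
                     "/etc/passwd", "reports/$(id).pdf"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tf.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("docs/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc/shadow"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, problems in audit_tar(build_sample_tar()).items():
        print(f"{name!r}: {problems or 'ok'}")
```

Auditing first and extracting only when `safe_to_extract` returns true is the point: `tarfile.extractall` with no filter will happily write `/etc/passwd` or follow a symlink out of the base directory, and a file name that reaches a shell unquoted is a separate problem from where the file lands.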
Pair of bugs in Zyxel firewall and VPN products
Multiple Zyxel firewall and VPN products are affected by two critical security holes, tracked as CVE-2023-33009 and CVE-2023-33010. Both are buffer overflow flaws that an unauthenticated attacker can trigger; successful exploitation can result in denial-of-service (DoS) conditions or remote code execution (RCE) on the affected devices.