
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 3, 2022

A hacker group could impact over 250 news websites in the U.S. through a single attack on their common service provider: the hackers attempted to push SocGholish malware onto the systems of visitors to those websites. Separately, Sentinel Labs revealed overlapping TTPs, and other operational behavior, between the Black Basta ransomware operation and the financially motivated FIN7 group.

That’s not it! Security researchers are warning about a Gatsby vulnerability in its image CDN functionality. The flaw opened two routes for exploitation, allowing an attacker to steal secret keys or other sensitive data from the cloud metadata IP address.

Top Breaches Reported in the Last 24 Hours

Crypto-attack risks $28 million

Withdrawals on the cryptocurrency derivatives platform Deribit were halted in the aftermath of a hot wallet cyberattack on the firm. The platform’s hot wallet was compromised for $28 million worth of cryptocurrency; however, users’ funds are reportedly safe. The incident highlights the risk of hot wallets, which aren’t as secure as cold wallets, an official said.

Misconfiguration blurts out sensitive records

Urlscan[.]io, a website scanning and analysis engine, allegedly exposed a large amount of API data, including password reset links, DocuSign signing requests, setup pages, Telegram bots, meeting invitations, package tracking links, and PayPal invoices, in a leak incident. The investigation traced the issue to a misconfigured Security Orchestration, Automation, and Response (SOAR) playbook integrated with urlscan.io.

Hackers hobbled U.S. news websites

Researchers at Proofpoint discovered a threat actor the company tracks as TA569 targeting an unnamed media company with SocGholish malware. The victim firm caters to over 250 news outlets in the U.S. While the numbers could be higher, the affected regions include Boston, New York, Chicago, Miami, Palm Beach, Washington DC, and Cincinnati.

Vodafone Italy discloses breach

Customers of FourB S.p.A., a reseller of Vodafone services in Italy, have begun to receive breach notifications revealing that their subscription details, identity documents (containing PII), and other information were exposed. As per the notice, no account passwords or network traffic data were compromised.

Top Malware Reported in the Last 24 Hours

Emotet’s back after five months

After a hiatus of nearly five months, new Emotet malware infections have been detected by the Emotet research group Cryptolaemus. The malware is being distributed via phishing campaigns containing malicious Excel or Word documents. Once inside a compromised network, it can steal emails for spam campaigns and even drop additional payloads such as Cobalt Strike.

Black Basta and FIN7 are linked

According to Sentinel Labs, the Black Basta ransomware operation has ties to FIN7. Researchers noted that a FIN7 developer also authored the EDR evasion tools that Black Basta has used exclusively since June 2022. As further evidence, both groups used similar IP addresses and specific TTPs, although months apart.

Top Vulnerabilities Reported in the Last 24 Hours

Fortinet patches 16 flaws

Fortinet warned its customers about a total of 16 flaws affecting its products, six of them high severity. One of the bugs, affecting FortiTester, lets an attacker execute arbitrary commands. Another, in FortiSIEM, allowed an unauthenticated attacker to access the Glassfish server. The remaining high-severity flaws were stored and reflected XSS bugs impacting other Fortinet products.

High-severity bug in Gatsby

Gatsby, an open source React-based JavaScript framework, was found to host a critical bug in its Cloud Image CDN service. The vulnerability could allow attackers to carry out server-side request forgery (SSRF) or cross-site scripting (XSS) attacks against cloud-hosted Gatsby websites.
