Cyware Daily Threat Intelligence

Daily Threat Briefing • Nov 3, 2023
Cisco published nearly two dozen advisories for several of its network security products, including a critical command injection bug, CVE-2023-20048, in Firepower Management Center (FMC). In a separate warning, Cisco also highlighted three vulnerabilities discovered in its Identity Services Engine (ISE), which attackers could abuse for arbitrary file upload and denial-of-service attacks. The threat of supply chain attacks within open-source environments has soared once again with 48 newly found malicious packages in the npm ecosystem. These contained obfuscated JavaScript code designed to trigger a reverse shell during package installation.
Moving on. A cyberattack wave was found using SharePoint to distribute the multifaceted DarkGate malware, which exploits Microsoft Teams and SharePoint vulnerabilities. DarkGate has gained notoriety among cybercriminals for its versatile feature set, including HVNC, keylogging, data theft, and the ability to download additional payloads.
Russian cybercrime service hacked
A major Russia-based cybercrime service for laundering stolen goods, SWAT USA Drop Service, suffered a breach, exposing internal operations, finances, and structure. The service relies on over 1,200 people across the United States, knowingly or unknowingly involved in reshipping expensive consumer goods bought with stolen credit cards, and enables cybercriminals to cash out by reselling these goods in regions flagged for credit card fraud. Operators typically recruit these people through job boards.
BlackCat ransomware strikes healthcare giant
The BlackCat ransomware group allegedly infiltrated the networks of Henry Schein, a major healthcare solutions provider, to seize 35 TB of sensitive data. The cyberattack forced the Fortune 500 company to temporarily disable some systems. The group asserted that it had re-encrypted the company's devices after a failed negotiation with the victim firm, which had nearly completed system restoration. The attackers have also threatened to release internal payroll and shareholder data on a daily basis.
Data of Okta employees and dependents exposed
A data breach affected nearly 5,000 current and former Okta employees and their dependents after a cyberattack on Rightway Healthcare, a third-party provider used by Okta for healthcare services. The breach occurred on September 23, and the compromised data included names, SSNs, and health insurance plan numbers. Okta clarified that the incident does not impact its services or customer data and that its services remain secure.
DarkGate operators exploit SharePoint
Netskope Threat Labs observed a surge in cyberattacks utilizing SharePoint as a delivery platform for the DarkGate malware. DarkGate, a versatile and evolving threat, offers features like keylogging, information theft, and hidden VNC capabilities. The attack campaign leverages vulnerabilities in Microsoft Teams and SharePoint, posing a significant risk. The attack typically begins with a phishing email containing a fake invoice and leads to the download of malicious files.
Reverse shell threat concealed in npm packages
Security firm Phylum has uncovered 48 malicious packages in the npm repository. These counterfeit packages, attributed to an npm user named hktalent, deploy a reverse shell on compromised systems post-installation. The packages rely on an installation hook in the package.json file, which executes JavaScript code to establish a reverse shell connection to rsh.51pwn[.]com. This would provide attackers with unauthorized access to compromised systems, potentially leading to further exploitation and data breaches.
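The defensive takeaway from the npm item is that install-time hooks in package.json deserve review before a package is trusted. The script below is an added example written for this briefing; it is not code from Phylum, Cyware, or the npm project. The package names, the stand-in install script, and the indicator list are all constructed for illustration, and the "lookalike-utils" package and rsh-style payload do not exist.

```python
import json
import re

# npm lifecycle hooks that run automatically during `npm install`; code wired
# into them executes on every machine that installs the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of install-time code that does more than build a
# native addon. Constructed for this example; tune for your own environment.
INDICATORS = {
    "inline_node_eval": re.compile(r"\bnode\s+-e\b"),
    "remote_fetch": re.compile(r"\b(curl|wget)\b"),
    "shell_spawn": re.compile(r"\b(sh|bash)\s+-c\b"),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "base64_blob": re.compile(r"[A-Za-z0-9+/]{40,}={0,2}"),
    "child_process": re.compile(r"\bchild_process\b"),
    "raw_socket": re.compile(r"\bnet\.(connect|Socket|createConnection)\b"),
}

# A script file referenced from a hook command, e.g. "node index.js".
SCRIPT_REF = re.compile(r"[\w./-]+\.[cm]?js\b")


def _scan(text: str) -> list[str]:
    """Names of every indicator that matches the given text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit_package(manifest_text: str, files: dict[str, str]) -> list[dict]:
    """Report every install-time hook declared in a package.json.

    `files` maps package-relative paths to file contents, so a hook such as
    `node index.js` is followed into the script it runs. Severity is "high"
    when any indicator matches the command or the referenced script, and
    "info" otherwise (a hook exists and still deserves a look).
    """
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        hits = set(_scan(command))
        for path in SCRIPT_REF.findall(command):
            body = files.get(path.removeprefix("./"))
            if body is not None:
                hits.update(_scan(body))
        findings.append({
            "package": name,
            "hook": hook,
            "command": command,
            "indicators": sorted(hits),
            "severity": "high" if hits else "info",
        })
    return findings


# Constructed samples for this example (not real packages).
BENIGN_MANIFEST = json.dumps({
    "name": "native-addon-example",
    "version": "1.0.0",
    "scripts": {"postinstall": "node-gyp rebuild", "test": "mocha"},
})

SUSPECT_MANIFEST = json.dumps({
    "name": "lookalike-utils",
    "version": "0.0.1",
    "scripts": {"install": "node index.js"},
})

# Constructed, non-functional stand-in for an obfuscated install script. It
# has the shape a reviewer would flag (child_process import plus eval of a
# base64 blob); the blob decodes to plain letters and digits, not code.
SUSPECT_FILES = {
    "index.js": (
        'const net = require("net"), cp = require("child_process");\n'
        'const blob = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVm";\n'
        'eval(Buffer.from(blob, "base64").toString());\n'
    ),
}


if __name__ == "__main__":
    for manifest, files in ((BENIGN_MANIFEST, {}), (SUSPECT_MANIFEST, SUSPECT_FILES)):
        for f in audit_package(manifest, files):
            print(f"[{f['severity']}] {f['package']} {f['hook']}: "
                  f"{f['command']} {f['indicators']}")
```

Run against an unpacked tarball (`npm pack` then extract) rather than an installed copy, so the hooks never execute during review. Pattern matching is a triage aid, not a verdict: a "high" finding means a human reads the script, and an "info" finding on a package with no native code is itself unusual. For environments that cannot review every dependency, `npm install --ignore-scripts` prevents lifecycle hooks from running at all, at the cost of breaking packages that legitimately compile native addons at install time.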
Atlassian's Confluence bug requires immediate patching
Software vendor Atlassian revealed that a public exploit has been published for a critical vulnerability found in the popular Confluence workspace tool. The flaw, CVE-2023-22518, is listed as an improper authorization vulnerability affecting all versions of Confluence Data Center and Server. Although no in-the-wild exploitation has been reported so far, Atlassian emphasized the need for immediate patching. The vulnerability could potentially allow an attacker to wipe data in affected Confluence environments, making it a significant threat.
Cisco patches dozens of flaws
Cisco issued software updates to address 27 vulnerabilities in its Adaptive Security Appliance (ASA), Firepower Management Center (FMC), and Firepower Threat Defense (FTD) products. These vulnerabilities were described in 22 security advisories, which cover critical, high, and medium-severity flaws. Separately, Cisco revealed multiple vulnerabilities in its Identity Services Engine, tagged with CVEs CVE-2023-20195, CVE-2023-20196, and CVE-2023-20213, relating to arbitrary file upload and denial of service.