Cyware Daily Threat Intelligence

Daily Threat Briefing • Nov 9, 2023
Another day, another report on zero-day exploitation. This time, it’s SysAid IT service management software. It has been found that the Lace Tempest threat actor exploited a path traversal flaw in the software to launch attacks. Hence, organizations using the software are urged to update to the latest version to stay safe. Along the same line, the CISA has updated its KEV catalog with a high-severity flaw affecting the SLP protocol, which indicates active exploitation of the vulnerability.
In a newly discovered threat, the MuddyWater group has shifted to a new malware framework, replacing the PhonyC2 framework, to launch recent attacks. Dubbed MuddyC2Go, it is used to generate PowerShell payloads that can be used to conduct post-exploitation activities.
Sberbank hit by one million RPS DDoS attack
Russian financial organization Sberbank disclosed that two weeks ago it suffered the most powerful DDoS attack it had ever experienced. The attack reached one million requests per second, roughly four times the size of the most powerful DDoS attacks that Sberbank had experienced up until then. Hacktivists from the ‘DumpForums’ group and the Ukrainian Cyber Alliance took responsibility for the attack while claiming to have stolen 31GB of data.
OpenAI suffers DDoS attacks
OpenAI confirmed that it suffered periodic outages due to DDoS attacks on its API and ChatGPT services. While the company is in the process of restoring the affected services, a threat actor known as Anonymous Sudan has taken to its Telegram channel to claim responsibility. It further added that the Skynet botnet was used to launch attacks.
Zhefengle exposes 3.3 million order details
An unprotected database belonging to Zhefengle, a China-based e-commerce store for importing goods from overseas, was found leaking more than 3.3 million order details placed by Chinese citizens between 2015 and 2020. The leaked order details also included shipping addresses, phone numbers, and government-issued identity card numbers. Many of the orders also included uploaded copies of the customers’ identity cards.
MuddyC2Go framework from MuddyWater
The Iran-based MuddyWater threat actor has added a new C2 framework called MuddyC2Go to its arsenal. Written in the Go language, the framework is responsible for generating PowerShell payloads that can be used to conduct post-exploitation activities. Researchers believe that the framework may have existed since 2020, replacing the PhonyC2 framework in recent attacks.
Malvertising campaign spreads RedLine Stealer
Threat actors are leveraging a Windows news portal to promote a malicious installer for the popular processor information tool CPU-Z. As part of the attack, the targeted victim is redirected to a download page that serves a digitally signed MSIX installer to evade detection. Once the user runs the installer, a malicious PowerShell script named FakeBat is executed on the system, which in turn downloads RedLine Stealer.
CISA adds SLP flaw to its KEV catalog
The CISA added a high-severity flaw in the Service Location Protocol (SLP) to its KEV catalog, citing evidence of active exploitation. Tracked as CVE-2023-29552, the flaw has a CVSS score of 7.5 and can be weaponized to launch massive DDoS amplification attacks. The exact details surrounding the nature of exploitation are currently unknown.
Zero-day SysAid vulnerability exploited
Widespread exploitation of a zero-day vulnerability (CVE-2023-47246) affecting SysAid IT service management software has come to the notice of researchers. A threat actor named Lace Tempest (aka DEV-0950) has been found exploiting the flaw in a recent attack. Updating its customers about the attack, the firm also stated that the flaw has been addressed in version 23.3.36 of the software.
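The SysAid item above refers to a path traversal flaw without describing it. As an added, generic illustration of that vulnerability class (this is not SysAid's code, the actual CVE-2023-47246 request pattern, or anything from the briefing), the following Python snippet flags web-server request paths that try to escape an expected base directory, including URL-encoded and double-encoded forms. The sample log lines, client IPs and the `/app/files/` base path are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /app/files/report.pdf HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/files/../../etc/passwd HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/files/..%2f..%2fweb.config HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/files/%2e%2e/%2e%2e/win.ini HTTP/1.1" 404',
    '10.0.0.7 - - "GET /app/files/2023/..report.pdf HTTP/1.1" 200',
]


def extract_path(log_line):
    # Pull the request target ("GET <path> HTTP/1.1") out of the quoted request field.
    start = log_line.index('"') + 1
    request = log_line[start:log_line.index('"', start)]
    return request.split()[1]


def decode_fully(path, max_rounds=3):
    # Percent-decode repeatedly so double-encoded sequences (e.g. %252e) are caught too.
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path, base="/app/files/"):
    # Normalize the decoded path and check whether it escapes the expected base.
    decoded = decode_fully(path).replace("\\", "/")
    has_dotdot = ".." in decoded.split("/")          # explicit parent-directory hops
    normalized = posixpath.normpath(decoded)         # collapse "." and ".." segments
    escapes = normalized != base.rstrip("/") and not normalized.startswith(base)
    return has_dotdot or escapes


def flag_suspicious(lines, base="/app/files/"):
    # Return (client_ip, raw_path) for every line whose path looks like traversal.
    hits = []
    for line in lines:
        path = extract_path(line)
        if is_traversal(path, base):
            hits.append((line.split()[0], path))
    return hits


if __name__ == "__main__":
    for ip, path in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {path}")
```

Run over the constructed log, this flags three of the five lines and leaves the legitimate `..report.pdf` filename alone, because a literal `..` path segment, not merely the substring, is what matters. A 200 response on a flagged line is the one to investigate first; 404s still document the attempt.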