
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 15, 2023

A critical authentication bypass bug has been found in the VMware Cloud Director (VCD) Appliance, and no patch is yet available. In the absence of an immediate fix, the firm urged users to follow the mitigation steps in its latest security advisory (VMSA-2023-0026). Along the same lines, administrators worldwide are urged to apply a sensitive Intel update that patches a privilege escalation vulnerability across multiple chip families. Dubbed Redundant Prefix, the bug affects current server and personal computer chips.

In a fresh finding, a cybersecurity expert warned of the growing threat from a versatile piece of malware known as SystemBC. Its steady adoption by notorious ransomware groups, with incidents recorded every year, poses a serious risk to security teams. Separately, law enforcement agencies dismantled the IPStorm botnet.

Top Breaches Reported in the Last 24 Hours

Virtual pharmacy platform suffered data breach

A hacking incident at Hayward-based virtual pharmacy Truepill affected 2.36 million patients. The firm reported that the breach occurred on October 30 and that threat actors accessed pharmacy management and fulfillment services files between August 30 and September 1. Compromised data included patient names, medication details, and demographic information; Social Security numbers were not affected. The incident has prompted at least six proposed federal class action lawsuits.

Logistic operations disrupted across Australian ports

A cyberattack on logistics giant DP World caused significant disruption at major Australian ports, affecting operations at terminals in Sydney, Melbourne, Fremantle, and Brisbane. The company disconnected its systems from the internet in response, and an estimated 30,000 shipping containers were affected. Although the incident bears the hallmarks of a ransomware attack, the company has not confirmed the details.

Casino user data exposed

Strendus, a major Mexican-licensed online casino, left 85 GB of authentication logs exposed to the internet. The data included usernames, names, government ID numbers, phone numbers, email addresses, home addresses, dates of birth, gender, KYC status, IP addresses used for registration and login, deposit and withdrawal amounts, and notes submitted by admins and customer support agents. The data remained publicly accessible for an extended period.

Top Malware Reported in the Last 24 Hours

FBI dismantles IPStorm botnet proxy service

The FBI, in collaboration with international partners, has dismantled the IPStorm botnet proxy service, a network that let cybercriminals route malicious traffic through compromised devices worldwide. Sergei Makinin, a Russian-Moldovan national, pleaded guilty to computer fraud charges related to IPStorm and faces a maximum prison sentence of 10 years. The botnet, operational since at least June 2019, allowed cybercriminals to anonymize their activities.

Malicious shortcut files impersonating public organizations

AhnLab detected a targeted campaign distributing malicious shortcut files disguised as emails from a public organization. The threat actor targets individuals working in the fields of Korean reunification and national security, using lures such as honorarium payments. The malware, delivered through HTML files, steals user information and downloads additional malware. The operation pairs legitimate Hangul Word Processor (HWP) documents with malicious shortcut (LNK) files.

Ransomware groups leverage SystemBC

SystemBC malware has been actively used by various ransomware groups since 2018 and remains consistently popular in underground markets, cybersecurity researcher REXor revealed. The versatile SystemBC (aka Coroxy or DroxiDat) functions as a proxy, bot, backdoor, and RAT, adapting to attackers' needs. Used by groups such as Conti, Ryuk, Hive, and Maze Team, the malware is deployed through diverse methods, including reconnaissance, lateral movement, and spear-phishing campaigns.

Top Vulnerabilities Reported in the Last 24 Hours

Authentication bypass flaw in VMware Cloud Director

VMware disclosed a critical and unpatched authentication bypass vulnerability, CVE-2023-34060, impacting the VCD Appliance. The flaw affects VCD Appliance 10.5 installations that were upgraded from the previous version. The bug can be exploited remotely by unauthenticated attackers without user interaction, posing a significant security risk. While VMware works on a patch, a temporary workaround involving the deployment of a custom script has been provided for affected versions.

Intel addressed privilege escalation bug

Intel issued an out-of-band security update (INTEL-SA-00950) to fix a privilege escalation bug affecting recent server and personal computer chips, including the Sapphire Rapids, Alder Lake, and Raptor Lake families. Designated "Redundant Prefix," the flaw was initially scheduled for a March 2024 patch, but the fix was expedited because of its potential for privilege escalation. Intel has published 31 advisories covering roughly 105 vulnerabilities.

SAP rolls out critical updates

SAP released six new and updated security notes on its November Patch Day, comprising two HotNews Notes and four Medium Priority Notes. Notably, SAP Security Note #3340576 received a minor update. The new HotNews Note, #3355658, addressed an improper access control vulnerability in SAP Business One's installation process that could expose SMB shared folders. Additionally, two Medium Priority Security Notes patched information disclosure vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform.

AMD fixes 27 security issues

AMD issued five security advisories covering a total of 27 vulnerabilities across various components, including a significant CPU flaw named CacheWarp (CVE-2023-20592). CacheWarp poses a risk to virtual machines (VMs) by potentially allowing attackers to hijack control flow, break into encrypted VMs, and escalate privileges. The vulnerability affects AMD Secure Encrypted Virtualization (SEV). The other advisories cover security holes in the AMD Secure Processor (ASP), the System Management Unit (SMU), and graphics drivers.

Microsoft patches zero-days

Microsoft has released security updates addressing 63 vulnerabilities in its software for November. Of these, three are rated Critical, 56 Important, and four Moderate. Three of the vulnerabilities are being actively exploited in the wild. Notable zero-days include CVE-2023-36025 (a Windows SmartScreen security feature bypass) and CVE-2023-36033 and CVE-2023-36036 (both Windows elevation of privilege flaws). CISA has also added the actively exploited bugs to its KEV catalog.

Critical SQL injection flaw in WP plugin

The WP Fastest Cache WordPress plugin, used by over a million sites to speed up page loads, has been found to contain a critical SQL injection flaw (CVE-2023-6063) that allows unauthenticated attackers to read a site's database contents. The flaw affects all versions prior to 1.2.2, and according to WordPress statistics more than 600,000 websites are still running a vulnerable version. An attacker exploiting the vulnerability could gain unauthorized access to sensitive information stored in the WordPress database.
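The briefing does not show the plugin's code, so the following is an added, hypothetical WordPress snippet (not from WP Fastest Cache or from Cyware) illustrating the vulnerability class: a request parameter concatenated straight into SQL next to the hardened form that uses $wpdb->prepare() placeholders and a capability and nonce check so unauthenticated visitors cannot reach the query at all. The function names demo_lookup_vulnerable and demo_lookup_hardened and the nonce action 'demo_lookup' are assumed.

```php
<?php
// Added example, not code from WP Fastest Cache or the briefing.
// Runs inside WordPress (uses the global $wpdb and core helpers).

// VULNERABLE pattern (for contrast only): the request value is concatenated
// into the SQL string, so the database parses attacker-controlled text as SQL
// and the query can be made to return rows the caller never intended.
function demo_lookup_vulnerable() {
    global $wpdb;
    $slug = isset( $_GET['slug'] ) ? $_GET['slug'] : '';
    $sql  = "SELECT option_value FROM {$wpdb->options} WHERE option_name = '" . $slug . "'";
    return $wpdb->get_var( $sql ); // untrusted input reaches the parser as SQL
}

// HARDENED pattern: authorization first, then a parameterised query.
// 1. current_user_can() closes the unauthenticated path entirely.
// 2. wp_verify_nonce() rejects forged cross-site requests.
// 3. $wpdb->prepare() with %s quotes and escapes the value, so the input
//    is treated as data and can never change the query's structure.
function demo_lookup_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_lookup' ) ) { // 'demo_lookup' is an assumed action name
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $slug = isset( $_GET['slug'] ) ? sanitize_text_field( wp_unslash( $_GET['slug'] ) ) : '';
    if ( '' === $slug || strlen( $slug ) > 191 ) { // option_name column is varchar(191)
        return new WP_Error( 'bad_input', 'Invalid slug.' );
    }

    $sql = $wpdb->prepare(
        "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s",
        $slug
    );
    return $wpdb->get_var( $sql );
}
```

For the flaw the briefing reports, the fix is simply to update the plugin to 1.2.2 or later; when auditing other plugins, the review check is any call to $wpdb->query(), get_var(), get_row() or get_results() whose SQL string is built with interpolation or concatenation of request data instead of passing through $wpdb->prepare().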
