Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 16, 2022
Leaked personal information is a potential treasure trove for cybercriminals. Recently, hundreds of databases on Amazon RDS were found exposing PII. Another incident where personal information was accidentally revealed came to light. This carelessness by the Suffolk police put hundreds of sexual assault victims’ information at risk.
In the past 24 hours, researchers have also reported several new malware threats, such as the DTrack backdoor, RapperBot, and BatLoader. While DTrack is used to target organizations in Europe and South America, RapperBot is leveraged to launch DDoS attacks on game servers, and BatLoader is distributed via compromised websites using SEO poisoning methods to infect users with various payloads.
In other news, a critical vulnerability was found impacting Spotify’s Backstage software catalog and developer portal platform, and a new attack technique was discovered that affects time-sensitive networking technology used by spacecraft and aircraft.
Amazon RDS instances leak user data
According to new findings, hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing PII, including names, phone numbers, email addresses, marital status, dates of birth, car rental information, and even company logins. The reason behind the leaks stems from a feature called public RDS snapshots, which allows the creation of a backup of the entire database environment running in the cloud and can be accessed by all AWS accounts.
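The exposure path above (a snapshot whose restore permission is shared with "all") is something an account owner can check for directly. The following is an added example, not code from the briefing or from AWS: it decides public-or-not from the response shape of RDS DescribeDBSnapshotAttributes, with constructed sample responses (the snapshot names are made up) so it runs offline; the boto3 call is confined to scan_account(), which assumes valid credentials.

```python
"""Flag Amazon RDS manual snapshots that are shared publicly.

A snapshot is public when its 'restore' attribute contains the literal
value 'all', which lets any AWS account copy or restore it. Example code
added alongside the briefing above, not part of the original page.
"""
from typing import Any, Dict, Iterable, List, Optional

PUBLIC_MARKER = "all"  # value AWS stores in the 'restore' attribute of a public snapshot


def public_snapshot_reason(attr_result: Dict[str, Any]) -> Optional[str]:
    """Return a short reason string if the snapshot is public, else None.

    `attr_result` is the 'DBSnapshotAttributesResult' mapping returned by
    describe_db_snapshot_attributes().
    """
    for attr in attr_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") != "restore":
            continue
        if PUBLIC_MARKER in attr.get("AttributeValues", []):
            ident = attr_result.get("DBSnapshotIdentifier", "<unknown>")
            return f"{ident}: restore shared with 'all' (public)"
    return None


def find_public_snapshots(results: Iterable[Dict[str, Any]]) -> List[str]:
    """Filter a list of attribute results down to the public ones."""
    return [r for r in (public_snapshot_reason(x) for x in results) if r]


# Constructed sample responses (names are invented): one public, one shared
# with a single account ID, one not shared at all.
SAMPLE_RESULTS = [
    {"DBSnapshotIdentifier": "prod-customers-2022-11-15",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "staging-copy",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "nightly-backup",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def scan_account(region: str = "us-east-1") -> List[str]:
    """Live check over this account's manual snapshots (needs AWS credentials)."""
    import boto3  # imported here so the offline sample above runs without boto3
    rds = boto3.client("rds", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    # Remediation is modify_db_snapshot_attribute(..., AttributeName="restore", ValuesToRemove=["all"]).
    return find_public_snapshots(results)


if __name__ == "__main__":
    for line in find_public_snapshots(SAMPLE_RESULTS):
        print(line)
```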
Suffolk police publish victim information
Suffolk police accidentally published the personal information of hundreds of sexual assault victims on its website. The published information contained victims’ names, addresses, dates of birth, and details of the alleged sexual offenses committed. The data was accessible to the general public for a short period of time before being quickly removed after the breach came to notice.
Ransomware attack on public schools
A ransomware attack forced all public schools in Jackson and Hillsdale counties to remain closed. After discovering suspicious activity, the Jackson Intermediate School District (ISD) took down its systems to contain the incident and reached out to external cybersecurity advisors and law enforcement to investigate and assist in the restoration of its systems.
New version of DTrack backdoor
The North Korean state-sponsored Lazarus APT group is deploying a newer version of the DTrack backdoor far more widely to target organizations in Europe and South America. Besides spying, the new backdoor can run commands to perform file operations, fetch additional payloads, steal files and data, and launch processes on the compromised device.
RapperBot launches DDoS attacks
Researchers have discovered new samples of the RapperBot malware, which are used to build a DDoS botnet to target game servers. The latest variant uses the same C2 network protocol of previous samples but it supports additional commands to assist Telnet brute-force attacks. Also, the recent samples include the code to maintain persistence, which is rarely implemented in other Mirai-derived variants.
BatLoader on the rise
Infecting systems worldwide, the new malware loader BatLoader can determine whether it is running on a business system or a personal computer. Its operators use the dropper to distribute a variety of malware tools, including a banking trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit, on victim systems. They host the malware on compromised websites and lure users to those sites using SEO poisoning methods.
The downgrade of Mirai Botnet?
In a recent analysis of collected samples, researchers discovered a Mirai-based botnet variant using a new decryption function called ‘xor_init’ that allocates a block of memory, decrypts all the information in a single go, and does not re-encrypt later. Over the last few months, at least three different encryption keys—pazdanoisqt, megacatnet, and fakamebotnet—have been used. This is a significant and unnecessary downgrade from the original Mirai functionality.
Flaw in Spotify’s Backstage
Researchers discovered a critical remote code execution flaw in Spotify’s open-source developer portal platform, Backstage, with a CVSS score of 9.8. The issue could be exploited by triggering a recently disclosed sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library. Reported via Spotify’s bug bounty program, the vulnerability was quickly fixed with the release of version 1.5.1.
PCspooF impacts networking tech
A new attack method, dubbed PCspooF, affects Time-Triggered Ethernet (TTE), a networking technology used in safety-critical infrastructure. The attack breaks TTE's isolation guarantees and causes TTE devices to lose synchronization for up to a second, potentially causing the failure of time-sensitive systems powering spacecraft and aircraft.
Already on Mastodon?
In the last few weeks, Mastodon gained popularity as a replacement for Twitter. But recently a vulnerability was discovered in Glitch, a fork of Mastodon, which could allow attackers to steal user credentials. Attackers can inject form elements and spoof a password form which, when combined with Chrome autofill, would allow them access to the credentials.