
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 16, 2022

Leaked personal information is a potential treasure trove for cybercriminals. Recently, hundreds of databases on Amazon RDS were found exposing PII. Another incident where personal information was accidentally revealed came to light. This carelessness by the Suffolk police put hundreds of sexual assault victims’ information at risk.

In the past 24 hours, researchers have also reported several new malware threats, such as the DTrack backdoor, RapperBot, and BatLoader. While DTrack is used to target organizations in Europe and South America, RapperBot is leveraged to launch DDoS attacks on game servers, and BatLoader is distributed via compromised websites using SEO poisoning methods to infect users with various payloads.

In other news, a critical vulnerability was found impacting Spotify’s Backstage software catalog and developer portal platform, and a new attack technique was discovered that affects time-sensitive networking technology used by spacecraft and aircraft.

Top Breaches Reported in the Last 24 Hours

Amazon RDS instances leak user data

According to new findings, hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing PII, including names, phone numbers, email addresses, marital status, dates of birth, car rental information, and even company logins. The leaks stem from a feature called public RDS snapshots, which lets an owner create a backup of the entire database environment running in the cloud and share it so that it can be restored by any AWS account.
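The exposure described above is a sharing setting, so it can be audited from the account side. The following script is an added example, not code from the briefing or from AWS: it treats a manual RDS snapshot as public when its "restore" attribute contains the value "all" (the value AWS uses to mean "any AWS account"). The decision logic runs offline on a constructed response shaped like the output of `describe_db_snapshot_attributes`; the two live helpers use boto3 (an assumed dependency) to enumerate an account's snapshots and to remove the public grant with `modify_db_snapshot_attribute`.

```python
"""Audit Amazon RDS manual snapshots for public sharing (added example)."""
from typing import Any, Dict, List

# Constructed sample in the shape of DBSnapshotAttributesResult dicts.
# Only the first entry is shared with "all", i.e. publicly restorable.
SAMPLE_ATTRS: List[Dict[str, Any]] = [
    {
        "DBSnapshotIdentifier": "prod-customers-2022-11-15",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["all"]},
        ],
    },
    {
        "DBSnapshotIdentifier": "staging-app-2022-11-10",
        # Shared with one specific account id (constructed), not public.
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": ["123456789012"]},
        ],
    },
    {
        "DBSnapshotIdentifier": "dev-scratch",
        "DBSnapshotAttributes": [
            {"AttributeName": "restore", "AttributeValues": []},
        ],
    },
]


def public_snapshot_ids(snapshot_attrs: List[Dict[str, Any]]) -> List[str]:
    """Return the identifiers of snapshots whose restore attribute grants 'all'.

    `snapshot_attrs` is a list of DBSnapshotAttributesResult dicts, one per
    snapshot, as returned by rds.describe_db_snapshot_attributes().
    """
    exposed: List[str] = []
    for result in snapshot_attrs:
        for attr in result.get("DBSnapshotAttributes", []):
            if attr.get("AttributeName") != "restore":
                continue
            if "all" in attr.get("AttributeValues", []):
                exposed.append(result["DBSnapshotIdentifier"])
                break
    return exposed


def audit_region(region: str) -> List[str]:
    """Live check: list every public manual snapshot in one region.

    Requires boto3 and AWS credentials with rds:DescribeDBSnapshots and
    rds:DescribeDBSnapshotAttributes permissions (assumed, not demonstrated).
    """
    import boto3  # imported here so the offline logic above needs no SDK

    rds = boto3.client("rds", region_name=region)
    attrs: List[Dict[str, Any]] = []
    paginator = rds.get_paginator("describe_db_snapshots")
    # Only manual snapshots can be shared; automated ones cannot be made public.
    for page in paginator.paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"]
            )
            attrs.append(resp["DBSnapshotAttributesResult"])
    return public_snapshot_ids(attrs)


def make_private(region: str, snapshot_id: str) -> None:
    """Remediation: revoke the public 'all' grant on one snapshot."""
    import boto3

    rds = boto3.client("rds", region_name=region)
    rds.modify_db_snapshot_attribute(
        DBSnapshotIdentifier=snapshot_id,
        AttributeName="restore",
        ValuesToRemove=["all"],
    )


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for snapshot_id in public_snapshot_ids(SAMPLE_ATTRS):
        print(f"PUBLIC: {snapshot_id}")
```

Run the offline part as-is to see the decision logic; for a real audit, call `audit_region` for each region the account uses and feed any identifiers it returns to `make_private`. Sharing with named account ids (the second sample entry) is not flagged, since that is a deliberate grant rather than the public exposure the briefing describes.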

Suffolk police publish victim information

Suffolk police accidentally published the personal information of hundreds of sexual assault victims on its website. The published information contained victims’ names, addresses, dates of birth, and details of the alleged sexual offenses committed. The data was accessible to the general public for a short period before being removed once the breach was noticed.

Ransomware attack on public schools

A ransomware attack forced all public schools in Jackson and Hillsdale counties to remain closed. After discovering suspicious activity, the Jackson Intermediate School District (ISD) took down its systems to contain the incident and reached out to external cybersecurity advisors and law enforcement to investigate and assist in the restoration of its systems.

Top Malware Reported in the Last 24 Hours

New version of DTrack backdoor

The North Korean state-sponsored Lazarus APT group is deploying a newer version of the DTrack backdoor far more widely to target organizations in Europe and South America. Besides spying, the new backdoor can run commands to perform file operations, retrieve additional payloads, steal files and data, and launch processes on the compromised device.

RapperBot launches DDoS attacks

Researchers have discovered new samples of the RapperBot malware, which are used to build a DDoS botnet targeting game servers. The latest variant uses the same C2 network protocol as previous samples but supports additional commands to assist Telnet brute-force attacks. The recent samples also include code to maintain persistence, which is rarely implemented in other Mirai-derived variants.

BatLoader on the rise

Infecting systems worldwide, the new malware loader, BatLoader, can determine whether it is running on a business system or a personal computer. Its operators use the dropper to distribute a variety of malware tools, including a banking trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit, on victim systems. They host the malware on compromised websites and lure users to those sites using SEO poisoning methods.

The downgrade of Mirai Botnet?

In a recent analysis of collected samples, researchers discovered a Mirai-based botnet variant using a new decryption function called ‘xor_init’ that allocates a block of memory, decrypts all the information in a single go, and does not re-encrypt later. Over the last few months, at least three different encryption keys—pazdanoisqt, megacatnet, and fakamebotnet—have been used. This is a significant and unnecessary downgrade from the original Mirai functionality.

Top Vulnerabilities Reported in the Last 24 Hours

Flaw in Spotify’s Backstage

Researchers discovered a critical remote code execution flaw in Spotify’s open-source developer portal platform, Backstage, with a CVSS score of 9.8. The issue could be exploited by triggering a recently disclosed sandbox escape vulnerability (CVE-2022-36067 aka Sandbreak) in the vm2 third-party library. Reported via Spotify’s bug bounty program, the vulnerability was quickly fixed with the release of version 1.5.1.

PCspooF impacts networking tech

A new attack method, dubbed PCspooF, affects Time-Triggered Ethernet (TTE), a networking technology used in safety-critical infrastructure. This vulnerability is designed to break TTE's security guarantees and induce TTE devices to lose synchronization for up to a second, potentially causing the failure of time-sensitive systems powering spacecraft and aircraft.

Already on Mastodon?

In the last few weeks, Mastodon gained popularity as a replacement for Twitter. But recently a vulnerability was discovered in Glitch, a fork of Mastodon, which could allow attackers to steal user credentials. Attackers can inject form elements and spoof a password form which, when combined with Chrome autofill, would allow them access to the credentials.
