Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 5, 2023
Supermicro released firmware updates addressing multiple vulnerabilities in its BMC IPMI web interface that, when chained, could let a remote attacker gain root on affected systems. Among them are three critical XSS flaws in the BMC web front end, which an attacker could trigger by sending a crafted link to an administrator. In other news, security researchers issued fresh warnings about supply chain threats in the open-source ecosystem in the form of malicious Python packages: a campaign running since April 2023 has used 272 fake packages to steal over $100,000 in cryptocurrency.
The next round of updates concerns Apple users, as the company patched its 17th zero-day of the year. Atlassian has also issued patches for a critical zero-day in Confluence Data Center and Server that was actively exploited to create unauthorized administrator accounts.
Do not miss! Qakbot is alive and kicking.
Over 3 million records exposed
A cybersecurity researcher discovered and reported a non-password-protected database containing over 3 million records, including internal invoices, communications, and customer CRM files. The exposed database belonged to global B2B CRM provider Really Simple Systems. The records contained sensitive data, such as PII, medical records, identification documents, legal documents, and more. While some folders were restricted promptly after notification, the researcher could not determine how long the data was exposed or if unauthorized access occurred.
Sony investigates ransomware attacks
Sony is investigating two recent intrusions, one claimed by the RansomedVC ransomware group and another tied to the Cl0p ransomware group's exploitation of a zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit managed file transfer (MFT) software. In the RansomedVC incident, Sony identified unauthorized activity on a single server used for internal testing, with no indication that customer or partner data was exposed. In the Cl0p incident, Sony informed the Maine attorney general that nearly 6,800 individuals were affected and that their personal information was compromised.
Actors deploy data-stealing packages
A sophisticated and evolving attack campaign has been observed planting information-stealing packages on open-source platforms, amassing approximately 75,000 downloads. The campaign deploys Python packages that use multi-layered obfuscation and detection-evasion measures. The packages are capable of stealing sensitive data, including cryptocurrency wallet information, Discord badges, and more. Criminals have stolen around $100,000 in cryptocurrency through this campaign.
Qakbot found distributing ransomware and backdoors
Despite the FBI's takedown of Qakbot infrastructure in late August 2023, threat actors affiliated with the malware have continued operating, distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Cisco Talos identified the new campaign; metadata in the LNK files it uses matched earlier Qakbot campaigns, which supports the attribution. Talos believes the Qakbot operators remain active and may choose to rebuild their infrastructure.
Guyana government hit with DinodasRAT
A cyberespionage campaign named Operation Jacana targeted a governmental entity in Guyana and dropped the DinodasRAT malware. The attack began with a spear-phishing email containing a malicious link themed around a Guyanese fugitive in Vietnam. ESET attributes the intrusion to a China-nexus adversary with medium confidence, based on the use of the Korplug (PlugX) RAT. The campaign paired a previously undocumented tool with a well-known backdoor, consistent with a politically motivated espionage operation.
Play ransomware group adds six new victims
The Play ransomware group has targeted six organizations across different regions, including the U.S., the U.K., and Norway, in its latest attack spree. The victims include Roof Management, Security Instrument Corp, Filtration Control Ltd, Cinépolis Cinemas, CHARMANT Group, and Stavanger Municipality. The Play ransomware group, known for targeting small and medium-sized businesses, employs various techniques for network infiltration, including exploitation of known vulnerabilities, exposed RDP servers, and valid account credentials.
Apple’s emergency patch for zero-day
Apple has released emergency security updates (iOS 17.0.3 and iPadOS 17.0.3) to address a zero-day vulnerability (CVE-2023-42824) that may have been actively exploited against iOS versions prior to 16.6. The flaw affects the XNU kernel and allows a local attacker to escalate privileges on unpatched iPhones and iPads. The company did not disclose who reported the vulnerability. The update also addresses another zero-day (CVE-2023-5217), a heap buffer overflow in VP8 encoding in the libvpx video codec library, which Google had already patched in Chrome.
Cisco bug bypasses authentication
Cisco has released security updates to address a critical vulnerability (CVE-2023-20101) in its Emergency Responder (CER) system. The flaw stems from static root credentials, typically reserved for use during development, that were left in the product; an unauthenticated remote attacker could use them to log in to an affected device as root. The flaw affects CER version 12.5(1)SU4, and Cisco recommends updating to version 12.5(1)SU5 to mitigate the risk. There are no workarounds, and no exploitation has been reported so far.
Bugs let attackers take control of BMC systems
A series of vulnerabilities found in Supermicro BMC IPMI firmware could allow attackers to gain complete control of affected systems. Researchers discovered three cross-site scripting flaws and one command-injection vulnerability in the BMC web interface which, chained together, could enable arbitrary code execution with root privileges. The command injection itself requires an authenticated administrator, but an attacker could use one of the XSS flaws to have a logged-in administrator's browser create an admin account with the necessary privileges, then exploit the command injection from that account.
Actively exploited Atlassian zero-day fixed
Enterprise software services provider Atlassian has released patches to address a critical zero-day vulnerability (CVE-2023-22515) in publicly accessible Confluence Data Center and Server instances. This remotely exploitable flaw allows external attackers to create unauthorized administrator accounts and access Confluence servers. The issue only affects on-premises Confluence versions 8.0.0 and later; Atlassian Cloud sites are not affected. The company has also shared indicators of compromise (IoCs) for detecting potential intrusions, including unexpected members of the confluence-administrators group, unexpected newly created user accounts, and requests to /setup/*.action in network access logs.
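As an added example (not Atlassian's tooling and not code from the original briefing), the script below applies two of the indicators from Atlassian's CVE-2023-22515 advisory to constructed data: it scans Apache/Tomcat combined-format access log lines for requests to /setup/*.action made after first-time setup was completed, and it diffs the current membership of the confluence-administrators group against a known-good baseline. The log lines, the setup-completion timestamp and the admin lists are all constructed sample input; in practice they come from the Confluence access logs, the install date, and an admin list exported from the Confluence UI or database.

```python
"""Triage helpers for the CVE-2023-22515 indicators (added example, not Atlassian's code)."""
import re
from datetime import datetime, timezone
from typing import List, Optional

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Atlassian's advisory lists requests to /setup/*.action as an indicator. These
# endpoints are legitimately hit once, during first-time setup, so the filter
# below only reports requests made after setup was completed.
SETUP_RE = re.compile(r'^/setup/[^/?]+\.action')

# Constructed sample log: one legitimate setup request on install day, followed
# months later by setup-endpoint requests from an external client (RFC 5737
# documentation addresses, not real hosts).
SAMPLE_ACCESS_LOG = """\
192.0.2.5 - - [15/Jan/2023:09:02:11 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
203.0.113.10 - - [04/Oct/2023:02:11:07 +0000] "GET /login.action HTTP/1.1" 200 5321
203.0.113.10 - - [04/Oct/2023:02:11:12 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 4110
203.0.113.10 - - [04/Oct/2023:02:11:15 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.7 - - [04/Oct/2023:02:13:40 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 8921
"""
# Assumed install/setup completion time for the sample instance (constructed).
SETUP_COMPLETED = datetime(2023, 1, 15, 9, 5, tzinfo=timezone.utc)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_setup_requests(log_text: str, setup_completed: datetime) -> List[dict]:
    """Return requests to /setup/*.action that arrived after initial setup finished."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SETUP_RE.match(rec["path"]) and rec["ts"] > setup_completed:
            hits.append(rec)
    return hits


def unexpected_admins(current: List[str], baseline: List[str]) -> List[str]:
    """Members of confluence-administrators that are absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))


def triage(log_text: str, setup_completed: datetime,
           current_admins: List[str], baseline_admins: List[str]) -> dict:
    """Combine both indicators into one report for an analyst."""
    hits = find_setup_requests(log_text, setup_completed)
    return {
        "setup_requests": hits,
        "suspicious_clients": sorted({h["client"] for h in hits}),
        "unexpected_admins": unexpected_admins(current_admins, baseline_admins),
    }


if __name__ == "__main__":
    # Constructed admin lists: 'svc-backup' is not in the baseline and warrants review.
    report = triage(SAMPLE_ACCESS_LOG, SETUP_COMPLETED,
                    current_admins=["admin", "svc-backup", "m.jones"],
                    baseline_admins=["admin", "m.jones"])
    for h in report["setup_requests"]:
        print(f"{h['ts'].isoformat()} {h['client']} {h['method']} {h['path']} -> {h['status']}")
    print("suspicious clients:", report["suspicious_clients"])
    print("unexpected admins:", report["unexpected_admins"])
```

A hit on /setup/*.action after install is not proof of compromise on its own (a scanner can probe the path and receive a redirect), so the report keeps the HTTP status and pairs the log evidence with the admin-group diff; a POST to setupadministrator.action that returned a redirect together with a new, unexplained administrator is the combination that should trigger incident response.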
Crypto scams target high-profile YouTube channels
Cybercriminals have been hijacking high-profile YouTube accounts to carry out stream-jacking attacks that feed into a sophisticated cryptocurrency scam. The attacks involve impersonating Tesla-related channels, embedding crypto scams in live streams, and manipulating comments. The scams urge viewers to send cryptocurrency with the promise of doubling their funds. Researchers have found over 1,300 videos promoting similar scams, involving more than 150 distinct fraudulent websites.