Cyware Daily Threat Intelligence

Daily Threat Briefing Oct 9, 2023

Several new threats are propagated every day with sophisticated tactics and techniques, making cyber defense an uphill task for security practitioners. Recently, a group of experts noted a rapid evolution in Balada Injector's infrastructure and attack methods, which resulted in a significant number of compromised WordPress sites. In another headline, the cURL data transfer project is in the process of addressing a high-severity security hole, deemed to be one of its worst flaws. Details are yet to be disclosed, but the bug affects recent releases. Users are urged to update promptly upon the October 11 release to protect their systems. In both scenarios, stakeholders have been advised to be extra cautious.

Separately, ConnectedIO's ER2000 edge routers and their linked cloud-based platform were found to contain multiple high-severity vulnerabilities, presenting significant security risks. They could allow attackers to breach the cloud infrastructure, perform remote code execution, and access sensitive data.

Top Breaches Reported in the Last 24 Hours

Flagstar Bank warns of breach

Flagstar Bank, now owned by New York Community Bank, has warned 837,390 U.S. customers about a data breach originating from a third-party service provider, Fiserv, that had suffered a MOVEit Transfer hack. The attackers exploited a zero-day vulnerability to access Fiserv's systems and steal customer data, including names and SSNs. This marks Flagstar Bank's third breach since March 2021, raising concerns about the security of customers’ personal and financial data.

Ransomware group claims two victims

The Rhysida ransomware group targeted the city of Gondomar in Portugal and the Dominican Republic's Migration Agency. Gondomar's municipal services were disrupted, impacting communication with residents for nearly a week. The ransomware group shared samples of passports and other financial documents it allegedly pilfered from the municipality. Meanwhile, attackers stole sensitive data from the Dominican Republic’s Migration Agency, without encrypting its systems.

OrthoAlaska breach impacts 176,000 individuals

Healthcare company OrthoAlaska disclosed, in a notice to HHS, that an unauthorized party was able to access the sensitive information of 176,203 individuals. While the specific data types compromised have not been publicly revealed, affected parties are urged to take precautions against potential fraud and identity theft. Details about the cause of the breach and the affected individuals remain under investigation.

Voter records at risk

The District of Columbia Board of Elections (DCBOE) is investigating a data leak involving voter records, prompted by claims from a threat actor known as RansomedVC. The breach did not directly affect DCBOE's internal systems but impacted the web server of DataNet, the hosting provider for the D.C. election authority. RansomedVC claimed to have pilfered over 600,000 lines of U.S. voter data, including D.C. voter records, which are now being offered for sale on the dark web.

Top Malware Reported in the Last 24 Hours

Android devices shipped with backdoored firmware

Researchers from Human Security discovered a global network called BADBOX that compromised a Chinese manufacturer's supply chain to install backdoors in over 74,000 Android-based mobile phones, tablets, and Connected TV boxes. Based on the Triada malware, the backdoor was used to conduct ad fraud, create fake Gmail and WhatsApp accounts, and perform other malicious actions. The campaign includes an ad fraud scheme called PeachPit, which infected over 121,000 Android and 159,000 iOS devices.

Balada Injector's campaign targets WordPress themes

Balada Injector was found exploiting an unauthenticated stored XSS flaw in the tagDiv Composer, a companion plugin for popular tagDiv premium themes like Newspaper and Newsmag. This led to waves of malware injections targeting websites using these themes. The attacks injected malicious scripts, created rogue admin users, planted backdoors in the theme's files, and installed malicious plugins. The attackers used various obfuscation techniques and multiple domains and sub-domains, making detection and mitigation challenging.
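A defender-side triage script for the indicators listed above (injected script tags in theme files, rogue administrator accounts, and unexpected plugins) is added here as an example; it is not code from the briefing, from tagDiv, or from the WordPress project. The allowlists, host names, user records and theme file contents are constructed placeholders, and the obfuscation regexes are assumptions about typical injected JavaScript rather than signatures taken from the campaign.

```python
"""
Added example (not from the Cyware briefing): triage helpers for a
suspected WordPress compromise. Inputs are constructed samples.
"""
import re
from dataclasses import dataclass

# Hosts the site is expected to load scripts from (assumed allowlist).
KNOWN_SCRIPT_HOSTS = {"example-theme-cdn.test", "www.google-analytics.com"}

# Plugins the site owner approved (assumed allowlist of plugin slugs).
APPROVED_PLUGINS = {"td-composer", "akismet"}

# Idioms that commonly indicate obfuscated injected JavaScript (assumed).
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*(atob|unescape|String\.fromCharCode)", re.I),
    re.compile(r"document\.write\s*\(\s*unescape", re.I),
    re.compile(r"fromCharCode\((?:\s*\d+\s*,){10,}", re.I),
]

# Captures the host of any <script src=...> tag, with or without a scheme.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I
)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    reason: str


def scan_theme_files(files):
    """files: mapping of theme file path -> contents. Returns Finding list."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            # Script tags pulling from hosts outside the allowlist.
            for match in SCRIPT_SRC.finditer(line):
                host = match.group(1).lower()
                if host not in KNOWN_SCRIPT_HOSTS:
                    findings.append(
                        Finding(path, lineno, f"external script from {host}")
                    )
            # Inline JavaScript using obfuscation idioms.
            if any(p.search(line) for p in OBFUSCATION_PATTERNS):
                findings.append(Finding(path, lineno, "obfuscated JavaScript"))
    return findings


def rogue_admins(users, known_admins):
    """Administrator logins that are not in the owner's known-admin set."""
    return sorted(
        u["user_login"]
        for u in users
        if u["role"] == "administrator" and u["user_login"] not in known_admins
    )


def unexpected_plugins(installed, approved):
    """Installed plugin slugs the owner never approved."""
    return sorted(set(installed) - set(approved))


# --- constructed sample data (placeholders, not real indicators) ---
SAMPLE_THEME = {
    "wp-content/themes/sample/footer.php": (
        "<?php wp_footer(); ?>\n"
        "<script src='https://example-theme-cdn.test/theme.js'></script>\n"
        "<script src='//unknown-host.example/inject.js'></script>\n"
        "</body></html>\n"
    ),
    "wp-content/themes/sample/functions.php": (
        "<?php\n"
        "add_action('init', 'theme_setup');\n"
        "echo '<script>eval(atob(\"Zm9v\"));</script>';\n"
    ),
}
SAMPLE_USERS = [
    {"user_login": "site_owner", "role": "administrator"},
    {"user_login": "editor1", "role": "editor"},
    {"user_login": "wp-admin-support", "role": "administrator"},
]
KNOWN_ADMINS = {"site_owner"}
SAMPLE_PLUGINS = ["td-composer", "akismet", "wp-zzz-helper"]


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "theme_findings": scan_theme_files(SAMPLE_THEME),
        "rogue_admins": rogue_admins(SAMPLE_USERS, KNOWN_ADMINS),
        "unexpected_plugins": unexpected_plugins(SAMPLE_PLUGINS, APPROVED_PLUGINS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The script keys entirely off allowlists the site owner maintains, so its value depends on keeping `KNOWN_SCRIPT_HOSTS`, `KNOWN_ADMINS` and `APPROVED_PLUGINS` current; the host check deliberately treats scheme-relative `//host/` URLs the same as absolute ones, since both load remote code.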

Top Vulnerabilities Reported in the Last 24 Hours

High-severity bugs in ConnectedIO's routers

Multiple high-severity security vulnerabilities have been exposed in ConnectedIO's ER2000 edge routers and their associated cloud-based management platform. These issues include stack-based buffer overflow, argument injection, and OS command execution vulnerabilities, posing significant risks to global companies and their internal networks. The flaws could be exploited by malicious actors to execute arbitrary code and gain access to sensitive data.

Critical vulnerability in cURL

Maintainers of the cURL data transfer project are rushing to patch a high-severity vulnerability, tracked as CVE-2023-38545, which could be one of the most severe flaws in the open-source tool in years. This critical bug impacts both libcurl and curl, exposing systems using this library to potential exploitation. The details of the vulnerability remain undisclosed, but it is expected to affect all versions released over the last several years. Organizations are urged to prepare for immediate updates upon the release of curl 8.4.0 on October 11.
