Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 9, 2023
Several new threats are propagated every day with sophisticated tactics and techniques, making cyber defense an uphill task for security practitioners. Recently, a group of experts noted a rapid evolution in Balada Injector's infrastructure and attack methods, which resulted in a significant number of compromised WordPress sites. In another headline, the cURL data transfer project is in the process of addressing a high-severity security hole, deemed to be one of its worst flaws. Details are yet to be disclosed, but the bug affects recent releases. Users are urged to update promptly upon the October 11 release to protect their systems. In both scenarios, stakeholders have been advised to be extra cautious.
Separately, ConnectedIO's ER2000 edge routers and their linked cloud-based platform were found to contain multiple high-severity vulnerabilities, presenting significant security risks. They could allow attackers to breach the cloud infrastructure, perform remote code execution, and access sensitive data.
Flagstar Bank warns of breach
Flagstar Bank, now owned by New York Community Bank, has warned 837,390 U.S. customers about a data breach originating from a third-party service provider, Fiserv, that had suffered a MOVEit Transfer hack. The attackers exploited a zero-day vulnerability to access Fiserv's systems and steal customer data, including names and SSNs. This marks Flagstar Bank's third breach since March 2021, raising concerns about the security of customers’ personal and financial data.
Ransomware group claims two victims
The Rhysida ransomware group targeted the city of Gondomar in Portugal and the Dominican Republic's Migration Agency. Gondomar's municipal services were disrupted, impacting communication with residents for nearly a week. The ransomware group shared samples of passports and other financial documents it allegedly pilfered from the municipality. Meanwhile, attackers stole sensitive data from the Dominican Republic’s Migration Agency, without encrypting its systems.
OrthoAlaska breach impacts 176,000 individuals
Healthcare company OrthoAlaska disclosed, in a notice to HHS, that an unauthorized party was able to access the sensitive information of 176,203 individuals. While the specific data types compromised have not been publicly revealed, affected parties are urged to take precautions against potential fraud and identity theft. Details about the cause of the breach and the affected individuals remain under investigation.
Voter records at risk
The District of Columbia Board of Elections (DCBOE) is investigating a data leak involving voter records, prompted by claims from a threat actor known as RansomedVC. The breach did not directly affect DCBOE's internal systems but impacted the web server of DataNet, the hosting provider for the D.C. election authority. RansomedVC claimed to have pilfered over 600,000 lines of U.S. voter data, including D.C. voter records, which are now being offered for sale on the dark web.
Android devices shipped with backdoored firmware
Researchers from Human Security discovered a global network called BADBOX that compromised a Chinese manufacturer's supply chain to install backdoors in over 74,000 Android-based mobile phones, tablets, and Connected TV boxes. Based on the Triada malware, the backdoor was used to conduct ad fraud, create fake Gmail and WhatsApp accounts, and perform other malicious actions. The campaign includes an ad fraud scheme called PeachPit, which infected over 121,000 Android and 159,000 iOS devices.
Balada Injector's campaign targets WordPress themes
Balada Injector was found exploiting an unauthenticated stored XSS flaw in the tagDiv Composer, a companion plugin for popular tagDiv premium themes like Newspaper and Newsmag. This led to waves of malware injections targeting websites using these themes. The attacks injected malicious scripts, created rogue admin users, planted backdoors in the theme's files, and installed malicious plugins. The attackers used various obfuscation techniques and multiple domains and sub-domains, making detection and mitigation challenging.
High-severity bugs in ConnectedIO's routers
Multiple high-severity security vulnerabilities have been exposed in ConnectedIO's ER2000 edge routers and their associated cloud-based management platform. These issues include stack-based buffer overflow, argument injection, and OS command execution vulnerabilities, posing significant risks to global companies and their internal networks. The flaws could be exploited by malicious actors to execute arbitrary code and gain access to sensitive data.
Critical vulnerability in cURL
Maintainers of the cURL data transfer project are rushing to patch a high-severity vulnerability, tracked as CVE-2023-38545, which could be one of the most severe flaws in the open-source tool in years. This critical bug impacts both libcurl and curl, exposing systems using this library to potential exploitation. The details of the vulnerability remain undisclosed, but it's expected to affect all iterations released over the last several years. Organizations are urged to prepare for immediate updates upon the release of curl 8.4.0 on October 11.