Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 12, 2023
A new, sophisticated malware threat disguised as a legitimate caching plugin for WordPress is making the rounds. The malware’s features include evading detection, pinging for script status, modifying files, creating admin accounts, and remotely managing plugins, all while maintaining a professional facade. After nearly a week of intense speculation about the security issues in cURL, the latest version of the command-line transfer tool has been released with a fix. Vulnerable systems could be attacked via a malicious HTTPS server redirect. Organizations are urged to promptly update and secure systems that use cURL or libcurl.
Furthermore, the widely used D-Link DAP-X1860 WiFi 6 range extender was found vulnerable to DoS and command injection attacks. Researchers claimed that D-Link has not responded or issued any fixes despite multiple notifications. The bug was first reported in May.
Air Canada allegedly lost 210GB of data
The BianLian extortion group asserted that it successfully breached Air Canada's IT network. In contrast to the airline’s previous statements downplaying the attack, the threat actors claim to have stolen a substantial amount of data amounting to 210GB. The stolen data reportedly spans from 2008 to 2023, and includes technical and operational information, SQL backups, employee personal data, vendor and supplier details, confidential documents, and archives from company databases.
Simpson Manufacturing takes IT systems offline
Simpson Manufacturing, an engineering and manufacturing firm based in California, revealed in a Form 8-K filing to the SEC that it suffered a cyberattack, prompting the company to take some of its IT systems offline. Although the company did not specify the type of attack, taking systems offline is the typical response to a ransomware incident. The incident is expected to disrupt certain business operations.
Cloud gaming service’s data on sale
Cloud gaming provider Shadow PC alerted customers about a data breach that resulted from a social engineering attack on an employee. The attack involved downloading malware disguised as a game on the Steam platform, leading to the theft of an authentication cookie. This breach exposed names, email addresses, dates of birth, billing addresses, and credit card expiration dates of 533,624 users. The breach didn't compromise account passwords or sensitive payment data.
Malware disguised as caching plugin
A new malware strain is pretending to be a legitimate caching plugin for WordPress, enabling hackers to infiltrate sites by creating an administrator account and gaining control of the site's operations. Analysts at Defiant discovered this malware that can hide itself from other plugins, replace content, and redirect specific users to malicious sites. Through its clever disguise, this malware aims to avoid detection during manual inspections.
Vulnerability in D-Link extender
The widely used D-Link DAP-X1860 WiFi 6 range extender is susceptible to a vulnerability (CVE-2023-45208) that can be exploited for DoS attacks and remote command injection. The security issue stems from the extender's failure to correctly parse SSIDs containing a single tick (') in the name: the tick is misinterpreted as a command terminator. An attacker within the extender's range can broadcast a network SSID with a tick in the name, potentially achieving remote command execution.
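To make the SSID parsing flaw concrete from a defender's side, the following added example (not D-Link's code, and the `iw dev wlan0 connect` command is an assumed stand-in for whatever the extender actually runs) tokenises a command line the way a POSIX shell would, without executing anything, and shows how a tick in the SSID splits one argument into extra commands, while quoting or passing an argv list keeps it as a single word:

```python
import shlex

# Constructed sample SSIDs: in the first, the single tick closes the quoted
# argument so the rest of the name is parsed as further shell commands.
MALICIOUS_SSID = "Guest'; echo injected; echo 'done"
BENIGN_SSID = "Guest WiFi"


def naive_command(ssid: str) -> str:
    """Vulnerable pattern (hypothetical, modelled on the advisory): the SSID
    is pasted verbatim into a single-quoted shell string."""
    return f"iw dev wlan0 connect '{ssid}'"


def hardened_command(ssid: str) -> str:
    """Hardened pattern: shlex.quote() escapes the tick so the SSID stays
    one shell word even when it contains quotes or separators."""
    return f"iw dev wlan0 connect {shlex.quote(ssid)}"


def argv_form(ssid: str) -> list:
    """Safest fix: pass the SSID as a discrete argv element (e.g. to
    subprocess.run with a list) so no shell ever parses it."""
    return ["iw", "dev", "wlan0", "connect", ssid]


def shell_words(cmdline: str) -> list:
    """Split cmdline like a POSIX shell, with ';' as its own operator token.
    Nothing is executed; this only shows how a shell would see the line."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injects_commands(cmdline: str) -> bool:
    """True when the SSID position yields extra words or a ';' operator,
    i.e. when the name would be treated as more than one argument."""
    words = shell_words(cmdline)
    return len(words) != 5 or ";" in words


if __name__ == "__main__":
    for ssid in (BENIGN_SSID, MALICIOUS_SSID):
        print(repr(ssid))
        print("  naive    ->", shell_words(naive_command(ssid)))
        print("  hardened ->", shell_words(hardened_command(ssid)))
        print("  argv     ->", argv_form(ssid))
```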
cURL vulnerability puts enterprises at risk
The maintainers of cURL, a widely used open-source data transfer project, issued patches for a high-risk memory corruption vulnerability, tracked as CVE-2023-38545. The flaw affects the SOCKS5 proxy handshake process in cURL and poses a severe threat to numerous enterprise operating systems, applications, and devices. An attacker controlling an HTTPS server accessed via cURL through a SOCKS5 proxy can exploit the bug to trigger a heap buffer overflow in certain conditions.
LinkedIn Smart Links used for credential phishing
A credential phishing campaign was spotted employing LinkedIn Smart Links to sneak into users' inboxes. Over 800 emails with various subject themes have been identified, using over 80 unique LinkedIn Smart Links across multiple industries. These Smart Links can be sent from newly created or previously compromised LinkedIn business accounts. The LinkedIn Smart Links use trusted domain names, allowing them to bypass Secure Email Gateways (SEGs) and other security suites.