Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 17, 2023
Multiple zero-days have come under attack. A critical vulnerability (CVSS 9.8) in a WordPress plugin—with over 200,000 active installations—was actively exploited for a month before a patch was made available. Security researchers witnessed over 46,000 attacks attempting to abuse this flaw, posing a significant threat to websites using the add-on. Meanwhile, another zero-day flaw in Cisco IOS XE Software pushed tens of thousands of devices to the brink of exploitation. There’s no workaround available as of now.
On the malware side, a new campaign has been associated with the XorDDoS trojan, prompting an extensive investigation. This inquiry revealed a hidden attack infrastructure responsible for substantial C2 traffic, with hosts on legitimate public hosting services.
Ransomware attack hits Kansas courts
A cyberattack crippled electronic systems at various Kansas courts, including the state's Supreme Court, Court of Appeals, and 31 district courts. These attacks forced several courts to resort to paper records as their electronic filing systems remained unavailable. The extent and details of the incident are unclear, and while courts are operational, they face significant limitations in processing electronic documents.
Ukrainian telecom providers targeted
Ukrainian telecommunication service providers faced a series of cyberattacks by UAC-0165, leading to service disruptions for at least 11 providers between May and September, according to the CERT-UA. The attacks involved reconnaissance, exploitation, and unauthorized access phases, employing specialized programs like POEMGATE and POSEIDON to steal credentials and control infected hosts. Notably, these attacks sought to disrupt network and server equipment.
Knight ransomware group hits BMW Munique Motors
The Knight ransomware group claimed responsibility for a cyberattack on BMW Munique Motors, an authorized BMW dealership in the state of Rondônia in Brazil. The threat actors announced their intention to release stolen files on the dark web. Notably, the official BMW dealership website appears unaffected, suggesting that the cyberattack may have targeted the organization's backend database.
Spyware targets Israeli Android users
Threat actors are exploiting the popularity of the RedAlert – Rocket Alerts app in Israel, which provides real-time alerts about incoming rocket attacks, by distributing a malicious version of the app. Cloudflare detected a website hosting a rogue APK file containing spyware and masquerading as the legitimate app. When users install this fake version, it collects sensitive data and exhibits anti-analysis features. The malware then uploads the stolen data to the attackers' server.
XorDDoS trojan again hunts down Linux
A new cyberattack campaign has been discovered involving the XorDDoS Trojan, targeting Linux systems and devices. This trojan converts compromised devices into remote-controlled zombies that can be used for DDoS attacks. While the current campaign is similar to one conducted in 2022, the threat actors have updated their C2 hosts. In this attack, the threat actors scanned for hosts with vulnerable HTTP services, particularly targeting the /etc/passwd file to read passwords.
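The scanning behaviour described above leaves a recognisable trace in web-server access logs. The following is an added example (not code from Cyware or from the XorDDoS research) that flags requests whose path, after URL-decoding, reaches for /etc/passwd, and records whether the server answered with a 2xx status, which is the case a responder should look at first. The log lines are constructed for the example; the log layout assumed is the common Apache/Nginx "combined" format.

```python
"""Flag HTTP requests that probe for /etc/passwd in combined-format access logs."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Oct/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Oct/2023:10:01:03 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 162 "-" "curl/7.88"
203.0.113.5 - - [17/Oct/2023:10:01:04 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1840 "-" "python-requests/2.31"
192.0.2.9 - - [17/Oct/2023:10:01:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD PATH PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """URL-decode twice (to unwrap double encoding) and lowercase for matching."""
    return unquote(unquote(path)).lower()


def is_passwd_probe(path: str) -> bool:
    """True if the request path tries to read /etc/passwd, directly or via traversal."""
    p = normalize_path(path)
    return "/etc/passwd" in p or ("../" in p and "passwd" in p)


def find_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per matching request; 'served' marks 2xx responses."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than fail the whole scan
        if is_passwd_probe(m["path"]):
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "served": m["status"].startswith("2"),
            })
    return hits


def sources_by_count(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count probe requests per source IP, most active first."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f"{hit['ip']:15} {hit['status']} {flag:7} {hit['path']}")
```

A 404 shows the probe was attempted; a 200 means the application actually handed back content for that path and the host should be treated as potentially compromised until the response body has been checked.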
Zero-day exploited in WordPress plugin
A critical-severity vulnerability (CVE-2023-5360) in the Royal Elementor Addons and Templates WordPress plugin was exploited as a zero-day for over a month. The bug allows unauthenticated attackers to upload arbitrary files to vulnerable sites, potentially leading to remote code execution. Security firm Defiant has detected over 46,000 attacks exploiting this flaw, most of them attempting to create malicious administrator accounts on target sites.
Active exploitation of critical Cisco bug
Cisco issued an urgent warning about an actively exploited zero-day bug (CVE-2023-20198) in the web UI of Cisco IOS XE Software. The flaw allows remote, unauthenticated attackers to create an account with privilege level 15 access, potentially leading to full device control. Cisco recommends disabling the HTTP Server feature on all internet-facing systems. With more than 40,000 Cisco devices at risk, the company is working on a software patch.
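Two things an administrator wants to know from the item above are whether a device's web UI is reachable at all and which local accounts hold privilege 15. The script below is an added example (not Cyware's or Cisco's code) that audits a saved running-config for both: it reports whether `ip http server` / `ip http secure-server` are enabled, lists privilege-15 local users so that any unrecognised one can be reviewed, and emits the standard IOS XE config-mode commands (`no ip http server`, `no ip http secure-server`) that disable the HTTP server feature. The running-config excerpt is constructed for the example, and the account names in it are placeholders, not indicators from the advisory.

```python
"""Audit a saved IOS XE running-config for web-UI exposure and privilege-15 local users."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not captured from a real device).
SAMPLE_RUNNING_CONFIG = """\
version 17.3
hostname edge-router-1
!
username netops privilege 15 secret 9 $9$placeholder
username svc-backup privilege 1 secret 9 $9$placeholder
username svc-unknown privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
end
"""

# "ip http server" (HTTP) and "ip http secure-server" (HTTPS) both expose the web UI.
HTTP_SERVER_RE = re.compile(r"^\s*(ip http (?:secure-)?server)[ \t]*$", re.MULTILINE)
# Local accounts with the highest privilege level.
PRIV15_USER_RE = re.compile(r"^\s*username (\S+) privilege 15\b", re.MULTILINE)


def audit_config(config: str) -> Dict[str, object]:
    """Return enabled web-UI services and the privilege-15 local users found."""
    http_services = sorted({m.group(1) for m in HTTP_SERVER_RE.finditer(config)})
    priv15_users = PRIV15_USER_RE.findall(config)
    return {
        "http_services": http_services,
        "priv15_users": priv15_users,
        "web_ui_exposed": bool(http_services),
    }


def remediation_commands(config: str) -> List[str]:
    """Config-mode commands that turn off each enabled HTTP/HTTPS server."""
    cmds: List[str] = []
    for service in audit_config(config)["http_services"]:
        cmds.append("no " + service)  # "no ip http server" / "no ip http secure-server"
    return cmds


def unexpected_priv15(config: str, approved: List[str]) -> List[str]:
    """Privilege-15 users not on the operator's approved list; each one needs a review."""
    found = audit_config(config)["priv15_users"]
    return [u for u in found if u not in approved]


if __name__ == "__main__":
    result = audit_config(SAMPLE_RUNNING_CONFIG)
    print("web UI exposed:", result["web_ui_exposed"], result["http_services"])
    print("privilege-15 users:", result["priv15_users"])
    print("unapproved privilege-15 users:", unexpected_priv15(SAMPLE_RUNNING_CONFIG, ["netops"]))
    print("remediation:", remediation_commands(SAMPLE_RUNNING_CONFIG))
```

The approved-user list is something the operator maintains; the script only surfaces the difference. Disabling the HTTP server also removes legitimate web-UI management access, so the commands should be applied alongside a management-plane access policy rather than as a blanket change across every device.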
Authorities warn of Atlassian bug
CISA, the FBI, and the MS-ISAC issued a warning about the potential widespread exploitation of a recently disclosed zero-day vulnerability in Atlassian Confluence Data Center and Server. Tracked as CVE-2023-22515, the vulnerability has been exploited by a nation-state threat actor since before patches were available. The flaw allows attackers to create unauthorized administrator accounts and modify critical configuration settings. Organizations with vulnerable instances are urged to update to patched versions and to restrict network access until updates are applied.
Flaws in Titan MFT and Titan SFTP servers
South River Technologies' Titan MFT and Titan SFTP servers were found to have vulnerabilities that could lead to remote superuser access on the affected host, although exploitation requires unusual circumstances, non-default configurations, and valid user logins. These issues affect both the Linux and Windows versions of the products. Widespread exploitation is considered unlikely.