
Cyware Daily Threat Intelligence


Daily Threat Briefing Oct 18, 2023

In recent weeks, an alarming increase in malvertising campaigns through Google search ads has been observed. A malvertising campaign has surfaced to target users searching for software like Notepad++. The campaign involves a multi-level filtering process, including system fingerprinting and custom, time-sensitive payload downloads. In another headline, security experts uncovered a cryptojacking campaign targeting Jupyter Notebooks, employing sophisticated command and control via Discord. Also, this campaign marks the first known instance of Codeberg's use in a malware campaign.

Let’s see some bug updates! Oracle addressed hundreds of security vulnerabilities across its products; the CISA warned about significant issues in Weintek's cMT HMI product; and a flaw in Synology's DiskStation Manager (DSM) puts admin passwords at risk and enables remote hijacking of accounts.

Top Breaches Reported in the Last 24 Hours

TV advertising sales firm hit by ransomware

Ampersand, a television advertising sales and technology company jointly owned by Comcast Corporation, Charter Communications, and Cox Communications, recently experienced a ransomware attack. The company provides viewership data to advertisers for approximately 85 million households. The attack was claimed by the Black Basta ransomware gang, but it remains unclear when the incident occurred and whether a ransom will be paid.

IBM discloses victim count for Johnson & Johnson breach

IBM has disclosed that the Johnson & Johnson data breach impacted the personal information of 631,000 individuals. The breach resulted from unauthorized access to a third-party database. The breach exposed individuals' names, contact details, birthdates, health insurance data, and medication-related information but did not compromise SSNs or financial account information of individuals.

Cyberattack disrupts retail chain

Kwik Trip, a chain of over 800 convenience stores and gas stations, appears to have experienced a cyberattack that disrupted its IT systems, including the Kwik Rewards program. While the company has not explicitly stated that it suffered a cyberattack, a recent statement mentioned it as a "network incident," while an investigation is ongoing. The chain also emphasizes that there is no evidence of data theft. However, concerns persist among customers and employees about the potential exposure of their data.

Data stolen from D-Link’s network

D-Link confirmed a data breach after a threat actor claimed to have stolen 3 million lines of information and the source code for D-Link's D-View network management software. The stolen data allegedly includes information related to Taiwanese government officials, CEOs, and employees, with details such as names, emails, addresses, phone numbers, and registration dates. The breach occurred due to a phishing attack on an employee, resulting in unauthorized access to outdated data used for registration purposes.

Top Malware Reported in the Last 24 Hours

Stealthy attack targeting Notepad++ users

Threat actors launched a malvertising campaign focusing on Notepad++, the popular Windows text editor. This campaign employs sophisticated techniques, including IP checks, fingerprinting for VM detection, and custom, time-sensitive payload downloads. Each victim receives a unique payload, typically a .hta script, which appears to be part of a broader malicious infrastructure for gaining access to victims' machines. While the exact intent of the attackers isn't clear, the payload is associated with potentially harmful tools.

New Qubitstrike malware targets Jupyter Notebooks

Cado Security Labs uncovered the Qubitstrike cryptojacking campaign, marking the first known use of the Codeberg code hosting platform for malware distribution. This advanced attack employed Discord for command and control, primarily seeking cloud credentials, and exploited vulnerable Jupyter Notebook instances. The stolen credentials are exfiltrated via the Telegram Bot API.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerability in Synology NAS products

A vulnerability, identified as CVE-2023-2729 with a CVSS score of 5.9, has been discovered in Synology DiskStation Manager (DSM). Researchers from Claroty’s Team82 revealed that the bug arises from the use of a weak random number generator in the Linux-based operating system for Synology’s NAS products. Attackers could potentially leak information and reconstruct the seed for the pseudorandom number generator (PRNG) to brute-force the admin password, thereby taking over the admin account.
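As an added illustration, not Synology's code or Team82's findings, the toy below shows the failure class described above: a password derived from a general-purpose PRNG with a small seed space can be reproduced by anyone who recovers the seed from another output of the same generator, while a CSPRNG-backed generator has no seed to recover. The 16-bit seed space, the alphabet and the "leaked" value are constructed for the demonstration.

```python
import random
import secrets
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 12
SEED_BITS = 16  # constructed: a deliberately small seed space to show the risk


def weak_generate(seed: int, length: int = PASSWORD_LEN) -> Tuple[str, int]:
    """Weak pattern: derive a password from a non-cryptographic PRNG seeded
    with a small value. Also return one further output of the same generator,
    standing in for any value (a token, a filename) an observer might see."""
    rng = random.Random(seed)
    password = "".join(rng.choice(ALPHABET) for _ in range(length))
    leaked = rng.getrandbits(32)
    return password, leaked


def recover_seed_from_leak(leaked: int, length: int = PASSWORD_LEN) -> Optional[int]:
    """Risk check: with a 16-bit seed, one observed output is enough to replay
    the generator over every candidate seed and find the one that matches;
    the password derived from that seed then follows. Returns None if no
    candidate reproduces the observed value."""
    for candidate in range(1 << SEED_BITS):
        if weak_generate(candidate, length)[1] == leaked:
            return candidate
    return None


def strong_generate(length: int = PASSWORD_LEN) -> str:
    """Hardened form: draw each character from the OS CSPRNG via secrets,
    which is not seeded from a small, reconstructible value."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    password, leaked = weak_generate(40000)
    found = recover_seed_from_leak(leaked)
    print("weak password reproduced:", weak_generate(found)[0] == password)
    print("strong password:", strong_generate())
```

The search over 2**16 seeds completes in about a second; a real generator seeded from process start time or a PID has a comparably small effective seed space, which is why password generation must use a CSPRNG.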

Oracle releases 387 security patches

Oracle issued a massive release of 387 security patches in its October 2023 Critical Patch Update (CPU). These patches are designed to address various vulnerabilities in Oracle's own code and third-party components. Among these patches, more than 40 tackle critical severity flaws, and over 200 address bugs that could be exploited remotely without requiring authentication. The largest number of patches were for Oracle's Financial Services Applications, amounting to 103 fixes, followed by Oracle Communications with 91 patches.

Weintek HMI product threatens ICS

The CISA urged organizations to fix high-severity vulnerabilities in Weintek's cMT HMI product, used globally. Industrial cybersecurity firm TXOne Networks discovered three vulnerabilities that allow anonymous users to bypass authentication and execute arbitrary commands on the HMI. While a DoS attack doesn't require special permissions, executing arbitrary commands necessitates knowledge of the HMI's password. Although some exposed Weintek HMIs exist, such instances are limited.
