Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 23, 2023
A banking trojan, previously designed to target banking users in Brazil and Mexico, has expanded its reach to Spain. Researchers have found a new version of the Grandoreiro banking trojan using the bank-credential-stealing overlay method to steal login credentials from users. Meanwhile, there’s an update on the recently discovered zero-day vulnerability abused to compromise over 50,000 Cisco devices. Cisco has encountered a second zero-day vulnerability in its IOS XE devices that is also being exploited in the wild. To stay safe, organizations are urged to address both vulnerabilities by applying the latest patches.
In other news, the District of Columbia Board of Elections (DCBOE) has disclosed that the data breach, which was detected on October 5, may have impacted the personal information of all registered voters in the U.S. Earlier, it was reported that the records of less than 4,000 voters were affected.
Okta discloses a data breach
Identity and authentication management provider Okta revealed that a breach of its customer support system allowed intruders to view files uploaded by certain clients. While the company is investigating the incident, it should be noted that the support case management system breached in this attack was also used to store HTTP Archive (HAR) files that contained cookies and session tokens. Threat actors can leverage those cookies and session tokens to impersonate valid users and hijack their browser sessions.
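An added example, not code from Cyware or Okta: a small Python sanitizer that redacts cookie, authorization and token values from a HAR file before it is attached to a support ticket, plus a check that reports any session material still present. The SAMPLE_HAR capture and the header and parameter name lists are constructed for the example.

```python
import copy

# Constructed sample: a minimal HAR capture of the kind a user might attach to a support ticket.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://app.example.test/api/me?sid=abc123",
        "headers": [{"name": "Cookie", "value": "session=s3cr3t; theme=dark"},
                    {"name": "Authorization", "value": "Bearer fake.jwt.value"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "session", "value": "s3cr3t"}],
        "queryString": [{"name": "sid", "value": "abc123"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "session=n3w; HttpOnly"}],
        "cookies": [{"name": "session", "value": "n3w"}]}}]}}

# Assumed lists: header and query-parameter names that carry session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"sid", "session", "token", "access_token", "id_token"}
REDACTED = "[REDACTED]"

def _messages(har):
    """Yield every request and response object in the HAR log."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield entry.get(side, {})

def sanitize_har(har: dict) -> dict:
    """Deep copy of `har` with cookie values, auth headers and token query params redacted."""
    out = copy.deepcopy(har)
    for msg in _messages(out):
        for h in msg.get("headers", []):          # HAR header names are case-insensitive
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        for c in msg.get("cookies", []):          # every cookie value is treated as a secret
            c["value"] = REDACTED
        for p in msg.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS:
                p["value"] = REDACTED
    return out

def leaked_values(har: dict) -> list:
    """Raw cookie/auth values still present in a HAR; an empty list means it is clean."""
    found = []
    for msg in _messages(har):
        found += [h.get("value", "") for h in msg.get("headers", [])
                  if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED]
        found += [c.get("value", "") for c in msg.get("cookies", []) if c.get("value") != REDACTED]
    return found
```

Run `leaked_values` on a HAR before it leaves the machine; a non-empty result means the file still carries session material and must not be uploaded.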
The City of Philadelphia reveals a data breach
The City of Philadelphia is investigating a data breach that occurred five months ago in May. Although officials detected the incident on May 24 due to suspicious activity in the City's email system, the investigation revealed that threat actors might have had access to emails in the compromised accounts for a minimum of two months after the City's discovery of the incident. The types of information impacted in the attack include names, addresses, dates of birth, medical information, Social Security numbers, and contact details of individuals.
AmFam confirms a cyberattack
Insurance giant American Family Insurance (AmFam) confirmed suffering a cyberattack that caused outages on its website, phone service, and bill payment, among other services. To prevent the spread of the attack, the firm had to shut down portions of its IT systems. While the investigation is ongoing, the firm states that there is no evidence of compromise to critical business and customer data processing or storage systems.
Update on DCBOE data breach
In a new update on the data breach, the District of Columbia Board of Elections (DCBOE) revealed that threat actors may have obtained access to the personal information of all registered voters. The breach first came to light on October 5 after the RansomedVC ransomware gang posted the agency’s name on its dark web site, claiming that it had acquired over 600k lines of voter data.
A new version of Grandoreiro detected
A new version of the Grandoreiro banking trojan from the TA2725 APT has been observed targeting banking users in Mexico and Spain. Previously, the malware was known for targeting banking users in Brazil and Mexico. The latest activity observed indicates that the threat actors are expanding their operations. The new version of the malware was used in two campaigns between August 24 and 29. It used bank-credential-stealing overlays to steal credentials from users.
Second zero-day vulnerability in Cisco discovered
The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously dropped from over 50,000 to only a few hundred. These devices were hacked by exploiting a zero-day vulnerability (CVE-2023-20198). Some researchers speculate that attackers are deploying an update to hide their presence, so that the implants no longer show up in scans. Amidst the significant drop, Cisco warned of a new zero-day vulnerability (CVE-2023-20237) in the software that is also being exploited in the wild to deliver a Lua backdoor. Security patches have been issued to address these flaws.