Cyware Daily Threat Intelligence
Daily Threat Briefing • Oct 25, 2023
Top social media platforms are not secured for logins! You heard it. Security experts have uncovered security flaws in the social login mechanisms of three well-known websites that have the potential to jeopardize tens of millions of user accounts, potentially leading to account hijacking and data leaks. Adding to the woes is a new Android-based RAT that poses itself as the Google Chrome browser. Dubbed Rusty Droid, the malware can track financial activities, intercept emails from Gmail accounts, and even initiate calls to premium-rate numbers.
Be warned! VMware is alerting customers about the availability of proof-of-concept exploit code for a critical authentication bypass vulnerability in Aria Operations for Logs, which could enable RCE with root privileges under specific conditions.
Unprotected data found at life science firm
The Cybernews research team uncovered two publicly hosted environment (.env) files containing sensitive data from New England Biolabs (NEB), a life science research company. These files, intended for the production environment, included database credentials, SMTP server login information, enterprise payment processing data, and more. The exposure of such files poses a significant threat to organizations, potentially leading to unauthorized access, data breaches, financial losses, and legal issues.
Basketball team’s data compromised
French professional basketball team LDLC ASVEL confirmed a data breach after the NoEscape ransomware gang reported an attack on the club. The threat actors claim to have stolen 32 GB of data, including personal information, passports, finance documents, and contracts. NoEscape used this data to extort the victim. While the breach did not disrupt the club's operations, the extent of harm to third parties is being assessed, particularly concerning fans' payment details.
Cyberattack impacts millions of Airbnb users
Airbnb, the popular accommodation platform, is facing a potential data breach that could expose the personal information of 1.2 million users. A threat actor named 'Sheriff' claims to have the data and has set a starting price of $7,000 for its sale on the dark web. The exposed information includes names, email addresses, countries of residence, cities, and more. While the breach has not been officially confirmed by Airbnb, the situation raises serious concerns about user privacy and security.
Philadelphia natives’ data stolen
The City of Philadelphia has disclosed that certain individuals' information was stolen in a cyberattack. The investigation revealed that unauthorized parties accessed certain city email accounts between May 26 and July 28. Furthermore, some of these accounts contained protected health information, which the city became aware of on August 22, 2023. Personal data, health information, and financial records may have been compromised in the attack.
Criminals hold plastic surgeon clinic to ransom
A newly emerged ransomware gang Hunters International claims to have accessed the systems of a US plastic surgeon's clinic and is attempting to pressure the clinic into paying a ransom by leaking pre-operation pictures of patients. This morally questionable tactic is being used to speed up ransom negotiations and is reminiscent of previous attacks where ransomware groups targeted healthcare organizations. Security experts have linked Hunters International to the shuttered Hive group, which was previously dismantled through an international law enforcement operation.
Meet a new potential RAT
A recent discovery by K7 Security Labs highlights the Rusty Droid, an Android malware that disguises itself as the Chrome browser. Once granted the accessibility permission, it conceals its icon from the app drawer. The malware can collect contact information, account data, and the app list before connecting to a control server. Using the Android Accessibility Service as a keylogger, Rusty Droid can further steal sensitive data, including passwords and credit card details, which can be abused for identity theft and fraud.
Billions of social media accounts are at risk
Critical API security flaws in the social sign-in and OAuth implementations have been identified in high-profile websites such as Vidio, Grammarly, and Bukalapak, potentially exposing tens of millions of user accounts to account hijacking and data leakage. These vulnerabilities were discovered through the Pass-The-Token Attack method, enabling unauthorized access to user accounts on multiple websites. The flaws were primarily related to improper token verification during the social sign-in process.
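The defect described above, a social sign-in endpoint that checks a token's signature and issuer but never confirms the token was issued to this site, is the classic cause of a pass-the-token weakness: a token legitimately obtained by some other application is accepted as a login here. The following is an added illustration, not code from the report or from any of the named sites. It uses an HS256 token with a constructed shared secret so it runs offline (real providers sign ID tokens with RS256 and publish keys via JWKS); the issuer URL, client ID and claims are all hypothetical. The weak verifier accepts a token minted for another application; the hardened one binds the audience to this site's client ID and checks expiry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. A shared secret stands in for the provider's
# signing key so the example runs without network access or extra libraries.
DEMO_SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example"          # hypothetical identity provider
OUR_CLIENT_ID = "our-site-client-id"    # hypothetical client ID registered by this site


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Mint an HS256 JWT the way the simulated identity provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        f"{_b64url_encode(json.dumps(header).encode())}."
        f"{_b64url_encode(json.dumps(claims).encode())}"
    )
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def _verify_signature_and_parse(token: str) -> Optional[dict]:
    """Return the claims if the token is well formed and the HMAC matches, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # refuse "none" and other alg confusion
            return None
        expected = hmac.new(DEMO_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def weak_login(token: str) -> Optional[str]:
    """Weak verification: signature and issuer only.
    Any valid token from the provider is accepted, even one issued to another app."""
    claims = _verify_signature_and_parse(token)
    if claims is None or claims.get("iss") != ISSUER:
        return None
    return claims.get("sub")


def hardened_login(token: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened verification: signature, issuer, audience bound to our client ID, expiry."""
    claims = _verify_signature_and_parse(token)
    if claims is None or claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if OUR_CLIENT_ID not in audiences:      # the check the weak path is missing
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    t = int(time.time())
    other_app = mint_token({"iss": ISSUER, "aud": "some-other-app", "sub": "user-42", "exp": t + 600})
    print("weak accepts foreign token:", weak_login(other_app))          # user-42
    print("hardened rejects it:", hardened_login(other_app))             # None
```

Binding `aud` to the client ID is what distinguishes "this token is genuine" from "this token was issued for us"; a provider-signed token can be genuine and still belong to a different relying party.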
VMware bug allows RCE
A critical authentication bypass vulnerability, CVE-2023-34051, has been found in VMware Aria Operations for Logs. This flaw, with a CVSS score of 8.1, allows unauthenticated attackers to inject files into an affected appliance's OS, potentially leading to remote code execution. VMware has confirmed the availability of proof-of-concept exploit code for this vulnerability. The exploit code uses IP address spoofing and Thrift RPC endpoints to perform arbitrary file write, potentially creating a reverse shell.
European entities targeted via zero-day bug
A well-known espionage group, Winter Vivern, linked to Russia and Belarus, has been exploiting a zero-day vulnerability in the Roundcube Webmail software, which is popular among European governments. ESET researchers identified this campaign, which specifically targeted Roundcube servers owned by governmental entities and a think tank in Europe. The vulnerability, tracked as CVE-2023-5631, was notable because it allowed the attackers to exfiltrate email messages merely by having the victim view a malicious email in a web browser.
Citrix urges patch fix
Citrix wants administrators to immediately apply a patch for a critical information disclosure vulnerability, CVE-2023-4966, affecting its NetScaler ADC and NetScaler Gateway products. This comes after Mandiant warned that the vulnerability had been exploited by cybercriminals, potentially nation-state actors, to hijack sessions and steal corporate data since late August. Citrix released a patch for affected devices on October 10. Organizations using affected builds are urged to assume they are compromised and are recommended to apply the update immediately.