Cyware Daily Threat Intelligence

Daily Threat Briefing • October 26, 2023
Iranian threat actor Tortoiseshell has launched a new wave of watering hole attacks to deploy IMAPLoader, a .NET malware capable of executing payloads from email attachments through new service deployments. In the last quarter, the group was behind eight website breaches associated with shipping, logistics, and financial services companies in Israel. VPN users also face new risks: Cisco Talos laid bare over a dozen vulnerabilities in different VPN software whose potential impact on users' security includes denial of service and code execution.
In a separate incident, the PII and sensitive internal documents of many ServiceNow users were exposed owing to misconfiguration issues in its widgets. Security experts suggested that it would be nearly impossible to check for historical attack attempts to steal the data.
Ransomware attack on energy firm
Energy services provider BHI Energy, a subsidiary of Westinghouse, revealed that it fell victim to an Akira ransomware attack in June. The threat actor gained access to BHI's internal network via stolen VPN credentials in late May, through a compromised third-party contractor's account. The attacker performed reconnaissance before exfiltrating 690 GB of data, including the personal information of 896 Iowa residents. Personal data impacted include full names, dates of birth, SSNs, and health information.
Telecom firm disrupted by ransomware attack
Chilean telecommunications company Grupo GTD experienced a cyberattack on its Infrastructure-as-a-Service (IaaS) platform, leading to disruptions in various services, including data centers, internet access, and VoIP. The attack, identified as a Rorschach ransomware incident, prompted the disconnection of the IaaS platform from the internet to contain the spread of the attack. The ransomware uses the DLL sideloading technique to deploy its payload.
Fake Chrome update malware infects websites
A new malware variant dubbed FakeUpdateRU was found targeting site visitors, attempting to trick them into downloading a fake Google Chrome update. The fake update is essentially a trojan that overwrites the main index.php file of a website's active theme. The infection impacts WordPress websites as well as other CMS platforms. Google has blocked many domains associated with this malware, but attackers have adapted by linking directly to compromised websites.
Iranian hackers deploy IMAPLoader malware
Iranian threat actor Tortoiseshell launched a series of watering hole attacks between 2022 and 2023, revealed PwC Threat Intelligence. The attacks targeted maritime, shipping, and logistics sectors in the Mediterranean region. Tortoiseshell deployed the IMAPLoader malware, a .NET-based threat that uses email as a command-and-control channel and acts as a downloader for additional payloads. The malware is used to gather information about victims, such as their location, device information, and time of visits.
Malware on sale on dark web
A dark web vendor is advertising Vacum Stealer, a malware that allows cybercriminals to transfer Ethereum (ETH) and other ERC20 tokens from a user's wallet to the attacker's account. The developer, who worked on the malware for five months during an NFT campaign, claims that Vacum Stealer can execute these transfers without requiring additional confirmation. Users are warned to be cautious of pop-ups and websites related to cryptocurrency wallets.
VMware fixes critical vCenter Server bug
VMware has released security updates to fix a critical vulnerability (CVE-2023-34048) in vCenter Server that could be exploited by remote attackers for remote code execution without requiring user interaction. The vulnerability lies in the DCE/RPC protocol implementation of vCenter Server. VMware has stated that it has no evidence of active exploitation at this time. Given the critical nature of the bug, VMware has issued patches for both supported and end-of-life products. Because no workaround is available, applying the patches is the only preventive measure offered.
Apple issues patches for macOS and iOS flaws
Apple has issued significant security updates for macOS and iOS, addressing multiple vulnerabilities that could lead to code execution, privilege escalation, and exposure of sensitive data. The company documented 21 iOS security vulnerabilities and 44 macOS flaws, and stated that none of these had been exploited in the wild. Additionally, Apple patched an already-exploited vulnerability in an older version of iOS. The security updates cover various components, including Contacts, CoreAnimation, kernel, ImageIO, IOTextEncryptionFamily, and WebKit. The updates also extend to watchOS, tvOS, and Safari.
Cisco Talos reports critical flaws in popular VPNs
Cisco Talos has identified and disclosed 17 vulnerabilities, nine of them in the SoftEther VPN client. These vulnerabilities can lead to arbitrary code execution or service disruption, making them a concern for users. An additional XSS vulnerability was found in the Peplink Surf series of small office/home office (SOHO) wireless routers, allowing attackers to manipulate HTML elements to execute arbitrary JavaScript. The remaining vulnerabilities are issues in the JustSystems Ichitaro word processor that lead to arbitrary code execution.
Firefox and Chrome receive security updates
Mozilla has released Firefox 119 with patches for 11 vulnerabilities, including three high-severity issues. These include insufficient activation-delay bugs and memory safety issues that could allow attackers to execute arbitrary code. Google has also issued a Chrome update to address two vulnerabilities, including a high-severity use-after-free flaw in Profiles. These patches are essential for securing the browsers and preventing potential exploits that could allow an attacker to take control of a system.
ServiceNow fixes flaw enabling data stealing
ServiceNow issued a patch to fix a flaw that exposed an organization's sensitive data to unauthenticated attackers. The vulnerability stemmed from issues with the default configurations of Access Control Lists (ACLs) in ServiceNow's widgets, which act as powerful APIs for the platform's Service Portal. Despite a code change to improve safety earlier in the year, the default configuration of these widgets, if left unchanged, allowed them to return whatever type of data an attacker specifies.