Cyware Daily Threat Intelligence

Daily Threat Briefing Oct 27, 2023

Healthcare sector patch alert! A critical vulnerability has been discovered in Mirth Connect, NextGen Healthcare's data integration platform, which is widely used by healthcare organizations in more than 30 countries. Attackers could exploit it to compromise sensitive healthcare data or gain initial access to critical systems. Speaking of flaws, a critical vulnerability in F5's BIG-IP poses a high risk of unauthenticated remote code execution, prompting F5 to issue warnings, release patches, and suggest temporary workarounds.

On the malware side, StripedFly, a cross-platform malware platform that has been active for five years, has surfaced once again. Now recognized as a versatile APT threat with advanced capabilities, it was originally mistaken by researchers for mere cryptocurrency mining malware, which underscores the need for robust security measures.

Top Breaches Reported in the Last 24 Hours

Real estate app blurts out user data

The Hello Alfred platform, which provides in-home services and maintenance for real estate developers and property managers, exposed sensitive user data such as names, contact information, authentication tokens, private notes, and partial payment information. The leak was caused by a publicly accessible MongoDB database containing nearly 170,000 records, raising concerns about user privacy and security.

Pro-Ukraine attackers target Spotify accounts

Pro-Ukraine hackers targeted Russian musicians on Spotify by compromising their accounts and replacing their profile pictures with images of Ukraine's flag. The affected musicians include Nikolay Baskov, Grigory Leps, Oleg Gazmanov, and the rock band Leningrad, who have expressed support for the Kremlin and the war in Ukraine. The adversaries left messages on the profiles, such as "Stop war in Ukraine," and featured images of Ukrainian rapper Clonnex.

APT28’s wide-scale attacks on France

A recent report from the French ANSSI reveals that APT28 has been actively exploiting vulnerabilities to target government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021. The bugs exploited include a zero-day privilege escalation flaw in Microsoft Outlook (CVE-2023-23397), an RCE bug in WinRAR (CVE-2023-38831), a Follina flaw (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool, and CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 in the Roundcube application.

California city warns of data breach

The city of Victorville, California, issued a breach notification to its residents after learning that cybercriminals had access to the city's systems from August 12 to September 26. The breach exposed personal data, including names, SSNs, driver's license numbers, medical information, and health insurance policy numbers. The city did not disclose specifics of the intrusion; however, the NoEscape ransomware gang claimed responsibility and said it stole 200GB of data from government systems.

DDoS attack peaks at 201 million rps

Cloudflare has reported a significant increase in hyper-volumetric HTTP DDoS attacks, with 89 recent attacks exceeding 100 million requests per second (rps) and the largest being 201 million rps. These attacks exploited the recently disclosed HTTP/2 Rapid Reset vulnerability (CVE-2023-44487). This trend resulted in a 65% increase in HTTP DDoS attack traffic in Q3 compared to the previous quarter. A spike in DNS-based DDoS attacks and a decline in ransom DDoS attacks were also observed in that quarter.
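Rapid Reset works because a client may open a stream with HEADERS and immediately cancel it with RST_STREAM; the cancelled stream no longer counts against the SETTINGS_MAX_CONCURRENT_STREAMS budget, so the client can keep opening streams at line rate while the server still does the work of tearing each one down. That gives a simple connection-level signal: a very high ratio of client-initiated RST_STREAM frames to streams opened, arriving at a very high rate. The following is an added example, not code from Cyware or Cloudflare; it runs that check over a constructed, simplified per-frame log of the form `t_ms conn dir frame stream_id` (a real deployment would read these counters from the proxy's HTTP/2 layer), and the thresholds are illustrative assumptions, not published values.

```python
"""Flag HTTP/2 Rapid Reset (CVE-2023-44487) behaviour from per-frame connection logs.

Added example. The log format below is constructed for this demonstration:
    <t_ms> <conn_id> <dir: C|S> <frame_type> <stream_id>
Thresholds are assumptions chosen for the example, not vendor guidance.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

MIN_STREAMS = 50             # ignore low-volume connections (assumption)
RST_RATIO_THRESHOLD = 0.5    # client resets / streams opened (assumption)
RST_PER_SEC_THRESHOLD = 100  # client resets per second (assumption)


@dataclass
class ConnStats:
    opened: int = 0            # client-initiated streams seen (odd ids, RFC 9113 5.1.1)
    client_resets: int = 0     # RST_STREAM frames sent by the client
    first_ms: Optional[int] = None
    last_ms: Optional[int] = None

    @property
    def rst_ratio(self) -> float:
        return self.client_resets / self.opened if self.opened else 0.0

    @property
    def rst_per_sec(self) -> float:
        span_ms = max(1, (self.last_ms or 0) - (self.first_ms or 0))
        return self.client_resets * 1000.0 / span_ms


def parse_frames(log_text: str) -> Iterator[Tuple[int, str, str, str, int]]:
    """Yield (t_ms, conn, dir, frame_type, stream_id); skips blanks and '#' comments."""
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, conn, direction, ftype, sid = line.split()
        yield int(t), conn, direction, ftype, int(sid)


def connection_stats(log_text: str) -> Dict[str, ConnStats]:
    """Aggregate per-connection stream opens and client-initiated resets."""
    stats: Dict[str, ConnStats] = defaultdict(ConnStats)
    opened = set()  # (conn, stream_id) pairs already counted as opened
    for t, conn, direction, ftype, sid in parse_frames(log_text):
        s = stats[conn]
        s.first_ms = t if s.first_ms is None else min(s.first_ms, t)
        s.last_ms = t if s.last_ms is None else max(s.last_ms, t)
        if direction != "C":
            continue  # only client behaviour matters for this signal
        if ftype == "HEADERS" and sid % 2 == 1 and (conn, sid) not in opened:
            opened.add((conn, sid))
            s.opened += 1
        elif ftype == "RST_STREAM" and (conn, sid) in opened:
            s.client_resets += 1
    return dict(stats)


def flag_rapid_reset(log_text: str,
                     min_streams: int = MIN_STREAMS,
                     ratio: float = RST_RATIO_THRESHOLD,
                     per_sec: float = RST_PER_SEC_THRESHOLD) -> List[str]:
    """Return connection ids whose reset ratio and reset rate both exceed thresholds."""
    return sorted(
        conn for conn, s in connection_stats(log_text).items()
        if s.opened >= min_streams and s.rst_ratio >= ratio and s.rst_per_sec >= per_sec
    )


def build_sample_log() -> str:
    """Constructed sample: conn A is a normal browser, conn B is a Rapid Reset client."""
    lines = ["# t_ms conn dir frame stream"]
    for i in range(60):                       # A: 60 requests over ~6 s, served normally
        t, sid = i * 100, 2 * i + 1
        lines.append(f"{t} A C HEADERS {sid}")
        lines.append(f"{t + 30} A S HEADERS {sid}")
        lines.append(f"{t + 40} A S DATA {sid}")
    lines.append("5001 A C RST_STREAM 101")   # one legitimate user cancellation
    for i in range(500):                      # B: 500 streams opened and cancelled in 0.5 s
        sid = 2 * i + 1
        lines.append(f"{i} B C HEADERS {sid}")
        lines.append(f"{i} B C RST_STREAM {sid}")
    return "\n".join(lines)


if __name__ == "__main__":
    for conn, s in connection_stats(build_sample_log()).items():
        print(f"{conn}: opened={s.opened} resets={s.client_resets} "
              f"ratio={s.rst_ratio:.2f} rst/s={s.rst_per_sec:.0f}")
    print("flagged:", flag_rapid_reset(build_sample_log()))
```

The two conditions are deliberately combined: a single cancelled download or a page navigation produces a high-ratio, low-rate connection and should not trip the rule, while a Rapid Reset client produces both. In production the remedy is to patch the HTTP/2 implementation and to apply per-connection reset rate limits or GOAWAY at the edge rather than to rely on log-based alerting alone.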

Top Malware Reported in the Last 24 Hours

Cross-platform malware that also mines

A highly sophisticated cross-platform malware platform named StripedFly, which went unnoticed for five years, infected over a million Windows and Linux systems. Despite initially being classified as a cryptocurrency miner, StripedFly is now recognized as a complex Advanced Persistent Threat (APT) malware. The malware leverages numerous advanced techniques, including a custom EternalBlue SMBv1 exploit and Tor-based traffic concealment. Its modules enable data theft, system exploitation, Monero mining, and even ransomware attacks, making it a versatile threat.

Millions of malicious Android app downloads

Over 2 million Android users unknowingly installed malicious apps from Google Play, containing the HiddenAds, Joker, and FakeApp malware families. Some apps disguised as games run in the background, displaying intrusive ads while concealing their presence. Furthermore, users are lured into investment scams or directed to dubious online casinos. These apps have been removed from Google Play, but users who previously installed them should delete them and run security scans.

DuckTail malware used in identity theft campaign

Cluster25, an Italian cybersecurity firm, detected a malicious campaign that exploits LinkedIn messages for identity theft attacks. The attackers use a malware known as DuckTail, which is capable of taking over Facebook Business accounts. If victims open the malware-laden files, their computers get infected, enabling data theft, including cookies, session data, and browser credentials. The campaign begins with attackers sending fake job offers via LinkedIn messages. It is primarily targeting sales and finance professionals in Italy.

Top Vulnerabilities Reported in the Last 24 Hours

Flaw in F5's BIG-IP allows RCE attack

F5 issued a warning to customers about a critical security vulnerability in its BIG-IP product that could result in unauthenticated remote code execution. The vulnerability was found in the Configuration utility component and has been assigned CVE-2023-46747. With a CVSS score of 9.8 out of 10, the flaw may allow an attacker with network access to the Configuration utility (via the management port or self IP addresses) to execute arbitrary system commands without authentication. F5 has released patches for affected versions and provided temporary workarounds for customers who cannot upgrade immediately.

RCE flaw affects healthcare platform

Horizon3.ai has identified a critical remote code execution vulnerability, CVE-2023-43208, in Mirth Connect, the healthcare data integration platform from NextGen Healthcare that is widely used by healthcare organizations. The flaw can be exploited without authentication and allows attackers to compromise sensitive healthcare data or gain initial access to systems. Notably, CVE-2023-43208 is a bypass of the incomplete fix for the previously patched CVE-2023-37679: the earlier advisory scoped that issue to older Java versions, but the bypass affects Mirth Connect instances prior to version 4.4.1 regardless of the Java version used.
