
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 9, 2022

Malware authors continue to adapt to the security controls deployed against them. For instance, the relatively new Bumblebee malware loader, first observed in April, has received an update that makes it harder for anti-malware tools to detect, and its authors have added a post-exploitation framework to the infection chain. Separately, WordPress security company Wordfence has disclosed a zero-day flaw in the BackupBuddy plugin that is being actively exploited. It allows an unauthenticated attacker to download arbitrary files from the affected web server.

Another vulnerability was fixed by ConnectWise, a popular provider of remote monitoring and management tools. The flaw stems from improper access control; the Automate remote agents installed on managed assets are not affected.

Top Breaches Reported in Last 24 Hours

Sensitive NATO documents on sale

Threat actors were seen offering stolen confidential NATO documents for sale on the dark web. The documents belonged to Portugal's Armed Forces General Staff (EMGFA). Reports indicate that the attack used bots programmed to detect classified documents. The attackers also published samples of the stolen documents as proof, which were spotted by US intelligence services. An inquiry is ongoing to determine the extent of the breach.

Dual data breach rocks Indonesia

Indonesia experienced two major data breaches, both claimed by the same hacker, Bjorka. The first involves 1.3 billion SIM card registration records and the second 105 million citizenship records; both were leaked on an online forum. The second dataset is 20GB in size and was most likely obtained from the Indonesian General Elections Commission. The SIM card registration database, stolen from Indonesia's Ministry of Communication and IT last week, was put up for sale at $50,000.

Top Malware Reported in Last 24 Hours

Bumblebee aims for stealthy infections

The Bumblebee malware loader has been spotted with a new infection chain that injects a DLL payload directly into memory using the PowerSploit post-exploitation framework. Previously, Bumblebee reached victims via emails carrying password-protected ZIP archives containing an ISO image, which in turn held an LNK shortcut and a DLL. In the recent campaign, the ISO has been replaced with a VHD file that again contains an LNK shortcut; the shortcut launches a PowerShell script that loads the DLL from memory. Because the payload is loaded reflectively rather than written to and executed from disk, anti-virus tools have fewer chances to detect and stop Bumblebee.
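One practical response to this chain is to hunt for the PowerSploit reflective-injection step in PowerShell ScriptBlock logging (Windows Event ID 4104). The detector below is an added example written for this briefing, not code from the original page or from any vendor. The cmdlet names are PowerSploit's own (Invoke-ReflectivePEInjection, Invoke-DllInjection); the indicator weights, the threshold and the sample event records are constructed for the demo.

```python
import re

# Constructed sample records in the shape of PowerShell ScriptBlock logging
# (Windows Event ID 4104). Paths and script bodies are invented for the demo.
SAMPLE_EVENTS = [
    {"event_id": 4104,
     "script": "Get-ChildItem C:\\Backups | Compress-Archive -DestinationPath C:\\out.zip"},
    {"event_id": 4104,
     "script": ("$b = [IO.File]::ReadAllBytes('E:\\tmp\\md.dll'); "
                "Invoke-ReflectivePEInjection -PEBytes $b -ForceASLR")},
    {"event_id": 4104,
     "script": "$b = [IO.File]::ReadAllBytes('C:\\Tools\\helper.dll'); $b.Length"},
    {"event_id": 4103,  # pipeline logging, not a script block: ignored
     "script": "Invoke-ReflectivePEInjection"},
]

# Indicator patterns. The cmdlet names come from the public PowerSploit
# project; the weights are this example's own tuning (assumption).
INDICATORS = [
    (re.compile(r"Invoke-(ReflectivePEInjection|DllInjection)", re.I),
     "powersploit-injection-cmdlet", 8),
    (re.compile(r"\[(System\.)?IO\.File\]::ReadAllBytes\([^)]*\.dll'?\)", re.I),
     "dll-read-into-memory", 3),
    (re.compile(r"-PEBytes\b", re.I), "pe-bytes-argument", 2),
    (re.compile(r"(FromBase64String|-EncodedCommand|-enc\b)", re.I),
     "encoded-payload", 2),
]
THRESHOLD = 6  # an injection cmdlet alone is enough; ReadAllBytes alone is not


def score_script(script):
    """Return (score, reasons) for one script-block body."""
    score, reasons = 0, []
    for pattern, name, weight in INDICATORS:
        if pattern.search(script):
            score += weight
            reasons.append(name)
    return score, reasons


def detect(events, threshold=THRESHOLD):
    """Return [(index, score, reasons)] for 4104 records at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("event_id") != 4104:
            continue
        score, reasons = score_script(ev["script"])
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {idx}: score={score} reasons={reasons}")
```

Script block logging captures de-obfuscated code at execution time, so the cmdlet name surfaces even when the on-disk script is encoded; the second sample (a DLL read into a byte array without an injection call) stays below threshold on purpose to keep legitimate tooling out of the alert queue.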

Top Vulnerabilities Reported in the Last 24 Hours

Zero-Day Flaw exploited in BackupBuddy

Attackers are exploiting a zero-day vulnerability in BackupBuddy, a WordPress plugin, that allows unauthenticated users to download arbitrary files from the affected server. Exploitation was first observed last month, and the security firm Wordfence has since reported nearly five million attack attempts. The flaw affects plugin versions 8.5.8.0 through 8.7.4.1; BackupBuddy has approximately 140,000 active installations.
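An arbitrary file download bug of this kind is almost always a download handler that joins a user-supplied path onto a base directory without confining the result. The snippet below, an added example not taken from BackupBuddy or the original page, shows that vulnerable pattern next to a hardened version that pins the resolved path inside the intended directory. The function names, the temporary directory layout and the file contents are this example's own.

```python
import os
import shutil
import tempfile


def download_vulnerable(base_dir, requested):
    """Vulnerable pattern: a '../' or absolute 'requested' escapes base_dir."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as f:
        return f.read()


def download_hardened(base_dir, requested):
    """Serve only files whose resolved path lies strictly inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses '..' and follows symlinks, so the containment
    # check below also defeats symlink-based escapes from base_dir.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing to serve {requested!r}: outside {base}")
    with open(candidate, "rb") as f:
        return f.read()


def demo():
    """Build a constructed layout and exercise both handlers; returns outcomes."""
    root = tempfile.mkdtemp()
    try:
        backups = os.path.join(root, "backups")
        os.mkdir(backups)
        with open(os.path.join(backups, "site.zip"), "wb") as f:
            f.write(b"PK\x03\x04demo")
        # Sensitive file one level above the directory the handler should serve.
        with open(os.path.join(root, "wp-config.php"), "wb") as f:
            f.write(b"<?php define('DB_PASSWORD', 'demo');")

        results = {}
        results["legit_ok"] = download_hardened(backups, "site.zip") == b"PK\x03\x04demo"
        results["vuln_leaks"] = b"DB_PASSWORD" in download_vulnerable(backups, "../wp-config.php")
        try:
            download_hardened(backups, "../wp-config.php")
            results["hardened_blocks_traversal"] = False
        except PermissionError:
            results["hardened_blocks_traversal"] = True
        try:
            download_hardened(backups, os.path.join(root, "wp-config.php"))
            results["hardened_blocks_absolute"] = False
        except PermissionError:
            results["hardened_blocks_absolute"] = True
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that `os.path.join` silently discards the base when the second argument is absolute, which is why the hardened version validates the resolved result rather than trusting the join; checking for `../` substrings alone misses that case.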

Vulnerabilities spotted in medical devices

Four vulnerabilities were reported in the Sigma Spectrum Infusion Pump and Sigma WiFi Battery, both manufactured by the healthcare company Baxter International. In the U.S., healthcare professionals use these devices in clinical settings to deliver medication to patients. The vulnerabilities relate to the secure decommissioning of Wireless Battery Modules (WBMs). Successful exploitation could give an attacker access to sensitive data and allow changes to the system configuration.

Vulnerability in pfSense Firewall

Researchers from IHTeam discovered a critical vulnerability, CVE-2022-31814, in a package for the pfSense firewall. The flaw allows unauthenticated remote code execution as root on affected installations. The vulnerable pfBlockerNG package is not installed by default, so the number of affected systems is unknown, but approximately 27,000 pfSense machines are exposed on the internet. Only pfBlockerNG versions 2.1.4_26 and lower are affected; the pfBlockerNG-devel branch is unaffected and safe to use.

ConnectWise fixes high-risk vulnerability

ConnectWise has resolved a vulnerability in ConnectWise Automate that could allow unauthorized access to confidential data and other processing resources. The company has not confirmed in-the-wild exploitation, but rates the flaw as having a high likelihood of being targeted by exploits. The vulnerability affects versions 2022.8 and earlier of the suite; administrators should upgrade to the 2022.9 release, which is available only to customers with a ConnectWise account.
