Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 9, 2022
Malware authors continue to adapt to the advanced security protocols in place. For instance, the relatively new Bumblebee malware loader, discovered in April, has received an update that makes it harder for anti-malware tools to detect. Its authors have also added a post-exploitation tool to its arsenal. Separately, the WordPress security company Wordfence has revealed a zero-day flaw in the BackupBuddy plugin that is being actively abused by cyber adversaries; it allows an unauthenticated threat actor to make inroads on web servers.
Another vulnerability was fixed by ConnectWise, a popular remote monitoring and management tool provider. The flaw stems from improper access control; however, the Automate remote agents installed on the managed assets are immune to it.
Sensitive NATO documents on sale
Threat actors were seen offering stolen confidential NATO documents for sale on the dark web. The documents belonged to the Armed Forces General Staff agency of Portugal (EMGFA). Reports revealed that the attack was carried out using bots programmed to detect secret documents. Hackers also published samples of the stolen documents as proof, which was discovered by the US Information Services. An inquiry is ongoing to determine the extent of the data breach.
Dual data breach astounds Indonesia
Indonesia experienced two major data breaches, both by the same hacker, Bjorka. The first incident involves 1.3 billion SIM card registration details and the second concerns 105 citizenship records. Both were leaked on an online forum. The second dataset is 20GB in size and was most likely obtained from the Indonesian General Elections Commission. Furthermore, the SIM card database stolen from Indonesia's Ministry of Communication and IT last week is valued at $50,000.
Bumblebee aims for stealthy infections
The Bumblebee malware loader has been spotted with a new infection chain that stealthily injects a DLL payload into memory via the PowerSploit post-exploitation framework. Previously, Bumblebee reached victims via emails carrying password-protected ZIP archives containing ISO files, which in turn held an LNK and a DLL file. In the recent attack, Bumblebee replaced the ISO with a VHD file, which again contains an LNK shortcut. The change reduces the chances of anti-virus tools detecting and stopping Bumblebee because the payload loads from memory instead of the host's disk.
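The delivery chain above (password-protected ZIP wrapping an ISO or VHD that carries an LNK) is something a mail gateway can flag before any payload runs. The script below is an added example, not code from the original briefing or from any vendor: it parses a constructed, simplified attachment log (the `attach=`, `zip_encrypted=`, `inner=` fields and the sample lines are invented for this example) and raises an alert when a disk-image container appears together with an LNK shortcut or inside an encrypted ZIP that could not be inspected.

```python
"""Flag inbound mail whose attachments match the disk-image + LNK lure
pattern described in the Bumblebee write-up.

The log format is constructed for this example; map LINE_RE to your own
gateway's fields before using it.
"""
import posixpath
import re

# Disk-image containers: once mounted, the files inside do not carry the
# Mark-of-the-Web of the original download, which is why lures use them.
DISK_IMAGE_EXT = {".iso", ".vhd", ".vhdx", ".img"}

# Constructed sample gateway lines (not real output from any product).
SAMPLE_LOG = """\
2022-09-09T08:12:01Z from=invoice@example.test to=ap@corp.test attach="Invoice_2291.zip" zip_encrypted=yes inner="Invoice_2291.vhd;Invoice_2291.vhd/Invoice.lnk;Invoice_2291.vhd/run.dll"
2022-09-09T08:15:44Z from=hr@corp.test to=all@corp.test attach="Policy.pdf" zip_encrypted=no inner=""
2022-09-09T08:20:10Z from=ops@example.test to=it@corp.test attach="backup.iso" zip_encrypted=no inner="setup.lnk"
2022-09-09T08:31:09Z from=dev@corp.test to=qa@corp.test attach="build.zip" zip_encrypted=no inner="app.exe"
"""

LINE_RE = re.compile(
    r'(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'attach="(?P<attach>[^"]*)" zip_encrypted=(?P<enc>yes|no) '
    r'inner="(?P<inner>[^"]*)"'
)


def _ext(name):
    return posixpath.splitext(name)[1].lower()


def indicators_for(attach, encrypted, inner_paths):
    """Return the sorted list of indicators present in one attachment tree."""
    # Look at every path component so a nested "x.vhd/Invoice.lnk" counts
    # both the VHD container and the LNK inside it.
    names = [attach] + [part for p in inner_paths for part in p.split("/") if part]
    found = set()
    if any(_ext(n) in DISK_IMAGE_EXT for n in names):
        found.add("disk_image")
    if any(_ext(n) == ".lnk" for n in names):
        found.add("lnk")
    if encrypted:
        # Password-protected ZIPs cannot be content-scanned by the gateway.
        found.add("encrypted_zip")
    return sorted(found)


def is_suspicious(indicators):
    """A disk image is the key signal; pair it with the LNK lure or with an
    encrypted wrapper that prevented inspection."""
    return "disk_image" in indicators and (
        "lnk" in indicators or "encrypted_zip" in indicators
    )


def analyze_line(line):
    """Parse one log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    inner = [p for p in m["inner"].split(";") if p]
    ind = indicators_for(m["attach"], m["enc"] == "yes", inner)
    return {
        "ts": m["ts"],
        "sender": m["sender"],
        "attach": m["attach"],
        "indicators": ind,
        "suspicious": is_suspicious(ind),
    }


def find_suspicious(log_text):
    """Return the records from log_text that should be alerted on."""
    hits = []
    for line in log_text.splitlines():
        rec = analyze_line(line)
        if rec and rec["suspicious"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {rec['ts']} {rec['sender']} {rec['attach']} {rec['indicators']}")
```

Running it on the constructed sample flags the encrypted ZIP that hides a VHD with an LNK and the bare ISO with an LNK, while the PDF and the plain ZIP with an executable pass; treating the encrypted ZIP as an indicator in its own right is a deliberate choice, since the lack of inspection is part of the lure's design.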
Zero-day flaw exploited in BackupBuddy
Hackers exploited a zero-day vulnerability in BackupBuddy, a WordPress plugin, that allows unauthenticated users to download arbitrary files from the affected site's server. The flaw was first exploited last month, and the security firm Wordfence has since reported nearly five million attacks. The flaw affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has approximately 140,000 active installations.
Vulnerabilities spotted in medical devices
Four vulnerabilities were reported in the Sigma Spectrum Infusion Pump and Sigma WiFi battery, both manufactured by the healthcare company Baxter International. In the U.S., healthcare professionals use them in clinical settings to dispense medication to patients. The vulnerabilities are related to secure decommissioning of Wireless Battery Modules (WBMs). Successful exploitation of these vulnerabilities could result in sensitive data access and system configuration changes.
Vulnerability in pfSense Firewall
Researchers from IHTeam discovered a critical vulnerability, CVE-2022-31814, in a plugin for the pfSense firewall. The flaw allows unauthenticated remote code execution as root on affected installations; the affected pfBlockerNG plugin is not installed by default. The number of affected systems is unknown, but there are approximately 27,000 pfSense machines exposed on the internet. The only versions affected are 2.1.4_26 and lower. The pfBlockerNG-devel package is unaffected and safe to use.
ConnectWise fixes high-risk vulnerability
ConnectWise has resolved a vulnerability discovered in ConnectWise Automate that could allow unauthorized access to confidential data and other processing resources. The company has not confirmed whether the vulnerability is being exploited in the wild, but rates it as being at high risk of being targeted by exploits in the wild. The vulnerability affects software suite versions 2022.8 and earlier; admins should upgrade to apply the 2022.9 patch, which is available only to users with an account.
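Three items in this briefing (BackupBuddy, pfBlockerNG and ConnectWise Automate) reduce to the same defender task: check an inventory of installed versions against an affected range, without the lexicographic mistakes a plain string comparison makes ("8.7.10" sorting below "8.7.4"). The script below is an added example, not code from the briefing or from any of the vendors. The version ranges are taken from the text above (for ConnectWise Automate, "2022.8 and earlier" is expressed as anything below the 2022.9 fix; the pfBlockerNG ceiling is the page's "2.1.4 26" read as 2.1.4_26); the product keys and the inventory are constructed for the example.

```python
"""Check an inventory of installed versions against the affected ranges
reported in this briefing. Version strings are compared numerically,
component by component, so 8.7.10 is correctly newer than 8.7.4.
"""
import re

# (lower_inclusive or None, upper, upper_inclusive) per product.
# Product keys are constructed for this example; ranges are from the text.
AFFECTED = {
    "backupbuddy": ("8.5.8.0", "8.7.4.1", True),        # 8.5.8.0 to 8.7.4.1
    "pfblockerng": (None, "2.1.4_26", True),            # 2.1.4_26 and lower
    "connectwise-automate": (None, "2022.9", False),    # anything before the 2022.9 fix
}

# Constructed sample inventory: (asset, product, installed version).
INVENTORY = [
    ("site-a", "backupbuddy", "8.7.4.1"),
    ("site-b", "backupbuddy", "8.7.5"),
    ("site-c", "backupbuddy", "8.5.7"),
    ("site-d", "backupbuddy", "8.7.10"),
    ("rmm-1", "connectwise-automate", "2022.8"),
    ("rmm-2", "connectwise-automate", "2022.9"),
    ("fw-1", "pfblockerng", "2.1.4_26"),
    ("fw-2", "pfblockerng", "3.1.0_4"),
]


def parse_version(text):
    """Turn '2.1.4_26' or '8.7.4.1' into a tuple of ints."""
    parts = re.split(r"[._-]", text.strip())
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def compare(a, b):
    """Return -1, 0 or 1 comparing two version tuples; shorter tuples are
    padded with zeros so 2022.8 == 2022.8.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(product, version):
    """True if the installed version of product falls in its affected range."""
    rule = AFFECTED.get(product)
    if rule is None:
        return False  # no advisory for this product in the briefing
    lower, upper, upper_inclusive = rule
    v = parse_version(version)
    if lower is not None and compare(v, parse_version(lower)) < 0:
        return False
    c = compare(v, parse_version(upper))
    return c < 0 or (upper_inclusive and c == 0)


def triage(inventory):
    """Return the asset names whose installed version is affected."""
    return [asset for asset, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    for asset in triage(INVENTORY):
        print(f"{asset}: affected, schedule the upgrade")
```

The "8.7.10" entry is included to show why numeric comparison matters: a string comparison would place it inside the BackupBuddy range, while the tuple comparison correctly leaves it out.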