
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 1, 2023

The rapid evolution of an info-stealer dubbed SapphireStealer is drawing the attention of the security community. Since its release in December 2022, multiple groups have adapted and modified its codebase, producing several variants, and in some cases the stealer has been delivered as one stage of a multi-stage infection chain. Unpatched critical bugs are again under attack: researchers have observed attempts to exploit an Adobe ColdFusion deserialization vulnerability, delivering at least four different malware payloads, even though Adobe released a patch for the flaw in July.

Urging customers to promptly update their firmware, Netgear has addressed a vulnerability duo in one of its router models and its network management software. Both vulnerabilities have been categorized as high-severity issues.

Top Breaches Reported in the Last 24 Hours

Thousands of companies exposed to cyber threats

The National Safety Council (NSC), a U.S. non-profit organization, inadvertently exposed nearly 10,000 email addresses and passwords belonging to its 55,000 members for five months. The exposure touched around 2,000 organizations, including major corporations and government bodies such as Shell, Boeing, Tesla, NASA, Pfizer, and the FBI. Because members often reuse credentials, the leaked pairs can be used in credential stuffing attacks against those organizations.

Security incident impacts Blue Cross members

Prime Therapeutics LLC, in partnership with Magellan Rx, has reported a security incident affecting a subset of its covered Blue Cross and Blue Shield of Minnesota members. On July 11, Prime discovered that an unauthorized actor gained access to an employee's mobile email account, which contained the personal health information of members, including names, addresses, dates of birth, member ID numbers, and medication details.

Over a million customer records laid bare

Callaway, the American golf equipment maker, suffered a data breach in early August that affected 1,114,954 individuals. The attackers obtained names, addresses, email addresses, phone numbers, order histories, passwords, and security question answers. No payment card data or Social Security numbers were exposed.

Data stolen due to leaked admin token

Sourcegraph, a code search and intelligence platform, reported a security breach after noticing a spike in API usage on August 30. The incident was traced to a site-admin access token that had been committed to a public repository on July 14 and was not caught by the company's internal code analysis tools. The attacker used this broadly privileged token to create a new account, elevate it to admin, and access the admin dashboard.
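The Sourcegraph token slipped past pattern-based tooling, which is the usual failure mode when a token has no recognizable prefix. The following is an added example (not Sourcegraph's code or the page's) of a complementary check: scan only the added lines of a diff for assignments to secret-like keys and flag values whose Shannon entropy is high. The diff hunk and the token in it are constructed for the example; the key-name regex and the 3.5-bit threshold are assumptions to tune per repository.

```python
import math
import re
from collections import Counter

# Constructed diff hunk (not a real Sourcegraph commit). One added line carries a
# hypothetical 64-hex-char admin token; the others are ordinary config changes.
SAMPLE_DIFF = """\
diff --git a/deploy/config.yaml b/deploy/config.yaml
+++ b/deploy/config.yaml
@@ -1,4 +1,6 @@
 image: registry.example.com/app:latest
+admin_token: "3f9a0c7e1b5d2846e17b4a9f3c0d56288d2f6e1a4b9c07355c3a8f2e7d1b4960"
+password: "changeme_changeme_changeme"
 replicas: 3
-debug: false
+debug: true
"""

# Assumed key names that commonly carry secrets; the value must be 20+ token chars.
ASSIGNMENT = re.compile(
    r'(?i)(token|secret|password|api[_-]?key)\s*[:=]\s*["\']?([A-Za-z0-9_\-]{20,})'
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (4.0 is the maximum for hex)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(diff_text: str, min_entropy: float = 3.5) -> list[dict]:
    """Flag high-entropy values assigned to secret-like keys on added diff lines."""
    findings = []
    for line in diff_text.splitlines():
        # Only '+' lines can introduce a new secret; '+++' is the file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for m in ASSIGNMENT.finditer(line[1:]):
            value = m.group(2)
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                findings.append(
                    {"key": m.group(1).lower(), "value": value, "entropy": round(ent, 2)}
                )
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_DIFF):
        print(f"possible secret in key '{f['key']}' (entropy {f['entropy']}): {f['value'][:8]}...")
```

The low-entropy `changeme_changeme_changeme` value is examined but not flagged, which is the point of combining a key-name match with an entropy threshold: the former narrows where to look, the latter separates real tokens from placeholders. Running this as a pre-receive hook on the server side catches the case where a developer's local hook is missing or disabled.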

Default passwords risk customer data

Network monitoring company LogicMonitor acknowledged a security incident affecting a portion of its customers. The incident stemmed from LogicMonitor's earlier practice of provisioning customer accounts with weak default passwords of the form "Welcome@" followed by a short number. Customers were not required to change these defaults until recently. At one affected customer, around 400 systems were compromised.
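A default of "Welcome@" plus a short number leaves a keyspace small enough to exhaust against stored password hashes in seconds, which is also how a defender can find accounts still carrying the default. The following is an added example (not LogicMonitor's code or the page's) of that audit: enumerate the pattern, hash each candidate with the account's salt, and report matches. The digit width, the salted SHA-256 storage format, and the three sample accounts are constructed assumptions; a real deployment would use a slow KDF, which only changes the hashing call.

```python
import hashlib
import itertools

# Assumed default scheme modelled on the briefing: fixed prefix + 1-4 digits.
DEFAULT_PREFIX = "Welcome@"
MAX_DIGITS = 4


def keyspace_size(max_digits: int = MAX_DIGITS) -> int:
    """Number of distinct passwords the default pattern can produce."""
    return sum(10 ** width for width in range(1, max_digits + 1))


def default_candidates(prefix: str = DEFAULT_PREFIX, max_digits: int = MAX_DIGITS):
    """Yield every password matching prefix + 1..max_digits decimal digits."""
    for width in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=width):
            yield prefix + "".join(digits)


def hash_password(password: str, salt: bytes) -> str:
    # Constructed storage format for the example: salted SHA-256, hex encoded.
    # The audit does not depend on the algorithm; swap in your store's KDF.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed account records: (username, per-account salt, stored hash).
SAMPLE_ACCOUNTS = [
    ("alice", b"salt-a", hash_password("Welcome@42", b"salt-a")),
    ("bob", b"salt-b", hash_password("correct horse battery staple", b"salt-b")),
    ("svc-monitor", b"salt-c", hash_password("Welcome@1234", b"salt-c")),
]


def audit_accounts(accounts) -> dict:
    """Return {username: recovered_password} for accounts still on a default."""
    hits = {}
    for user, salt, stored in accounts:
        for candidate in default_candidates():
            if hash_password(candidate, salt) == stored:
                hits[user] = candidate
                break  # first match wins; no need to keep hashing
    return hits


if __name__ == "__main__":
    print(f"default-pattern keyspace: {keyspace_size()} passwords")
    for user, pw in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: still using default-pattern password {pw!r}")
```

The whole keyspace is 11,110 strings, so even a deliberately slow hash does not protect a default of this shape; the fix is forcing a change at first login and never reusing a guessable pattern across tenants. Running the audit against your own store after such a policy change confirms that the forced rotation actually took effect.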

Top Malware Reported in the Last 24 Hours

A rising malware stealer

SapphireStealer, an open-source information-stealing malware, has gained notoriety in the cyber threat landscape since its release in December 2022. This malware targets sensitive data, particularly corporate credentials, and is favored by financially motivated threat actors. It focuses on popular browsers like Chrome and Edge, posing a significant risk to organizations.

Top Vulnerabilities Reported in the Last 24 Hours

Netgear mitigates high-severity flaws

Netgear addressed two high-severity vulnerabilities, one in a router model and one in its network management software. The first, tracked as CVE-2023-41183, allows unauthenticated access to Orbi 760 routers because of a flaw in the SOAP API settings. The second, CVE-2023-41182, affects ProSAFE network management software; exploitation nominally requires authentication, but that requirement can be bypassed. No exploitation in the wild has been reported.

Attempts against Adobe ColdFusion bug

Although Adobe released security updates in July to fix pre-authentication RCE vulnerabilities in ColdFusion, FortiGuard Labs continues to observe exploitation attempts. The attackers send POST requests to the "/CFIDE/adminapi/accessmanager.cfc" URI carrying encoded payloads, originating from multiple IP addresses. Observed activity ranges from probing, to establishing reverse shells, to deploying malware. Four malware families, including the XMRig miner and Lucifer, have been identified, indicating a persistent campaign against unpatched servers.
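Because the report names a single targeted URI and method, a web-server access log is enough to spot these attempts. The following is an added example (not FortiGuard's code or the page's) of that detection: parse combined-format log lines, flag POST requests whose path matches the admin API endpoint regardless of case or query string, and group hits by source IP. The five log lines are constructed, not captured traffic, and the IPs are documentation ranges.

```python
import re
from collections import defaultdict

TARGET_URI = "/CFIDE/adminapi/accessmanager.cfc"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log lines for the example; the last one varies the path's case
# and appends a query string, which ColdFusion on Windows still resolves.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Aug/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Aug/2023:10:01:05 +0000] "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [31/Aug/2023:10:01:06 +0000] "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.10 - - [31/Aug/2023:10:02:00 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [31/Aug/2023:10:03:11 +0000] "POST /cfide/adminapi/AccessManager.cfc?x=1 HTTP/1.1" 200 77 "-" "curl/8.1"
"""


def parse(line: str):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_adminapi_probe(rec: dict) -> bool:
    """True for a POST to the targeted endpoint, ignoring case and query string."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.lower() == TARGET_URI.lower()


def detect(log_text: str) -> dict:
    """Group matching requests by source IP: {ip: [(timestamp, status, user_agent), ...]}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_adminapi_probe(rec):
            by_ip[rec["ip"]].append((rec["ts"], rec["status"], rec["ua"]))
    return dict(by_ip)


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} POST(s) to {TARGET_URI}")
        for ts, status, ua in hits:
            print(f"  {ts} status={status} ua={ua!r}")
```

A 500 response does not mean the attempt failed; a deserialization payload can execute and still leave the request erroring out, so treat any POST to this endpoint from an unexpected source as a finding and confirm the server's patch level. The case-insensitive comparison matters because a rule matching only the exact mixed-case path misses the last line.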
