Cyware Daily Threat Intelligence
Daily Threat Briefing • Sep 1, 2023
The rapid evolution of an info-stealer dubbed SapphireStealer has caused alarm across the cybersecurity community. Since it became active in December 2022, multiple threat actors have adapted and modified its codebase, producing several variants; in some cases the stealer was delivered as one stage of a multi-stage infection chain. Unpatched critical bugs are back in the spotlight: a research group has uncovered attacks that exploit an Adobe ColdFusion deserialization vulnerability with at least four different malware payloads, even though the patch for the bug was released in July.
Netgear has addressed two vulnerabilities, one in a router model and one in its network management software, and is urging customers to update their firmware promptly. Both vulnerabilities are rated high severity.
Thousands of companies exposed to cyber threats
The National Safety Council (NSC), a U.S. non-profit organization, inadvertently exposed nearly 10,000 emails and passwords belonging to its 55,000 members for five months. The lapse affected around 2,000 entities, including major corporations and governmental organizations such as Shell, Boeing, Tesla, NASA, Pfizer, and the FBI. The exposed credentials put these entities at risk of credential stuffing and follow-on cyberattacks.
Security incident impacts Blue Cross members
Prime Therapeutics LLC, in partnership with Magellan Rx, has reported a security incident affecting a subset of its covered Blue Cross and Blue Shield of Minnesota members. On July 11, Prime discovered that an unauthorized actor gained access to an employee's mobile email account, which contained the personal health information of members, including names, addresses, dates of birth, member ID numbers, and medication details.
Over a million customer records laid bare
The American sports equipment company specializing in golf gear, Callaway, suffered a data breach in early August, impacting 1,114,954 individuals. The breach compromised sensitive customer information, including names, addresses, emails, phone numbers, order histories, passwords, and security question answers. No payment card data or SSNs were exposed.
Data stolen due to leaked admin token
Sourcegraph, a software collaboration platform, reported a security breach after discovering a surge in API usage on August 30. The incident was traced back to an admin access token that had been leaked in a July 14 commit, eluding internal code analysis tools. This token, with broad privileges, was exploited by a user who elevated their privileges through a recently created account, gaining unauthorized access to the admin dashboard.
Default passwords risk customer data
Network security company LogicMonitor acknowledged a security incident that affected a portion of its customers. The incident stemmed from LogicMonitor's previous practice of assigning weak default passwords, such as "Welcome@" followed by a short number, to customer accounts. Until recently, customers were neither required nor prompted to change these default passwords. Around 400 systems were compromised at one customer affected by the breach.
A rising malware stealer
SapphireStealer, an open-source information-stealing malware, has gained notoriety in the cyber threat landscape since its release in December 2022. This malware targets sensitive data, particularly corporate credentials, and is favored by financially motivated threat actors. It focuses on popular browsers like Chrome and Edge, posing a significant risk to organizations.
Netgear mitigates high-severity flaws
Netgear addressed two high-severity vulnerabilities affecting one of its router models and its network management software. Tracked as CVE-2023-41183, the first flaw permits unauthorized access to Orbi 760 routers without authentication due to an issue with the SOAP API settings. The other flaw, CVE-2023-41182, affects ProSAFE network management software; exploitation requires authentication, which can be bypassed. No known exploitation incidents have been reported.
Attempts against Adobe ColdFusion bug
Despite the release of security updates in July to fix pre-authentication RCE vulnerabilities in Adobe ColdFusion, FortiGuard Labs has detected ongoing exploitation attempts. The attackers target the "/CFIDE/adminapi/accessmanager.cfc" URI, injecting payloads via POST requests. Their actions include probing, establishing reverse shells, and deploying malware. Multiple IP addresses are involved, and the payloads are encoded. Four malware variants, including XMRig Miner and Lucifer, have been identified, signifying a persistent threat.
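Defenders can hunt for the activity described above in web server access logs. The following is an added example, not code from the briefing or from FortiGuard Labs: it flags POST requests to the reported ColdFusion URI, normalizing case and percent-encoding so trivial variations are not missed, and counts hits per source address. The log lines are constructed samples in Apache combined format, with documentation-range IPs, and the function and variable names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Aug/2023:10:01:12 +0000] "POST /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [29/Aug/2023:10:01:15 +0000] "POST /cfide/adminapi/AccessManager.cfc?method=x HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.7 - - [29/Aug/2023:10:02:40 +0000] "POST /CFIDE/adminapi/accessmanager%2Ecfc HTTP/1.1" 200 512 "-" "curl/8.1.2"
192.0.2.5 - - [29/Aug/2023:10:03:01 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [29/Aug/2023:10:03:05 +0000] "GET /CFIDE/adminapi/accessmanager.cfc HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The URI named in the report, in normalized (lower-case, decoded) form.
TARGET_PATH = "/cfide/adminapi/accessmanager.cfc"


def normalize_path(target):
    """Drop the query string and percent-decode, then lower-case the path,
    so "accessmanager%2Ecfc" and mixed-case variants still match."""
    return unquote(urlsplit(target).path).lower()


def find_coldfusion_probes(log_text):
    """Return one record per POST request aimed at the reported ColdFusion URI."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the hunt
        if m["method"] == "POST" and normalize_path(m["target"]) == TARGET_PATH:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits


def source_counts(hits):
    """Count flagged requests per client IP (the report notes multiple sources)."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    probes = find_coldfusion_probes(SAMPLE_LOG)
    for p in probes:
        print(p)
    print(source_counts(probes))
```

A 200 response on this path does not by itself confirm compromise, but any POST to it from an address outside the administrators' known ranges deserves a closer look at the request body and the host's process activity.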