
Cyware Daily Threat Intelligence


Daily Threat Briefing Sep 8, 2023

In the wake of a significant network breach, U.S. agencies underscore the risk of threat actors capitalizing on known, already-patched vulnerabilities. A joint cybersecurity advisory has been released following confirmation by security experts that nation-state actors leveraged critical vulnerabilities in Zoho and Fortinet products to target an aeronautical organization. Separately, several high-severity flaws were reported in Cisco’s Open Automation Software (OAS) Platform, commonly used in industrial control systems, IoT, and enterprise environments. The platform was found vulnerable to a range of issues, including authentication bypass, sensitive information exposure, and file overwriting.

New details have emerged about the Pegasus delivery mechanism. In this technique, named BLASTPASS, attackers chained a pair of Apple zero-day flaws and sent PassKit attachments containing malicious images from an attacker-controlled iMessage account.

Top Breaches Reported in the Last 24 Hours

Skimmer attack hits ticketing platform

See Tickets, a ticketing services provider owned by Vivendi SA, notified 323,000 individuals that their payment card data was compromised in a web skimmer attack. The attack was detected in May 2023, and an investigation revealed that an unauthorized third party inserted malicious code into several checkout pages between February 28 and July 2. This web skimmer collected and exfiltrated user information, including names, addresses, and payment card details.

Spanish council held to $1.5 million ransom

The Seville City Council, Spain, fell victim to a ransomware attack attributed to the LockBit cybercriminal group. The attack, initially identified as an internal system failure, affected various city services, including police, firefighters, and tax collection. The attackers demanded a $1.5 million ransom, which the council has refused to pay. The extent of data theft, if any, remains unclear, with no reports of data leakage as of now.

Top Malware Reported in the Last 24 Hours

NTLMv2 hashes stolen using PowerShell scripts

A new sophisticated cyber campaign called Steal-It has been discovered, which exfiltrates NTLMv2 hashes using customized versions of Nishang's Start-CaptureServer PowerShell script. Believed to be an act of APT28, the attack involves various infection chains, including NTLMv2 hash stealing, system info stealing, Fansly-themed enticements, and geofencing tactics. Customized scripts from the Nishang framework are employed to steal and exfiltrate data, with mock APIs used to transfer stolen information. The campaign targets multiple regions, including Australia, Poland, and Belgium.

Top Vulnerabilities Reported in the Last 24 Hours

Apache Superset fixes critical flaws

Apache Superset addressed two security bugs, tracked as CVE-2023-39265 and CVE-2023-37941, that could have been exploited to gain remote code execution on vulnerable systems. One of these vulnerabilities allowed an attacker to connect to Superset's metadata database, potentially leading to credential harvesting and remote code execution. The other enabled an attacker with write access to the metadata database to insert an arbitrary pickle payload (Python's built-in object serialization format) into the store, which is executed when the application deserializes it, leading to remote code execution.
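The Superset item above rests on a general Python property: unpickling data from a store an attacker can write to executes whatever callable the pickle names. The following added example (not Superset's code and not from the advisory; the class names and the in-memory "store" are constructed) shows a benign marker function being invoked simply by loading a pickle, and a restricted unpickler that admits only an allowlisted class as one mitigation.

```python
import io
import pickle

# Constructed marker: records whether unpickling triggered a function call.
CALLS = []

def side_effect(tag):
    """Benign stand-in for the arbitrary callable a hostile pickle would name."""
    CALLS.append(tag)
    return tag

class Gadget:
    """Any object can instruct pickle to call a callable on load via __reduce__."""
    def __reduce__(self):
        return (side_effect, ("executed-on-load",))

class DashboardState:
    """Legitimate object the metadata store is meant to hold (constructed)."""
    def __init__(self, title):
        self.title = title

# Only globals on this allowlist may be resolved while unpickling.
ALLOWED = {(__name__, "DashboardState")}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def load_unsafe(blob):
    """Vulnerable pattern: trusts whatever is in the store."""
    return pickle.loads(blob)

def load_restricted(blob):
    """Hardened pattern: refuses any global outside ALLOWED."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()

def demo():
    CALLS.clear()
    hostile = pickle.dumps(Gadget())            # what a write to the store could plant
    benign = pickle.dumps(DashboardState("sales"))
    load_unsafe(hostile)                        # side_effect runs during load
    ran_on_unsafe_load = list(CALLS)
    CALLS.clear()
    try:
        load_restricted(hostile)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return {"unsafe_ran_code": ran_on_unsafe_load == ["executed-on-load"],
            "restricted_blocked": blocked,
            "restricted_calls": list(CALLS),
            "benign_title": load_restricted(benign).title}
```

Storing JSON instead of pickle removes the problem entirely; the allowlist unpickler is the fallback when the format cannot be changed.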

High-severity bugs in Cisco’s OAS

Cisco identified eight vulnerabilities in its OAS Platform, which could be used to bypass authentication, leak sensitive data, and overwrite files. Three of these vulnerabilities are classified as high-severity. Two of these are authentication bypass issues that attackers could abuse to create new users, save configurations, and potentially gain access to the underlying system. These vulnerabilities have been addressed in OAS Platform version 19.00.0000.

U.S. agencies warn of critical vulnerabilities

In a joint advisory titled "Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475," the U.S. agencies detailed an incident in the aeronautical sector where nation-state APT actors used CVE-2022-47966 to gain unauthorized access to a public-facing application, establish persistence, and move laterally within the network. The advisory urges organizations to review and implement recommended mitigation strategies.

CISA urges patching of Apache RocketMQ bug

CISA has added a critical vulnerability in Apache RocketMQ, tracked as CVE-2023-33246, to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been instructed to patch it by September 27. The vulnerability affects versions 5.1.0 and below of Apache RocketMQ, a popular distributed messaging and streaming platform. The flaw has a CVSS rating of 9.8 and allows attackers to execute commands as the system user running RocketMQ.

Apple zero-days exploited to deliver Pegasus

Researchers at Citizen Lab uncovered that recently patched zero-day vulnerabilities—CVE-2023-41064 and CVE-2023-41061—in Apple were actively exploited to infect devices with the NSO Group's Pegasus spyware. These vulnerabilities were chained together as part of a zero-click exploit called BLASTPASS, used in attacks on iPhones running the latest version of iOS (16.6). The exploit involved malicious images sent via PassKit attachments from an attacker's iMessage account.

Top Scams Reported in the Last 24 Hours

Google platform exploited for crypto phishing

Cybercriminals were observed exploiting Google Looker Studio (formerly Data Studio) to create counterfeit cryptocurrency phishing websites. Through this, attackers aim to deceive recipients into revealing their crypto wallet login details. The phishing emails falsely inform recipients that they have won a specific amount of Bitcoin and urge them to click on the embedded link to claim their prize. The stolen login credentials can then be used to compromise other accounts, potentially leading to financial losses.
