Daily Threat Intelligence – May 19 – 2023
Open-source software supply chains face immense threats from malicious npm packages making it to the repository. Of late, a couple of packages carrying an info-stealer called TurkoRat were identified by researchers. In a span of two months, the packages accumulated 1,200 downloads. In another attack campaign, hackers attempted to plague the Visual Studio Marketplace with fake extensions. Using these, the threat actors could steal credentials, collect system information, and establish a remote shell on the victim’s machine. Also, Rust-Based info-stealers were spotted on GitHub Codespaces, which could lead to the abuse of cloud services for a myriad of malicious pursuits.
Moving on. Three security holes in Apple’s WebKit browser engine are in the headlines because the tech giant is aware of its active exploitation in the wild. Since the beginning of 2023, six zero-days have been addressed by Apple.
Top Breaches Reported in the Last 24 Hours
Indonesia’s bank suffers massive hack
Ransom negotiations appear to have fallen flat for Bank Syariah Indonesia as the LockBit ransomware group published 1.5 TB of personal and financial information it allegedly stole. The group claimed to have compromised the records of approximately 15 million customers and employees of the bank, which is also the largest Islamic bank in the country. LockBit demanded $20 million in ransom.
New ransomware group gets a bigger fish
Michigan-based Gentex Corporation revealed that it suffered a data breach following an attack by Dunghill, a relatively new ransomware group. The criminals may have stolen 5 TB of sensitive data, including emails, client documents, and the personal data of 10,000 Gentex employees, such as their SSNs. The list of impacted data also contained IT infrastructure, access to databases, projects, and business agreements.
Luxottica data breach impacts 70 million
A cybercriminal has dumped a 2021 database containing millions of records of Luxottica customers in the United States and Canada for free. Security experts studied the leak and found that it contains 305 million entries, 74.4 million unique email addresses, and 2.6 million unique domain email addresses. Luxottica has officially acknowledged that one of its partners experienced a data breach in 2021, affecting 70 million individuals.
Top Malware Reported in the Last 24 Hours
Npm packages drop TurkoRat
ReversingLabs laid bare two malicious npm packages—nodejs-encrypt-agent and nodejs-cookie-proxy-agent—harboring an open-source information-stealing malware known as TurkoRat. The packages were collectively downloaded around 1,200 times and remained accessible to users for over two months. The malware can gather sensitive data, including login credentials, crypto wallets, and website cookies.
Spreading malware via GitHub
Trend Micro encountered Rust-based info-stealers targeting Windows systems. These stealers masquerade as legitimate applications and exploit exposed ports on a GitHub Codespaces instance to extract credentials from an infected device. While analyzing one of such malware strains, researchers found anti-debugging capabilities along with the ability to pilfer data from web browsers, Discord, Steam, cryptocurrency wallets, and other sources.
Suspicious extensions on Microsoft platform
Check Point took the wraps off of three malicious Microsoft Visual Studio extensions on May 4, 2023, aimed at exploiting VSCode Marketplace visitors. These extensions named Theme Darcula dark, python-vscode, and prettiest java, were downloaded by Windows developers nearly 45,000, 1,384, and 278 times, respectively. Furthermore, experts discovered other suspicious extensions, however, they could not be strictly categorized as malicious. Still, for the record, they exhibited unsafe behavior.
Top Vulnerabilities Reported in the Last 24 Hours
Apple fixes three zero-days
The multi-platform WebKit browser engine of Apple was found to be affected by three zero-day vulnerabilities tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. The first one is a sandbox escape that permits a remote adversary to evade Web Content sandboxes. The other two vulnerabilities are an out-of-bounds read flaw (enabling unauthorized access to sensitive data) and a use-after-free issue (allowing arbitrary code execution). These two are being exploited by tricking victims into loading specially crafted web pages.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.