Go to listing page

Cyware Daily Threat Intelligence, November 03, 2022

Cyware Daily Threat Intelligence, November 03, 2022

Share Blog Post

A hacker group could impact over 250 news websites in the U.S. through a single attack on their common service provider. Hackers attempted to push SocGholish malware into the systems of the visitors of those websites. Separately, Sentinel Labs made a revelation about overlapping TTPs—and other operational behavior—of Black Basta ransomware and the financially motivated FIN7 group.

That’s not it! Security researchers are warning against a Gatsby vulnerability in its image CDN functionality. The flaw opened two routes for exploitation, leading an attacker to steal secret keys or sensitive data from the metadata IP address.

Top Breaches Reported in the Last 24 Hours


Crypto-attack risks $28 million
Withdrawals on cryptocurrency derivatives platform Deribit were discontinued in the aftermath of a hot wallet cyberattack on the firm. The victims’ hot wallet was compromised for $28 million worth of cryptocurrency, however, users’ funds are reportedly safe. The incident highlights issues with hot wallets since they aren’t as secure as cold wallets, said an official.

Misconfiguration blurts out sensitive records 
Urlscan[.]io, a website scan and analysis engine, allegedly exposed a plethora of API data, including password reset links, DocuSign signing requests, setup pages, Telegram bots, meeting invitations, package tracking links, and PayPal invoices in a leak incident. The investigation found a misconfigured Security Orchestration, Automation, and Response (SOAR) playbook, which was integrated with urlscan.io.

Hackers hobbled U.S. news websites
Researchers at Proofpoint discovered a threat actor it tracks as TA569 targeting an unnamed media company with SocGholish malware. The victim firm caters to over 250 news outlets in the U.S. While the numbers could be higher, the affected regions include Boston, New York, Chicago, Miami, Palm Beach, Washington DC, and Cincinnati.

Vodafone Italy discloses breach
Customers of FourB S.p.A., a reseller of Vodafone services in Italy, have begun to receive breach notifications that laid bare their subscription details, identity documents (containing PII), and other details. As per the notice, no account passwords or network traffic data was compromised.

Top Malware Reported in the Last 24 Hours


Emotet’s back after five months
After nearly a five-month hiatus, Emotet malware infection has been detected by the Emotet research group Cryptolaemus. It is being distributed via phishing campaigns containing malicious Excel or Word documents. Once inside a compromised network, it can steal emails for spam campaigns and even drop additional payloads such as Cobalt Strike.

Black Basta and FIN7 are linked
According to Sentinel Labs, the Black Basta ransomware operation has ties with FIN7. Researchers noted that a developer for FIN7 also authored the EDR evasion tools that Black Basta has been using exclusively since June 2022. In other evidence, both groups used similar IP addresses and specific TTPs, although with a gap of a few months.

Top Vulnerabilities Reported in the Last 24 Hours


Fortinet patches 16 flaws
With six high-severity flaws, Fortinet warned its customers about a total of 16 flaws affecting its products. One of the bugs affecting FortiTester lets an attacker execute arbitrary commands. Another product FortiSIEM was affected by a flaw that allowed an unauthenticated attacker access to the Glassfish server. The remaining high-severity flaws were stored and reflected XSS bugs impacting other Fortinet products.

High-severity bug in Gatsby
Gatsby, a React-based JavaScript and open source framework, was seen hosting a critical bug in its Cloud Image CDN service. The vulnerability could allow attackers to carry out server-side request forgery (SSRF) or cross-site scripting (XSS) attacks against cloud-hosted Gatsby websites.

 Tags

emotetmalware
gatsby
fin7 group
vodafone italia
fortinet products
socgholish
soar playbook
fourb spa
deribit
urlscanio

Posted on: November 03, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.