
Cyware Daily Threat Intelligence, November 08, 2021


Alert! Hackers out phishing! A threat actor spearphished a DeFi employee and stole $55 million worth of cryptocurrency assets, and a credential phishing attack impersonated Proofpoint to steal victims’ Microsoft and Google email credentials. Meanwhile, a U.S. defense contractor disclosed a phishing attack that exfiltrated files containing personal information. On the vulnerability front, fixes are catching up with the flaws.

Turning to new security weaknesses, public exploit code and a proof-of-concept tool were released for the BrakTooth bugs affecting Bluetooth stacks. Also, a comprehensive healthcare informatics solution has been found vulnerable to two critical SQL injection flaws, which have been addressed in a new version of the product.

Top Breaches Reported in the Last 24 Hours

A hacker steals millions from a DeFi platform
A hacker stole an estimated $55 million worth of cryptocurrency assets from a decentralized finance (DeFi) platform, bZx, by sending a phishing email to one of its employees. The email contained a malicious macro in a Word document and ran a script on the employee’s computer that compromised his mnemonic wallet phrase. The attacker stole two private keys used by bZx for its integration with Polygon and Binance Smart Chain (BSC) blockchains.

U.S. defense contractor confirms a data breach
Electronic Warfare Associates (EWA), a U.S. defense contractor, disclosed a data breach in which attackers exfiltrated files containing personal information. The breach began with a phishing attack that affected a small number of EWA email accounts; further investigation revealed names, SSNs, and driver’s license numbers in the downloaded files.

Aerial surveillance footage leaked
Police helicopter surveillance footage from the Dallas Police Department in Texas and the Georgia State Patrol was leaked as a result of unsecured cloud infrastructure. The transparency activist group Distributed Denial of Secrets (DDoSecrets) posted 1.8TB of police helicopter footage to its website.


Top Malware Reported in the Last 24 Hours

APTs exploit newly identified vulnerabilities
Unit 42 observed an attack campaign in which APT groups gained initial access to targeted organizations by exploiting a patched vulnerability, tracked as CVE-2021-40539, in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. The malicious actors were observed deploying Godzilla webshell, NGLite Trojan, and KdcSponge Stealer, compromising at least nine entities across the defense, technology, healthcare, education, and energy industries in the attack campaign.

Two NPM packages backdoored
In a supply chain attack targeting open-source software repositories, two popular NPM packages—with cumulative weekly downloads of nearly 22 million—were compromised with malicious code. The two libraries, “coa,” a parser for command-line options, and “rc,” a configuration loader, were tampered with by an unidentified threat actor to add identical password-stealing malware.


Top Vulnerabilities Reported in the Last 24 Hours

Exploit code and POC for BrakTooth bugs
CISA urges vendors to patch, given the release of public exploit code and a proof-of-concept (POC) tool for the BrakTooth bugs. The initial group of 16 vulnerabilities (now up to 22), collectively dubbed BrakTooth, was found in a closed commercial Bluetooth stack used by over 1,400 embedded chip components and can result in denial-of-service (DoS) attacks and code execution.

Philips Tasy EMR vulnerable to SQL injection
A comprehensive healthcare informatics solution, Philips Tasy EMR, is affected by two critical SQL injection vulnerabilities, CVE-2021-39375 and CVE-2021-39376. Both vulnerabilities affect Tasy EMR HTML5 version 3.06.1803 and prior; the company addressed them with the release of version 3.06.1804. If exploited, the vulnerabilities can compromise patient records and financial data.


Top Scams Reported in the Last 24 Hours

Attackers impersonate a security firm
A phishing campaign has been spotted impersonating Proofpoint, a cybersecurity firm, to trick victims into providing Microsoft Office 365 and Gmail credentials. The phishing emails, with the subject “Re: Payoff Request,” use mortgage payments as a lure and contain a link purporting to be a secure file sent via Proofpoint.


Posted on: November 08, 2021
