Go to listing page

Cyware Daily Threat Intelligence, October 05, 2022

Cyware Daily Threat Intelligence, October 05, 2022

Share Blog Post

The telecom sector appears to be in the crosshairs of cybercriminals as yet another Australian telecommunications giant reported a data breach impacting thousands of current and former employees. In a separate alarming update, a joint advisory by U.S. agencies has uncovered an APT attack on a defense sector organization using the Python-based Impacket toolkit and a custom data exfiltration tool called CovalentStealer. 

The saga of the ProxyNotShell zero-day vulnerabilities affecting Exchange servers continues as Microsoft has issued revised its earlier guidance for customers to mitigate the risks of exploitation. A potential software supply chain vulnerability in a PHP package has also caught the attention of security researchers in the last 24 hours.

 

Top Breaches Reported in the Last 24 Hours

 
Telstra employee data breach
Australia's largest telecom firm Telstra said it had suffered a data breach. The company said that an intrusion at a third-party organization exposed some of its employee data dating back to 2017. According to media reports, a Telstra internal staff member estimated that 30,000 current and former employees were affected by the incident.
 
Attack on defense sector organization
In a joint cybersecurity advisory, the CISA, the FBI, and the NSA disclosed APT activity on an organization in the Defense Industrial Base (DIB) sector, from November 2021 through January 2022. The CISA disclosed that likely multiple APT groups compromised the organization’s network and gained long-term access. They used the open-source Python toolkit Impacket and a custom data exfiltration tool CovalentStealer to steal sensitive data from the victim organization’s network.
 
Security incident at CommonSpirit Health
CommonSpirit Health experienced an IT security incident impacting an undisclosed number of facilities in multiple regions across the U.S. Some of its facilities in Chattanooga, Tennessee, were forced to take certain systems offline, including electronic health records, according to a statement from CHI Memorial. Moreover, some patient procedures were also rescheduled due to the incident.

 

Top Malware Reported in the Last 24 Hours


OnionPoison campaign
Kaspersky reported a Chinese-language YouTube channel, with over 180,000 subscribers, spreading malicious Tor Browser installers to victims located in China to steal their browsing history and data entered into website forms. One of the libraries packaged with the infected browser contains spyware designed to collect various personal data and sends it to a command and control server.

 

Top Vulnerabilities Reported in the Last 24 Hours

 
Mitigation updated for ProxyNotShell
Microsoft has updated its customer guidance for the recently disclosed zero-day flaws (CVE-2022-41040 and CVE-2022-41082) in Exchange Server after researchers reported that the previously provided mitigations could be easily bypassed. While the flaws have not been patched yet, the temporary workarounds are meant to reduce the risk of exploitation through a URL Rewrite rule in the IIS Manager or a standalone PowerShell script.
 
Akamai misconfiguration vulnerability
Two Italian security researchers discovered a misconfiguration in Akamai CDN that allowed them to poison the cache with arbitrary content. Researchers described the vulnerability as a combination of common HTTP smuggling and hop-by-hop headers abuse techniques. The company has since fixed the issue by preventing the specification of the Content-Length keyword within the Connection header value.
 
PHP software supply chain flaw
SonarSource researchers disclosed details about a high-severity vulnerability in Packagist, a PHP software package repository. Tracked as CVE-2022-24828 with a CVSS score of 8.8, it is described as a command injection vulnerability that could be exploited to conduct software supply chain attacks. Patches for the vulnerability have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7.
 
JavaScript sandbox escape vulnerability
Vm2, a popular NPM package used for creating sandbox environments, was found to contain a vulnerability that could allow attackers to bypass sandbox protections. Researchers from Oxeye Security, who discovered the flaw, explained that it arises due to improper exception handling and attackers could use it to stage remote code execution. Patches have been issued for the same.
 
 

Top Scams Reported in the Last 24 Hours

 
FBI alert on Pig Butchering
The FBI Miami Field Office, in coordination with the Internet Crime Complaint Center (IC3), issued a warning regarding a rise in 'Pig Butchering' cryptocurrency scams. It is a relatively new type of social engineering attack wherein fraudsters reach out to people on social media, establish a relationship, and later dupe them into investing in fake cryptocurrency investment platforms.
 
Sneaky fraud attack on businesses
Researchers at Abnormal Security discovered a new Business Email Compromise (BEC) attack campaign that leverages both vendor impersonation and executive impersonation. The phishing messages with an invoice request are personalized through the use of spoofed emails purporting to be from an actual executive of the targeted company.

 Tags

covalentstealer
defense industrial base dib networks
pig butchering scam
proxynotshell vulnerabilities
bec attack
commonspirit health
vm2
akamai cdn
telstra
packagist
onionpoison

Posted on: October 05, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.