Go to listing page

Cyware Daily Threat Intelligence, February 20, 2023

Cyware Daily Threat Intelligence, February 20, 2023

Share Blog Post

Making the headlines today is cybersecurity firm Fortinet which rolled out dozens of advisories to fix security holes in its software lineup, including FortiOS, FortiNAC, FortiWeb, and FortiProxy, among others. The most serious issue according to experts is the one that affects FortiNAC network access control. In other news, North Korean cybercriminals are targeting individuals with the RambleOn malware wrapped as a secure chat app called Fizzle. Interestingly, researchers could trace some overlaps in the Firebase Cloud Messaging (FCM) functionality of RambleOn and FastFire, another Android spyware that has been attributed to Kimsuky in the past. 

What’s more? BEC scams galore. While Europol dismantled and detained a gang that stole $40.3 million from users, a Finance Director in the city of Hilliard, Ohio, was fired after scammers manipulated authorities to transfer a hefty sum to a different account. 

Top Breaches Reported in the Last 24 Hours

German airlines face DDoS threats
Thousands of passengers of Lufthansa airlines were left stranded in light of a cyberattack that rattled the websites of seven airports. The airports at Dusseldorf, Nuremberg, Erfurt-Weimar, and Dortmund were also targeted. Killnet, the pro-Russian hacker group reportedly took the responsibility for the IT outage at Lufthansa.

De-Fi protocol loses millions 
A hacker pulled off an $8.5 million hack on DeFi platform Platypus via a flash loan attack technique. Officials said it onboarded blockchain security firm BlockSec and was able to recover $2.4 million worth of USDC. Meanwhile, a security researcher claimed to link the stolen funds incident to a Twitter account but that was deleted upon being contacted.

QR code generator site suffered leak
Sofia, Bulgaria-based QR code generator website MyQRcode was found blurting out 128 GB worth of sensitive data of its users owing to a misconfigured cloud database. The database included the personal information of 66,000 customers. It is worth noting that the database was being actively updated with new records each day, implying it continued to leak data to date.

Pharmacy infra risked patient info
mscripts, Cardinal Health’s mobile pharmacy company, revealed that a cyber incident has impacted 66,372 patients. The incident concerns the patients of Phoenix-based Banner Health as well as customers at the Costco, Brookshire Brothers, Meijer, and Giant Eagle pharmacy chains. It was caused due to unauthorized access to data in cloud storage.

Railway app exposes traveler data
Popular Indian railway ticketing app RailYatri spilled the data of over 31 million travelers in a massive data breach. The affected data involve email addresses, full names, genders, phone numbers, and locations of the app users. Researchers at Hackread confirmed that the database made it to at least one hacker forum. Two years ago, Railyatri suffered a similar incident.

GoDaddy was under attack for three years
Internet domain registrar GoDaddy confirmed a three-year-long attack on its infrastructure that culminated in hackers obtaining its source code. The company believes a highly sophisticated threat group could be behind the attack that installed malware on internal systems. It is not sure what is the root cause of the incident.

Portuguese water utility under attack
The LockBit ransomware gang allegedly compromised the website of Portuguese municipal water utility company Aguas do Porto. The group has added the water utility corporation to its list of victims on its Tor leak site and threatened them with a deadline of March 07, 2023 for a ransom or else they’ll leak the data. 

Fake SMS alert hits Coinbase
An unidentified threat actor attempted to obtain remote access to Coinbase’s systems by stealing one of its employees' login information. Several engineers of the cryptocurrency exchange platform were in fact targeted. One employee fell for the ruse and clicked the link to the phishing page while others simply disregarded the message.

Top Malware Reported in the Last 24 Hours

Hackers gamble with RambleOn
South Korean researchers stumbled across a novel malware RambleOn that most probably North Korean nation-state actors used against a journalist in the country. Hackers camouflage the spyware as a secure chat app called Fizzle. The app, in reality, requests for the next-stage payload hosted on pCloud and Yandex. It was sent as an APK file over WeChat to the target.

Espionage group drops WhiskerSpy 
Trend Micro reported about a new threat actor that would drop a new backdoor dubbed WhiskerSpy. The cybercriminal group tracked, as Earth Kitsune, is a relatively new threat group that conducts watering hole attacks. The malware is delivered to users when they attempt to watch videos on attacker-compromised websites.

Top Vulnerabilities Reported in the Last 24 Hours

Fortinet’s 40 patches
Security firm Fortinet issued 40 security advisories that address critical flaws affecting its FortiNAC and FortiWeb products. Two advisories were given a ‘critical’ severity rating, while 15 received a ‘high’ severity rating. One of the critical flaws, tracked as CVE-2021-42756, is a buffer overflow bug in FortiWeb’s proxy daemon that can let a remote attacker execute arbitrary code.

Top Scams Reported in the Last 24 Hours

BEC scam worth $219,000 
A digital impersonator posed as an existing vendor to a finance worker in the Columbus suburb of Hilliard, Ohio, to steal $218,992.06. The adversary, like in a typical BEC scam, requested a change in bank-routing information. Finance Director David Delande, who served for more than five years in the post, was fired. One of the reasons for his firing was a delay of 35 days in informing his superiors about the incident.


bec scams
earth kitsune
fortinet security
aguas do porto
german airports
whiskerspy backdoor

Posted on: February 20, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite