Cyware Daily Threat Intelligence

Daily Threat Briefing Aug 14, 2023

Ransomware threats remain a prevalent issue in the cyber ecosystem as researchers share updates about Knight and Monti ransomware attacks. While Knight ransomware is being used in an ongoing spam campaign targeting TripAdvisor users, Monti ransomware has been upgraded with a new encryption process to target law and government organizations.

There are also reports of several vulnerabilities impacting different software and devices in the past 24 hours. Four of these flaws were found impacting Iagona’s ScrutisWeb ATM fleet monitoring software, which could be abused to remotely hack ATMs. Besides, Zoom users are susceptible to eavesdropping and remote attacks due to authentication issues in Zoom’s desk phone devices.

Top Breaches Reported in the Last 24 Hours

Colorado’s HCPF discloses data breach

The Colorado Department of Health Care Policy & Financing (HCPF) revealed that the personal and health information of more than four million individuals has been impacted by the MOVEit attack on IBM. The exfiltrated files contained full names, Social Security numbers, Medicaid ID numbers, dates of birth, home addresses, and health insurance details of patients.

Top Malware Reported in the Last 24 Hours

Knight ransomware distributed in a spam campaign

Knight ransomware, which is a recycled version of Cyclops ransomware, is being used in an ongoing spam campaign impersonating TripAdvisor. The email includes an HTML attachment named ‘TripAdvisor-Complaint-[random].PDF.htm’ that redirects users to a fake browser window for TripAdvisor. Upon infection, the Knight Lite ransomware encryptor is injected into a new explorer.exe process to encrypt the files on targeted computers. Later, the .knight_1 extension is appended to the encrypted files’ names, where ‘1’ stands for lite.

Monti ransomware updates its encryption process

A new variant of Monti ransomware has surfaced with an encryption process that differs notably from previous Linux-based versions. It employs the AES-256-CTR algorithm instead of the Salsa20 algorithm implemented by older variants. Moreover, it appends the .monti extension to encrypted files and drops its ransom note in every directory it encrypts.
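The two ransomware items above share a defender-side takeaway: the Knight campaign arrives as an HTML attachment whose name hides behind a document extension (‘TripAdvisor-Complaint-[random].PDF.htm’), and both families leave a fixed extension on encrypted files (.knight_1 and .monti). The following Python script is an added example, not code from the briefing or from any vendor: it triages attachment names for that deceptive double-extension pattern and sweeps a list of file paths for the two extensions, reporting directories where several files already carry one. The attachment names and file paths are constructed for the example; the regular expression, the extension-to-family table and the `min_files` threshold are assumptions you would tune to your environment, and extension matching is an after-the-fact signal that confirms encryption has started rather than preventing it.

```python
import re
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample data for this example only; none of it comes from the
# briefing or from a real incident.
SAMPLE_MAIL_ATTACHMENTS = [
    "TripAdvisor-Complaint-83fa2.PDF.htm",   # deceptive double extension
    "invoice-2023-08.pdf",                   # ordinary document
    "Quarterly-Report.docx.html",            # deceptive double extension
    "readme.htm",                            # plain HTML, no inner extension
]

SAMPLE_FILE_PATHS = [
    "/srv/share/finance/budget.xlsx.knight_1",
    "/srv/share/finance/forecast.xlsx.knight_1",
    "/srv/share/finance/notes.txt",
    "/home/app/data/db.sqlite.monti",
    "/home/app/data/readme.txt",
    "/home/app/data/config.yaml.monti",
    "/var/log/syslog",
]

# A document-like inner extension followed by an HTML outer extension,
# e.g. "report.PDF.htm". Mail clients often display only the inner type.
DECEPTIVE_HTML_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt)\.html?$", re.IGNORECASE
)

# Extensions the briefing associates with the two families (assumed table;
# extend it with whatever your own intelligence sources report).
RANSOM_EXTENSIONS = {".knight_1": "Knight (Lite)", ".monti": "Monti (Linux)"}


def triage_attachment(filename: str) -> Optional[str]:
    """Return a short reason if the attachment name looks deceptive, else None."""
    m = DECEPTIVE_HTML_RE.search(filename)
    if m:
        return f"HTML attachment disguised as .{m.group(1).lower()}"
    return None


def find_encrypted_files(paths: List[str]) -> Dict[str, List[str]]:
    """Map each matched family name to the files carrying its extension."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        family = RANSOM_EXTENSIONS.get(PurePosixPath(p).suffix.lower())
        if family:
            hits.setdefault(family, []).append(p)
    return hits


def directories_with_ransomware(paths: List[str], min_files: int = 2) -> Dict[str, str]:
    """Directories in which at least min_files files carry a known extension.

    Returns {directory: family}. The threshold filters out a single stray
    file that may have been copied in from elsewhere.
    """
    counts: Dict[tuple, int] = {}
    for family, files in find_encrypted_files(paths).items():
        for f in files:
            key = (str(PurePosixPath(f).parent), family)
            counts[key] = counts.get(key, 0) + 1
    return {d: fam for (d, fam), n in counts.items() if n >= min_files}


if __name__ == "__main__":
    for name in SAMPLE_MAIL_ATTACHMENTS:
        reason = triage_attachment(name)
        print(f"{'FLAG ' if reason else 'ok   '}{name}" + (f"  ({reason})" if reason else ""))
    for directory, family in directories_with_ransomware(SAMPLE_FILE_PATHS).items():
        print(f"ENCRYPTED {directory}: {family}")
```

Feed `triage_attachment` the attachment names from your mail gateway logs and `directories_with_ransomware` a recent file listing from a share or backup job; a directory that trips the threshold is a candidate for isolating the host that writes to it.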

Top Vulnerabilities Reported in the Last 24 Hours

Flaws patched in CyberPower solutions

Nine vulnerabilities discovered in the CyberPower PowerPanel Enterprise DCIM platform and Dataprobe PDU can be abused to gain unauthorized access to systems and carry out a broad range of malicious attacks, including the shutdown of entire data centers. These vulnerabilities are tracked from CVE-2023-3259 through CVE-2023-3267. While there is no evidence that these flaws were exploited in the wild, the vendor has addressed the flaws with the release of version 2.6.9 of PowerPanel Enterprise software and version 1.44.08042023 of the Dataprobe iBoot PDU firmware.

Infotainment systems vulnerable to attacks

A critical flaw found in the Texas Instruments-supplied Wi-Fi driver of SYNC 3 infotainment systems in certain car models from Ford can be abused to launch remote code execution attacks. Tracked as CVE-2023-29468, the flaw has a CVSS score ranging between 8.8 and 9.6. An attacker within the wireless range of an impacted device can trigger the flaw using a specially crafted frame.

Flaws in Zoom ZTP and AudioCodes Phones

Several flaws discovered in Zoom ZTP and AudioCodes phones can be exploited by malicious actors to conduct remote attacks. The problem stems from the authentication settings of Zoom ZTP and of AudioCodes phones. When combined, these vulnerabilities can be used to remotely take over arbitrary devices. While Zoom has implemented a restriction for new customers to mitigate attacks that abuse these vulnerabilities, there are no updates from AudioCodes yet.

Flaws patched in ATM monitoring software

Synack Red Team shared details about four vulnerabilities impacting Iagona’s ScrutisWeb ATM fleet monitoring software. Tracked as CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189, these flaws can be exploited to remotely hack ATMs. These flaws can also enable attackers to obtain data from the server, execute arbitrary commands, obtain encrypted administrator passwords, and decrypt them using a hardcoded key. They have been patched with the release of ScrutisWeb version 2.1.38.