Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 16, 2023
It seems the detention of one of the key operators of Raccoon Stealer last year wasn’t enough to deter the group from their mission. A newer version of Raccoon has been spotted: it boasts improvements based on customer feedback and also includes a quick dashboard search tool to find specific stolen data. Separately, cybersecurity experts disclosed a set of three security vulnerabilities in a popular transportation app used by over 1.5 billion users across 112 countries that allowed free rides and unauthorized access to user accounts.
Harnessing the power of automated exploitation, a cybercriminal group successfully backdoored nearly 2,000 Citrix NetScaler instances worldwide. The compromised instances are concentrated in European countries, with notable absences of web shells in Canada, Russia, and the U.S.
Infected machines expose cybercriminals’ identity
Threat intelligence firm Hudson Rock uncovered over 120,000 computers infected with various information-stealer malware carrying credentials linked to cybercrime forums. Research into a database of 14.5 million infected computers revealed real hacker identities based on personal data, additional credentials, and system information. Cybercriminal forum passwords were found stronger than those for government sites.
LinkedIn accounts hijack campaign
Several LinkedIn users have reported difficulties in recovering their hacked or locked-out accounts through LinkedIn support. Some claimed to have faced ransom demands or account deletion threats. In the past few months, according to Google Trends, there’s been a 5000% increase in searches related to LinkedIn account hacks and recovery. Attackers have been changing the associated email addresses and passwords and enabling two-factor authentication on the hijacked accounts, complicating recovery.
Ransomware attack on property listing firm
A ransomware attack on California-based data services company Rapattoni has caused significant disruptions to the property listing process nationwide. The attack, which occurred on August 8, led to system outages affecting MLS providers and listing websites, including Zillow and others. Rapattoni's production system remains offline as of the latest update.
MOVEit breach affects state program participants
Over 134,000 individuals enrolled in certain Massachusetts state programs have been alerted about a third-party data breach due to the MOVEit exploit. The breach affected individuals who received services from the Executive Office of Health and Human Services. Compromised data includes names, dates of birth, addresses, protected health information, Social Security numbers, and financial account information.
Healthcare organization discloses intrusion
Tift Regional Health System, a Georgia-based healthcare organization, is notifying over 180,000 individuals about a data breach due to a Hive ransomware attack that occurred a year ago. Tift’s investigation revealed that certain files containing patient information, including medical and financial data, were accessed or copied without authorization during the incident. The compromised data includes Social Security numbers, patient IDs, driver's license numbers, medical and treatment information, health insurance data, and more.
Raccoon Stealer returns after six months
After a 6-month hiatus, the developers behind the notorious Raccoon Stealer information-stealing malware have reintroduced version 2.3.0 to cybercriminal forums. Raccoon, a malware-as-a-service known for stealing data from over 60 applications including sensitive login credentials and cryptocurrency wallet details, had faced disruptions in 2022 due to arrests and takedowns. Its enhanced features include a quick search tool, anti-suspicion measures against security-assisting bots, IP reporting to deter monitoring, and a log stats panel.
Criminals backdoor 2,000 Citrix instances
Around 2,000 Citrix NetScaler instances have fallen victim to a massive attack that exploited a critical security flaw. The bug, tracked as CVE-2023-3519, let an unauthenticated user establish a backdoor. NCC Group's advisory stated that automated exploitation of the vulnerability enabled attackers to place web shells, granting persistent access and remote code execution. Although most instances have since been patched, over 1,900 servers remained backdoored: applying the patch closes the vulnerability but does not remove a web shell that was planted before the fix, which points to a lack of proper post-patch verification.
Buffer overflow flaws in Ivanti Avalanche
Two critical stack-based buffer overflow vulnerabilities, collectively known as CVE-2023-32560, have been identified in Ivanti Avalanche, an enterprise mobility management (EMM) solution. These flaws allow remote execution of arbitrary code without user authentication. The vulnerabilities impact WLAvalancheService.exe version 6.4.0.0 and older, and are triggered by specially crafted data packets containing hex strings or decimal strings.
Moovit’s sensitive bug disclosure
Researchers at DEF CON exposed three vulnerabilities in the Moovit transportation app, which could have enabled hackers to take control of user accounts worldwide. The flaws potentially granted unauthorized access to personal information, credit card details, and even the ability to hijack accounts for free rides. Moovit, an app with over 1.5 billion users globally, provides route planning and ticket purchasing services.
Scammers target crypto investment victims
The FBI has issued a warning about a rising trend in recovery scams targeting victims of cryptocurrency investment fraud. With losses exceeding $2.5 billion in 2022 alone, scammers pose as recovery companies promising to retrieve lost assets. These criminals target victims through social media, online ads, and comment sections. They often request upfront fees for their services and may claim affiliation with legitimate organizations or law enforcement agencies.