Cyware Daily Threat Intelligence
Daily Threat Briefing • Aug 25, 2022
One of Russia’s most dreaded threat groups, NOBELIUM, was found deploying the MagicWeb backdoor to maintain persistent access to compromised environments. The hacker group is deploying the backdoor through stolen privileged credentials and then moving laterally for administrative privileges in an AD FS system. In a report by IBM, researchers revealed that CVE-2016-4510 is the most commonly targeted industrial bug. It lets remote attackers bypass authentication and read arbitrary files.
Meanwhile, the HHS issued a warning about an ongoing attack campaign by the Karakurt ransomware group aimed at healthcare providers. This is in the wake of Karakurt’s alleged partnership with the Conti gang.
Dominican Republic's government agency attacked
Quantum ransomware operators targeted Instituto Agrario Dominicano, a Dominican Republic agency, and halted part of its operations, taking down four physical servers and eight virtual servers. The attackers reportedly demanded $650,000 in ransom. If the demand isn’t met, they may publicly release the stolen data (1TB, as per their claim).
MagicWeb: Nobelium’s new tool
Microsoft has uncovered a new post-exploitation tool, dubbed MagicWeb, used by the Russian group APT29, aka Nobelium. The backdoor lets an attacker abuse AD FS servers by manipulating the claims passed in the tokens they generate. It does so by tampering with the user authentication certificates (not the token-signing certificates abused in attacks like Golden SAML).
Karakurt walks Conti’s path
Healthcare providers need to stay vigilant against cyberattacks by the Karakurt ransomware group. The HHS noted that Karakurt’s ties to the Conti ransomware, which brings expertise in targeting the healthcare industry, make it a potential threat. It has claimed four victims in the healthcare sector in the past three months.
Operational Technology (OT) is vulnerable
IBM Security’s X-Force research and intelligence unit stated that old and inconspicuous system flaws in industrial products are commonly targeted to exploit OT environments. The vulnerability, identified as CVE-2016-4510, remained the most targeted. It is a flaw in the WAP interface of the Trihedral VTScada SCADA software. According to experts, more than 80% of vulnerability scanning is coming via port scanning and Shodan scanning.
Credential stealing for PyPI developers
According to PyPI, an ongoing phishing campaign is after developers’ credentials in order to inject malicious updates into legitimate packages. Cybercriminals send security-themed messages misinforming recipients about a mandatory Google validation process that all packages must complete before September, or else their PyPI modules would be removed.