Cyware Daily Threat Intelligence
Daily Threat Briefing • Aug 25, 2023
Ransomware attacks on smaller businesses rarely make headlines, and attackers often take advantage of that. One such case has come to light: a variant of Adhubllka ransomware was observed targeting individuals and small businesses with modest ransoms ranging from $800 to $1,600. While this variant may go unnoticed because of its low demands, experts advise that prevention remains key. Separately, Tenable researchers uncovered improper input validation flaws in Rockwell Automation's ThinManager ThinServer that pose a considerable threat to Industrial Control Systems (ICS).
In other news, Cisco disclosed a vulnerability in the TACACS+ and RADIUS remote authentication of its NX-OS Software that lets an unauthenticated attacker force a device reload. It is exploitable only via Telnet or a console connection, not SSH.
1,000 organizations and 60 million individuals impacted
The Cl0p ransomware group's MOVEit campaign has reportedly affected nearly 1,000 organizations and around 60 million individuals, revealed Emsisoft. This includes both direct and indirect victims, with compromised data traced back to organizations like Maximus, Pôle Emploi, and more. Cl0p has already started leaking data from victims who refused to pay. Over 80% of the affected entities are in the US.
Personal data of thousands of patients exposed
Jefferson Cherry Hill Hospital, part of the Jefferson Health System, reported a data breach potentially affecting approximately 4,100 patients. The breach, discovered during maintenance on June 15, involved a missing portable backup drive containing patient information. The exposed data includes names, birth dates, medical record numbers, study dates, and in some cases, mailing addresses.
Payment card data blurted out
TMX Finance Corporate Services, the parent company of subprime lender TitleMax, has expanded its data breach notification to nearly five million customers, revealing that attackers also stole payment card data and security codes. The breach, initially reported in March, exposed personal details, including passport and Social Security numbers. The revised notification indicates the attackers may have obtained credit/debit card numbers in combination with security codes, access codes, passwords, or PINs for the account.
New ransomware variant targets SMBs
Security researchers at Netenrich identified TZW, a previously misclassified ransomware strain, as a member of the Adhubllka ransomware family. Unlike high-profile ransomware campaigns, TZW targets individuals and small businesses, demanding small ransoms ranging from $800 to $1,600. The researchers attributed the strain by tracing the communication channels, ransom notes, and Tor domains used by the threat actor.
PoC exploit released for Ivanti Sentry bug
Researchers have published proof-of-concept (PoC) exploit code for a critical authentication bypass vulnerability, CVE-2023-38035, affecting Ivanti Sentry (formerly MobileIron Sentry) software. The vulnerability allows unauthenticated attackers to access sensitive API data, execute system commands, and write files to the system. The exploit could be used to change configurations, run unauthorized commands, and more. Ivanti has already released security patches to address the issue.
Sensitive flaws found in Rockwell Automation ThinManager
Tenable has identified critical and high-severity flaws in Rockwell Automation's ThinManager ThinServer product that attackers could exploit to target the ICS environment. The flaws, tracked as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917, are improper input validation issues that lead to an integer overflow or path traversal. Potential consequences of exploitation include a DoS condition, deletion of arbitrary files with SYSTEM privileges, and upload of arbitrary files to the system.
Cisco bug could lead to unauthenticated DoS
Cisco has issued a security advisory regarding a high-severity vulnerability (CVE-2023-20168) in its NX-OS Software, affecting TACACS+ and RADIUS remote authentication. An unauthenticated, local attacker could trigger an unexpected device reload by exploiting incorrect input validation during an authentication attempt with the directed request option enabled. The vulnerability can only be exploited via Telnet or the console management connection, not SSH.
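As an added triage example (not a Cisco tool and not part of the original briefing), the following Python function scans an NX-OS running-config for the two preconditions the advisory ties together: directed request enabled for TACACS+ or RADIUS, and Telnet enabled as the remote path. The config samples are constructed, and the command syntax (`tacacs-server directed-request`, `radius-server directed-request`, `feature telnet`) is assumed from NX-OS and should be confirmed against your platform's documentation. Because console access cannot be ruled out from the configuration alone, any device with directed request enabled is reported as affected; Telnet only changes whether the exposure is remote.

```python
"""Triage an NX-OS running-config for the CVE-2023-20168 preconditions.

Added example, not a Cisco tool. Command syntax is assumed from NX-OS
(`tacacs-server directed-request`, `radius-server directed-request`,
`feature telnet`); verify it against your platform before relying on it.
"""
import re
from dataclasses import dataclass

# "no " prefix handled so explicitly disabled lines are not miscounted.
DIRECTED_REQUEST = re.compile(
    r"^(?P<neg>no\s+)?(?P<proto>tacacs-server|radius-server)\s+directed-request\s*$"
)
FEATURE_TELNET = re.compile(r"^(?P<neg>no\s+)?feature\s+telnet\s*$")


@dataclass
class Exposure:
    directed_request: set   # protocols ("tacacs", "radius") with directed request on
    telnet_enabled: bool

    @property
    def affected(self) -> bool:
        # Directed request is the trigger; console access is always possible.
        return bool(self.directed_request)

    @property
    def remotely_reachable(self) -> bool:
        # Telnet is the only remote path the advisory names; SSH is not affected.
        return self.affected and self.telnet_enabled


def triage(config: str) -> Exposure:
    """Walk the running-config line by line and collect the two conditions."""
    enabled: set = set()
    telnet = False
    for raw in config.splitlines():
        line = raw.strip()
        m = DIRECTED_REQUEST.match(line)
        if m:
            proto = m.group("proto").split("-")[0]      # tacacs / radius
            if m.group("neg"):
                enabled.discard(proto)
            else:
                enabled.add(proto)
            continue
        m = FEATURE_TELNET.match(line)
        if m:
            telnet = m.group("neg") is None
    return Exposure(enabled, telnet)


def report(config: str) -> str:
    """Human-readable verdict for one device."""
    e = triage(config)
    if not e.affected:
        return "not affected: directed request disabled"
    via = "Telnet and console" if e.telnet_enabled else "console only (Telnet disabled)"
    protos = ", ".join(sorted(e.directed_request))
    return f"affected: directed request enabled for {protos}; reachable via {via}"


# Constructed sample configs (not captured from real devices).
SAMPLE_EXPOSED = """\
feature telnet
feature tacacs+
tacacs-server host 192.0.2.10 key 7 "example"
tacacs-server directed-request
aaa authentication login default group tacacs-group
"""

SAMPLE_CONSOLE_ONLY = """\
no feature telnet
feature ssh
radius-server host 192.0.2.20 key 7 "example"
radius-server directed-request
"""

SAMPLE_SAFE = """\
feature ssh
feature tacacs+
tacacs-server host 192.0.2.10 key 7 "example"
aaa authentication login default group tacacs-group
"""

if __name__ == "__main__":
    for name, cfg in [("exposed", SAMPLE_EXPOSED),
                      ("console-only", SAMPLE_CONSOLE_ONLY),
                      ("safe", SAMPLE_SAFE)]:
        print(f"{name}: {report(cfg)}")
```

Run it against `show running-config` output collected from each switch; devices reported as affected should be patched or have directed request disabled, and any that are also reachable over Telnet should be prioritised.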