Cyware Daily Threat Intelligence

Daily Threat Briefing Dec 4, 2023

The macOS ecosystem faces rising threats, making it harder for users to guard against evolving cyber risks. Cybercriminals have been observed bundling popular software on warez sites with a proxy trojan in a malware campaign aimed at Mac users; the trojan turns infected computers into traffic-forwarding proxies. Separately, a series of interconnected attacks were discovered that use tools such as the new 'Agent Raccoon' backdoor, 'Ntospy,' and a customized version of Mimikatz to target organizations in the Middle East, Africa, and the U.S.

Security researchers urged immediate action against threats stemming from unsupported Exchange servers and the high-severity Citrix Bleed flaw. Tens of thousands of vulnerable Exchange servers remain exposed to the public internet across Europe, the U.S., and Asia, while the Citrix Bleed bug has emerged as the root cause of system outages at hospitals.

Top Breaches Reported in the Last 24 Hours

Astrology platform security misstep

WeMystic, a platform focusing on astrology, numerology, and tarot, inadvertently exposed 34GB of sensitive user data through an open and passwordless MongoDB database. The database, containing information related to WeMystic's services, was accessible for at least five days before being secured. The exposed data included 13.3 million records containing names, email addresses, dates of birth, IP addresses, gender, and horoscope signs.

Ransomware attack impacts 60 U.S. credit unions

Approximately 60 credit unions in the U.S. faced service disruptions due to a ransomware attack on Ongoing Operations, a cloud IT provider that serves the affected credit unions. The National Credit Union Administration (NCUA) confirmed the incident and stated that it is working to address the situation. Ongoing Operations, owned by Trellance, suffered the ransomware attack on November 26. The attack has led to system downtime, impacting credit unions that rely on the vendor for various services.

Healthcare group notifies of data theft

Proliance Surgeons, a large surgical group based in Seattle, notified nearly 437,400 individuals about a ransomware and data theft incident that occurred earlier in the year. The cyberattack involved the encryption of some IT systems and files, as well as unauthorized access leading to the removal of a limited number of files. A forensic investigation found that additional files, potentially containing personal information, may have been accessed by attackers. The compromised data includes the personal and medical information of individuals.

Top Malware Reported in the Last 24 Hours

Mac users targeted with proxy trojan

A new proxy trojan is targeting Mac users through trojanized versions of popular, copyrighted macOS software available on warez sites. Cybercriminals are bundling the proxy malware with software such as 4K Video Downloader Pro, Sketch, and Wondershare UniConverter 13. The trojanized versions are distributed as PKG files whose installation scripts run with administrator rights, enabling further risky actions on the system.

Agent Raccoon: A multi-continent threat

Palo Alto Networks researchers exposed an Agent Raccoon malware campaign targeting organizations across various sectors in the U.S., the Middle East, and Africa. The malware disguises itself as a Google Update or Microsoft OneDrive Updater and uses the DNS protocol for covert communication with its C2 infrastructure. The attackers, focused on espionage, also use other tools such as 'Mimilite' (a customized Mimikatz) and 'Ntospy' (a DLL-based credential stealer).

Obfuscation tool abused in account takeover attacks

ScrubCrypt, an obfuscation tool, is being used by threat actors to evade antivirus detection and launch attacks. HUMAN's Satori Threat Intelligence Team discovered a new build of ScrubCrypt for sale in underground communities. In an attack on a HUMAN customer, ScrubCrypt was used to deliver RedLine Stealer, a malware known for exfiltrating credentials and cryptocurrency wallets, with the goal of account takeover and fraud. ScrubCrypt converts executable files into batch files, allowing attacks to slip past email and messaging safeguards.

Experts dissect new macOS ransomware 'Turtle'

Cybersecurity researcher Patrick Wardle conducted a detailed analysis of a new macOS ransomware called Turtle. Wardle suggests that the malware may have been originally developed for Windows and later ported to macOS. The Turtle ransomware is not considered sophisticated, and its discovery on macOS indicates an increasing interest in targeting Apple devices in the cybercrime underground. The malware encrypts files using AES in CTR mode, renames them, and adds the extension "TURTLERANSv0" to the filenames.

Top Vulnerabilities Reported in the Last 24 Hours

Thousands of unsupported Exchange servers

According to the ShadowServer Foundation, close to 20,000 Microsoft Exchange servers have reached end-of-life, with more than half located in Europe, followed by 6,038 in the U.S., and 2,241 in Asia. Running an unsupported software version makes these devices vulnerable to remote code execution attacks. Security researcher Yutaka Sejiyama discovered over 30,000 such servers on the web. These systems were found susceptible to multiple security issues, including the critical ProxyLogon vulnerability.

Hospitals warned to patch critical 'Citrix Bleed' flaw

The HHS issued a warning to hospitals, urging them to patch the critical 'Citrix Bleed' NetScaler vulnerability (CVE-2023-4966), which has been actively exploited in ransomware attacks. Ransomware groups are using this vulnerability to breach networks by bypassing login requirements and multifactor authentication. The HHS' HC3 has emphasized the urgency for healthcare organizations to secure vulnerable NetScaler ADC and NetScaler Gateway devices to prevent further damage to the sector.