Cyware Daily Threat Intelligence

Daily Threat Briefing • Dec 14, 2023
The U.S., U.K., and Polish government agencies put a spotlight on a Russian espionage outfit that has been actively exploiting a JetBrains TeamCity flaw since September. The authentication bypass affects on-premises TeamCity instances and allows unauthorized access to sensitive information and full server takeover. Dell's security advisory is also out. The company urged users of its PowerProtect appliances to address several severe vulnerabilities, including a high-severity DOM-based XSS bug that lets remote attackers inject malicious code into a user's browser.
Cybercriminals have enhanced the deception techniques in their BazarCall attacks. The attacks now use Google Forms to create a fake transaction form, complete with details such as invoice numbers and payment information. Users who fall for the lure may end up installing malware on their devices.
City of Defiance falls victim to cyberattack
The City of Defiance, Ohio, was targeted by the Knight ransomware group, resulting in a data breach of over 390GB of sensitive information. The group announced the attack on its dark web leak site, claiming the stolen data includes employee records, law enforcement videos, emails, and confidential documents. The listing included a countdown timer, with the attackers promising to release more data later.
Healthcare entity’s ongoing extortion
Tri-City Medical Center, California, continues to face extortion by the Inc Ransom group, which has posted stolen records on the dark web. The ransomware attack disrupted the hospital's operations on November 9, with services partially restored on November 27. The posted records include prior authorization forms, financial details, and other sensitive information. Patients are advised to monitor their credit, medical records, and financial accounts for signs of fraud.
Switzerland district court hit by cyberattack
A Swiss district court serving the German-speaking district of March has fallen victim to a cyberattack, possibly involving ransomware. The court shut down its entire IT system to protect its data. Although details remain undisclosed, the incident follows a November ransomware attack on Zollikofen, a suburb of Bern.
Attack on WMC Health Network
New York-based healthcare providers HealthAlliance Hospital, Margaretville Hospital, and Mountainside Residential Care Center, all part of the Westchester Medical Center Health Network (WMCHealth), disclosed a nearly two-month-long intrusion. Threat actors had access to the IT network from August 18 to October 13, compromising patients' personal, medical, and financial data.
Insomniac Games targeted in ransomware attack
Sony is investigating reports of a ransomware attack on its subsidiary Insomniac Games, known for popular titles such as Spider-Man. The Rhysida ransomware gang claimed responsibility, demanding an undisclosed ransom and giving Insomniac Games six days to respond. Sony Interactive Entertainment (SIE) stated there is no reason to believe any other SIE or Sony division is affected.
Attackers use KV-Botnet against SOHO devices
A Small Office/Home Office (SOHO) router botnet, KV-Botnet, has been linked to China's Volt Typhoon cyberespionage group. Operating since at least February 2022, the botnet targets end-of-life SOHO devices, including Cisco routers and Axis IP cameras; because these devices no longer receive vendor updates, replacing or isolating them rather than patching is the practical mitigation. Recent structural changes in the botnet, including the targeting of new device types, suggest preparations for an upcoming campaign. Researchers anticipate increased activity during the holiday season, focused on strategic interests in the Indo-Pacific region and critical infrastructure.
Russian APT exploits TeamCity bug
Government agencies in the U.S., U.K., and Poland jointly revealed that the Russian cyberespionage group APT29 has been exploiting the critical TeamCity vulnerability CVE-2023-42793 on a large scale since September. The vulnerability, an authentication bypass, lets an unauthenticated attacker steal sensitive information and take over vulnerable on-premises servers; because TeamCity is a CI/CD server, a compromised instance also exposes source code, build secrets, and a route into the software supply chain. After gaining access, APT29 escalated privileges, moved laterally, deployed additional backdoors, and established persistent access to compromised networks.
Dell urges patching of critical bugs
Dell released a security advisory and patches for a series of vulnerabilities affecting its PowerProtect Data Domain series appliances. The most serious is a DOM-based cross-site scripting (XSS) issue tracked as CVE-2023-44286. The flaw allows a remote, unauthenticated attacker to inject malicious code into a user's browser, potentially leading to client-side request forgery, session theft, and information disclosure. Other high-severity vulnerabilities include OS command injection and improper access control flaws.
Phishing attack enhances deception
Cybersecurity researchers have observed a new variant of the BazarCall phishing attack that uses Google Forms to increase its credibility. The scammers send phishing emails in the form of Google Forms invitations, which makes the fraudulent communication appear legitimate. The attacker fills the form with fake transaction details and enables the response receipt option, so that Google itself sends a copy of the "response" to the target's email address. Because the message originates from legitimate Google infrastructure rather than from attacker-controlled mail servers, traditional email security tools that lean on sender reputation struggle to flag it, making the phishing attempt harder to detect.
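The receipt-based lure described above arrives from a legitimate Google sender, so content signals, not sender reputation, have to carry the detection. The following added example (written for this briefing; it is not code from Cyware or from the researchers who reported the campaign) scores a raw email on the combination of a Forms receipt sender, transaction vocabulary, a dollar amount, a phone number, and a call-to-action, flagging the lure while passing an ordinary survey receipt. The receipt sender address, the keyword lists, and both sample messages are assumptions and constructed data, not verified indicators.

```python
"""
Triage heuristic for Google Forms "response receipt" emails abused in
BazarCall-style callback phishing.

Added example for this briefing; it is not code from Cyware or from any
vendor or researcher mentioned here.  The receipt sender address, the lure
vocabulary and both sample messages below are assumptions/constructed data,
so treat them as starting points to tune against real mail, not as verified
indicators.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# Assumed: the address Google Forms uses for response receipts.  A legitimate
# sender is exactly why the lure survives reputation checks, so the sender
# alone is never a verdict; it is combined with the content signals below.
FORMS_RECEIPT_SENDER = "forms-receipts-noreply@google.com"

# Content signals typical of a fake transaction notice (assumed vocabulary).
MONEY_WORDS = re.compile(
    r"\b(invoice|payment|charged|transaction|subscription|renew(?:al|ed)|order)\b", re.I)
AMOUNT = re.compile(r"\$\s?\d{1,5}(?:\.\d{2})?")
# Callback phishing needs a number to call; North-American format assumed.
PHONE = re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b")
CALL_TO_ACTION = re.compile(r"\b(call|contact|dial|cancel|refund|dispute)\b", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks: List[str] = []
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> Dict[str, object]:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").lower()
    body = _body_text(msg)
    indicators: List[str] = []
    if FORMS_RECEIPT_SENDER in sender:
        indicators.append("forms_receipt_sender")
    if MONEY_WORDS.search(body):
        indicators.append("money_words")
    if AMOUNT.search(body):
        indicators.append("amount")
    phone = PHONE.search(body)
    if phone:
        indicators.append("phone_number")
    if CALL_TO_ACTION.search(body):
        indicators.append("call_to_action")
    # Verdict: a Forms receipt that talks about money AND asks the reader to
    # phone a number.  Ordinary survey receipts carry neither signal.
    suspicious = (
        "forms_receipt_sender" in indicators
        and "phone_number" in indicators
        and ("money_words" in indicators or "amount" in indicators)
    )
    return {
        "subject": msg.get("Subject", ""),
        "indicators": indicators,
        "phone": phone.group(0) if phone else None,
        "suspicious": suspicious,
    }


def triage(messages: List[str]) -> List[str]:
    """Subjects of the messages that should be pulled for analyst review."""
    return [r["subject"] for r in map(score_message, messages) if r["suspicious"]]


# Constructed sample messages (not real captures).
LURE = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Payment receipt - Order 48213
Content-Type: text/plain; charset="utf-8"

Thank you for your purchase. Invoice #INV-48213.
Your antivirus subscription was renewed and your card was charged $389.99.
If you did not authorize this transaction, call (800) 555-0199 within
24 hours to cancel and request a refund.
"""

BENIGN = """From: Google Forms <forms-receipts-noreply@google.com>
To: victim@example.com
Subject: Team lunch preferences
Content-Type: text/plain; charset="utf-8"

Thanks for filling out "Team lunch preferences".
Your response has been recorded.
"""

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN)):
        print(name, score_message(raw))
    print("for review:", triage([LURE, BENIGN]))
```

Run it as a script to print the indicator breakdown for both samples. In a mail pipeline the same scoring would sit behind a rule that also confirms the receipt does not correspond to a form the organisation actually uses, and the extracted phone number would be cross-checked against known callback-phishing numbers before the message is escalated or quarantined.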