Cyware Daily Threat Intelligence
Daily Threat Briefing • Dec 15, 2023
Publicly traded financial services firms are among the top targets of cybercriminals, as researchers took the wraps off a collaboration among major ransomware groups planning a series of attacks against them. This highlights the fluid nature of the ransomware threat landscape. Meanwhile, a threat actor collective updated its arsenal to infiltrate the networks of Palestinian entities. The Pierogi backdoor has been updated and might reach target systems through spear-phishing campaigns.
A recently patched critical flaw in Apache Struts has come under attack. The flaw is a path traversal vulnerability that can be exploited for unauthorized access, data theft, service disruption, and lateral movement within compromised networks. The scope of the impact is under investigation.
Ledger warns of supply chain attack
Ledger, the hardware wallet provider, warns users against using web3 decentralized applications (dApps) following a supply chain attack on its "Ledger dApps Connect Kit" library. The compromised library, containing a wallet-draining JavaScript code, resulted in the theft of approximately $600,000 in cryptocurrencies and NFTs. Ledger has since removed the malicious version, urging users to replace potentially impacted versions with a clean copy.
Nuclear lab notifies 45,000 of breach
Idaho National Laboratory (INL) is informing 45,000 individuals of a data breach in which personal information, including names, dates of birth, SSNs, and banking details, was stolen. The breach occurred on November 20 and targeted the Oracle Human Capital Management (HCM) software used for certain human resources applications. The incident impacted current and former employees, retirees, and others affiliated with Battelle Energy Alliance (BEA), the contractor managing INL, and some Idaho Cleanup Project (ICP) employees.
Kraft Heinz investigating cyberattack claim
Snatch ransomware group publicly claimed an attack on Kraft Heinz on its website, indicating the incident occurred several months ago. Kraft Heinz, one of the world's largest food and beverage companies, is investigating the cyberattack, which is believed to have targeted a decommissioned marketing site hosted on an external platform. The company stated that its internal systems are currently operating normally, and there is no evidence of a broader attack. The cybercriminals have yet to publish proof of their claims.
GokuMarket exposes user data
Centralized cryptocurrency exchange GokuMarket left an unprotected MongoDB instance, exposing the details of over a million users. The leak included user IP addresses, countries, email addresses, encrypted passwords, crypto wallet addresses, dates of birth, names, and mobile numbers. The exposed database also revealed 35 accounts with full-admin access, containing sensitive information like private Telegram channel IDs, exchange platform secret tokens, and passwords.
Major dental insurance provider hit
Delta Dental, a dental insurance provider in California covering 85 million people, is notifying almost seven million patients of a data breach. The incident, affecting the California division, occurred through the MOVEit file transfer software application, exploited by the Clop ransomware gang using a zero-day SQL injection flaw. Unauthorized actors accessed and stole data, including names, financial account numbers, and credit/debit card details, between May 27 and May 30, 2023.
Ransomware groups join forces
Cybersecurity firm Resecurity discovered evidence of collaboration between three major ransomware groups—BianLian, White Rabbit, and Mario. The collaboration was identified during a Digital Forensics & Incident Response (DFIR) engagement involving a law enforcement agency and an investment organization in Singapore. The ransomware gangs worked together in a joint extortion campaign targeting publicly traded financial services firms.
Gaza Cyber Gang upgrades backdoor tool
The pro-Hamas threat group, Gaza Cyber Gang, apparently evolved its tactics to target Palestinian entities with an updated version of the Pierogi backdoor, now coded in C++. The malware, dubbed Pierogi++, displays similarities with its Delphi-based predecessor but enhances evasion techniques. Gaza Cyber Gang has an extensive history of targeting the Middle East, particularly Israel and Palestine.
Hackers exploit Apache Struts flaw
Hackers are actively exploiting the recently patched critical vulnerability (CVE-2023-50164) in Apache Struts to achieve RCE. The flaw allows for path traversal, enabling attackers to upload malicious files and potentially compromise the target server. The exploit, which leverages publicly available proof-of-concept code, poses a significant risk, as Apache Struts is widely used in various industries for web application development.