Cyware Daily Threat Intelligence

Daily Threat Briefing • Dec 28, 2023
Watch out! A newly identified malware loader, Rugmi, has been discovered amplifying the distribution of information stealers, such as Lumma Stealer, Vidar, and RecordBreaker. In a different report, researchers laid bare an analysis of cyberattack campaigns targeting poorly managed Linux SSH servers. Threat actors utilize SSH scanner malware alongside DDoS bots and crypto miners to compromise systems through vulnerability exploits.
Meanwhile, a critical zero-day vulnerability in an Apache ERP system, stemming from an incomplete patch for a previous flaw, enables attackers to bypass authentication. Users are advised to apply the patches urgently.
Yakult Australia hit by cyberattack
Yakult Australia, the manufacturer of a popular probiotic milk drink, fell victim to a cyber incident, allegedly by the DragonForce group. The group claimed to have pilfered 95GB of data belonging to the company. The leaked data includes company databases, contracts, passports, and other sensitive information. The company's IT systems in both Australia and New Zealand were affected, but operations remain open.
Lottery systems hijacked
The Ohio Lottery faced a cyberattack on Christmas Eve, leading to the shutdown of some key systems. While the gaming system remained operational, certain services, such as mobile cashing, prize cashing above $599 at Super Retailers, and the display of winning numbers for KENO, Lucky One, and EZPLAY Progressive Jackpots, were affected. Again, DragonForce has claimed responsibility for the attack, stating they stole data worth over 600GB.
Emergency services disabled
The Katholische Hospitalvereinigung Ostwestfalen (KHO) network in Germany confirmed a Lockbit ransomware attack on three of its hospitals – Franziskus Hospital Bielefeld, Sankt Vinzenz Hospital Rheda-Wiedenbrück, and Mathilden Hospital Herford. Although patient treatment continues, emergency care services were impacted, leading to potential delays for critical cases. Investigations are ongoing to determine the extent of the damage and whether the attackers stole sensitive data.
Insurance board systems locked out
The National Insurance Board in Trinidad and Tobago (NIBTT), responsible for the nation's social security system, experienced a ransomware attack. As a result, all offices will be closed until the end of the year. The NIBTT is working to assess the extent of the attack. It has not disclosed details about the ransomware group or whether a ransom has been paid. The incident follows a ransomware attack on Trinidad and Tobago's justice department in July.
New malware loader delivers info-stealers
Threat actors are using the Rugmi malware to deliver information stealers such as Lumma Stealer, Vidar, RecordBreaker, and Rescoms, according to ESET researchers. The Rugmi loader consists of a downloader that fetches an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on disk. Telemetry data indicates a significant spike in Rugmi loader detections in October and November 2023. The malware spreads through various means, including malvertising, fake software updates, and the use of Discord's CDN.
Malware attacks on poorly managed Linux servers
AhnLab has analyzed attack campaigns targeting poorly managed Linux SSH servers, shedding light on the tactics employed by threat actors. The attackers deploy malware such as ShellBot, Tsunami, ChinaZ DDoS Bot, and the XMRig miner. The analysis reveals the use of an ID and password list for SSH brute force attacks, with threat actors deploying various tools, including port scanners, banner grabbers, and SSH dictionary attack tools.
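On the defender's side, the ID/password-list activity described above leaves a distinctive trace in sshd logs: many failed passwords from one source across many account names, sometimes followed by a successful login. The following added example (not from the AhnLab report) flags such sources and any login they subsequently obtain; the log lines and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample sshd entries (not from the AhnLab report); source addresses
# are documentation-range placeholders.
SAMPLE_AUTH_LOG = """\
Dec 28 03:14:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Dec 28 03:14:03 web1 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 50130 ssh2
Dec 28 03:14:05 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 50138 ssh2
Dec 28 03:14:07 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 50144 ssh2
Dec 28 03:14:09 web1 sshd[2209]: Failed password for invalid user ubuntu from 203.0.113.7 port 50150 ssh2
Dec 28 03:14:12 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 50158 ssh2
Dec 28 03:20:44 web1 sshd[2300]: Failed password for alice from 198.51.100.9 port 41000 ssh2
Dec 28 03:20:50 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 41004 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")

def analyze_sshd_log(text, fail_threshold=5, user_threshold=3):
    """Flag sources that run an ID/password list against sshd, and any login they then obtain."""
    # A source is flagged once it reaches fail_threshold failures or user_threshold distinct names;
    # an accepted login from an already flagged source is reported as a likely compromise.
    fails = defaultdict(int)   # source IP -> failed password count
    users = defaultdict(set)   # source IP -> distinct account names tried
    compromised = []           # (source IP, user, auth method)

    def flagged(src):
        return fails[src] >= fail_threshold or len(users[src]) >= user_threshold

    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            fails[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m and flagged(m.group(3)):
            method, user, src = m.groups()
            compromised.append((src, user, method))

    attackers = {src: (fails[src], sorted(users[src])) for src in fails if flagged(src)}
    return {"attackers": attackers, "compromised": compromised}

if __name__ == "__main__":
    for key, value in analyze_sshd_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```

Thresholds are deliberately low for the sample; on a real host tune them against the baseline of legitimate failures and feed the output to whatever alerting or lockout mechanism is in place.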
Zero-day flaw in Apache OFBiz ERP system
A zero-day security vulnerability has been identified in Apache OFBiz, an open-source ERP system. Tracked as CVE-2023-51467, the flaw is located in the login functionality and can be exploited to bypass authentication protections. The issue is the result of an incomplete patch for another critical vulnerability, CVE-2023-49070. The incomplete fix left the root problem unaddressed, allowing the authentication bypass to persist. Successful exploitation could lead to unauthorized access to internal resources.