Cyware Daily Threat Intelligence

Daily Threat Briefing • Feb 7, 2023
Cl0p operators are spreading their wings across the cyber landscape. The ransomware group rolled out the ELF Cl0p variant as its first Linux encryptor. It was first spotted during an attack aimed at a university in Colombia. For a long time, embedding malicious executables in images and archives has been a popular method for hackers to evade detection. GuLoader malware has made a similar transition, moving from malware-laced Microsoft Word documents to NSIS executable files for loading the malware.
If you're a user of GoAnywhere MFT and not aware of the zero-day affecting the administrative console, please hurry and make a move toward safeguarding your systems: apply the latest emergency patch, as an exploit is already available.
Ransomware attack on MKS Instruments
Production has been interrupted at semiconductor equipment maker MKS Instruments in the wake of a ransomware attack. The Massachusetts-based firm had its website knocked offline. The extent and full scope of the incident are yet to be determined. MKS Instruments is a supplier of subsystems for printed circuit boards, wafer-level packaging, and semiconductor fabrication.
Schools shut in West Virginia
A cyberattack on Berkeley County Schools, West Virginia, caused 20,000 students to miss classes. The attack crippled the school district’s network and left it with an internet and phone outage. Officials stated that they weren’t aware of any personal data leak during the incident.
Brit engineering firm targeted
U.K. engineering company Vesuvius Plc announced that it recently became aware of unauthorized activity on its networks. The company did not provide further details regarding the intrusion or the nature of the attack. While an investigation is ongoing, the firm has shut down affected systems.
Patient data at risk, once again
San Diego’s largest health provider, Sharp HealthCare, informed 62,777 individuals about unauthorized access to their personal information on its systems by a third party. Affected information includes patient names, Sharp identification numbers, and payment details. However, the firm outlined that the breach did not include patients’ banking data, SSNs, health insurance information, or health records, and said that the exposed information varies from victim to victim.
Linux version of Cl0p ransomware
SentinelLabs claimed to have observed the first Linux variant of Cl0p ransomware. The ELF variant of the ransomware uses the same encryption method and similar process logic as its Windows counterpart. Given that some Windows-only capabilities are missing from this new Linux version, it appears to still be in the early stages of development. The firm has also shared a free decryptor with law enforcement to help victims.
GuLoader makes a clever move
A GuLoader malware campaign was observed targeting e-commerce companies in the U.S. and South Korea. The malicious activity shows that the hackers switched from Microsoft Word documents to NSIS executable files to drop the malware. Other nations that were targeted in this campaign include Germany, Saudi Arabia, Taiwan, and Japan.
Exploit code and patch release
A security researcher from Code White published proof-of-concept (PoC) exploit code against vulnerable GoAnywhere MFT servers. Exploitation of the bug allows an attacker to perform unauthenticated RCE on compromised systems. The attack vector requires access to the application's administrative console. A patch has been released for the flaw.
Bugs in OpenSSH fixed
The maintainers of OpenSSH have addressed a number of security bugs in the OpenSSH server (sshd). This round of patching addresses a memory safety flaw tracked as CVE-2023-25136, a pre-authentication double-free bug. The flaw lies in a memory block that is freed twice, resulting in a double-free condition in the unprivileged sshd process.
Sunlogin flaws affect Windows users
Hackers were found abusing vulnerabilities in Sunlogin, a remote-control software by a Chinese developer, in a new attack campaign to launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks and distribute the Sliver post-exploitation toolkit. Two 2022 flaws in Sunlogin were the focus of recently detected assaults. The abuse can lead to the deployment of the Gh0st RAT, XMRig Monero coin miner, and more.
Critical vulnerability in Baicells products
A critical command injection flaw in some of Baicells Technologies' Nova base station products can be remotely exploited without authentication, revealed cybersecurity researcher Rustam Amin. A hacker can send carefully crafted HTTP requests to a vulnerable device to gain full control of it. The bug, identified as CVE-2023-24508, can also be exploited to trigger a shutdown of the device.