Cyware Daily Threat Intelligence

Daily Threat Briefing • Jan 9, 2023
Rogue packages on open-source repositories continue to be a persistent threat to developers. Of late, half a dozen malicious PyPI packages were discovered by researchers; they could extract sensitive data such as crypto wallets, browser cookies and passwords, and Discord tokens. Moreover, adversaries circulated a far more infectious fake Zoom app download that deploys the IcedID trojan on victims’ systems. Hackers have even launched a copy of the legitimate Zoom website, adding to the apparent authenticity of the attack.
On the system vulnerability side, the CISA has urged organizations using Hitachi Energy products to patch sensitive flaws as soon as possible to safeguard against potential exploitation of the products.
Healthcare services provider’s network breach
Consulate Health Care, a senior healthcare services organization, was listed as the victim of an attack by the Hive ransomware group on its leak site. The group allegedly stole contracts, NDAs and other agreement documents, other critical company data, and employee information, amounting to 550 GB.
Ransomware attack on Romanian hospital
Saint Gheorghe Recovery Hospital, Romania, continues to remain impacted, owing to a ransomware attack on its infrastructure last month. Cyber adversaries have demanded 3 BTC to decrypt the data. Reports suggest that the attack was sophisticated in nature and looks like the work of an experienced group.
Airline customers suffer breach
Customers of Air France and KLM using Flying Blue, an airline loyalty program, fell victim to a breach that exposed their personal data. Airlines have informed the impacted users that their accounts were frozen and will be reactivated as soon as they visit the websites of the airlines to change their passwords.
Russia targeted nuclear-based labs
Russian threat group Callisto, aka Cold River, targeted three high-profile nuclear research laboratories, namely Argonne, Brookhaven, and Lawrence Livermore, all located in the U.S. As per Reuters, these attacks occurred between August and September 2022.
30% of Texans exposed
A ransomware attack on Metropolitan Area EMS Authority, an administrative agency in Texas, victimized 612,000 individuals, about 30% of the county’s population. The agency operates its business as MedStar Mobile Healthcare and is still determining the full scope of the incident.
Dropping IcedID via phishing
Researchers at Cyble laid bare a phishing campaign using fake Zoom landing pages to distribute the IcedID malware. If installed, the malware connects to its C2 server, which can let an attacker download further payloads into the %programdata% directory. IcedID is a highly advanced, long-lived malware threat affecting victims globally.
Six malicious PyPI packages
The Phylum research team found six malicious PyPI packages installing info-stealers and RAT malware, while abusing Cloudflare Tunnel to bypass firewall restrictions. The packages could steal user information stored in browsers, run shell commands, and use keyloggers to steal other secrets. The malicious packages, now removed, were uploaded up until December 31, 2022.
ChatGPT-written Malware
Security firm Check Point uncovered an attack campaign involving the use of ChatGPT, a highly optimized language model. In one instance, a hacker on an underground forum shared Android malware code written by ChatGPT. Researchers found more tools that could be leveraged to install a backdoor on a device and download additional malware.
CISA warns about Hitachi Energy bugs
The CISA released advisories to customers of Hitachi Energy about highly critical flaws in three of its products: UNEM, Foxman-UN, and Lumada Asset Performance Management (APM). The bugs can be abused for a variety of malicious purposes, including obtaining sensitive information and triggering DoS attacks and arbitrary code execution.
Pokemon NFT scam hits market
Cybercriminals are targeting Pokemon NFT enthusiasts via a couple of Pokemon-based NFT card game sites that can lead to the compromise of victims' devices. How? The fake site pushes the NetSupport remote access tool onto users’ devices. Security analysts at ASEC observed the first signs of this campaign in December 2022.