
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 9, 2024

YouTube-based cybercrime returns with security experts warning about a Lumma Stealer campaign. The attackers compromise YouTube accounts and lure users by offering them cracked software downloads that contain the info-stealer.

Hopping to security flaws in the news today, Kyocera's Device Manager addressed a security flaw that enabled attackers to manipulate backup path settings. Exploitation of this flaw could lead to a potential capture of Active Directory hashed credentials. Meanwhile, QNAP issued several security advisories to address numerous high, medium, and low-severity vulnerabilities across its products.

Top Breaches Reported in the Last 24 Hours

Rhysida claims Christmas attack

The Rhysida ransomware group reportedly targeted the Lutheran World Federation (LWF), a member of the World Council of Churches (WCC). The WCC confirmed the ransomware attack on December 28, 2023, reporting that hackers demanded a ransom. The Rhysida group demanded 6 BTC (approximately $280,000) for the stolen information, to be paid within seven days before public release.

Pregnancy care clinic exposes sensitive data

A data breach at the Midwives of Windsor clinic, in Canada, impacted patients’ sensitive information, including names, addresses, medical details, and insurance information. The breach occurred in April 2023. Concerns arose over the delayed notification, potentially allowing for identity theft or scams. While Midwives of Windsor claims no data misuse, affected patients are advised to remain vigilant for suspicious communications.

.env file of Saudi ministry compromised

The Saudi Ministry of Industry and Mineral Resources (MIM) suffered a data exposure incident, revealing a critical environment (.env) file containing database credentials, mail credentials, and encryption keys. Indexed by IoT search engines in March 2022 and left exposed for at least 15 months, the file provided a potential gateway for attackers to perform lateral movement within the ministry's systems. The leak included SMTP credentials, enabling impersonation for social engineering attacks, and database credentials for MySQL and Redis.

Swiss Air Force document leaked

Documents belonging to the Swiss Air Force were leaked on the dark web following a data breach at U.S. security company Ultra Intelligence & Communications. The breach, attributed to the BlackCat ransomware group, exposed approximately 30GB of sensitive data, including a $5 million contract between the Swiss Department of Defence and Ultra Intelligence & Communications for encrypted communication technology.

Top Malware Reported in the Last 24 Hours

Decryptor for Babuk variant out

Cisco Talos, in collaboration with Dutch Police and Avast, successfully recovered a decryptor for files affected by a Babuk ransomware variant called Tortilla. The collaborative effort led to the identification, arrest, and prosecution of the Babuk Tortilla threat actor by Dutch Police. Users affected by Babuk ransomware can access the decryptor through NoMoreRansom or Avast.

Lumma Stealer infection via YouTube

FortiGuard Labs researchers discovered an attack campaign involving the Lumma Stealer malware spreading through hijacked YouTube channels. Threat actors compromise YouTube accounts, upload videos disguised as legitimate cracked software, and redirect users to malicious URLs via installation guides. Unique to this campaign is the use of GitHub and MediaFire to evade traditional web filter blacklists. Lumma Stealer targets sensitive information like user credentials and browser data.

Top Vulnerabilities Reported in the Last 24 Hours

Security flaw in Kyocera's Device Manager

A security flaw, tracked as CVE-2023-50916, has been identified in Kyocera's Device Manager. The bug allows attackers to coerce authentication attempts to their own resources, potentially capturing or relaying Active Directory hashed credentials. This path traversal issue enables unauthorized access and data theft. The vulnerability has been addressed in Kyocera Device Manager version 3.1.1213.0.

QNAP fixes multiple vulnerabilities

QNAP released fixes for several vulnerabilities, including a high-severity prototype pollution flaw (CVE-2023-39296) impacting QTS and QuTS hero. Other flaws include cross-site scripting (XSS) and OS command injection vulnerabilities in QuMagie, SQL injection and OS command injection vulnerabilities in Video Station, and an unauthenticated remote code execution vulnerability in Netatalk.

Top Scams Reported in the Last 24 Hours

Scammers pose as security researchers

Scammers were found impersonating security researchers to contact organizations that have fallen victim to ransomware attacks. The scammers offer to hack into the ransomware groups' servers to delete exfiltrated data for a fee. They use the names "Ethical Side Group" and "xanonymoux" and claim proof of access to the stolen data. They threaten the organizations, insinuating that they risk future attacks if the stolen data is not deleted.

Netgear and Hyundai Twitter accounts hijacked

The official Twitter accounts of Netgear and Hyundai MEA (Middle East & Africa) were compromised by hackers to promote cryptocurrency scams. The attackers, yet to be identified, targeted over 160,000 followers with malicious tweets and links to fraudulent websites promising financial rewards. While Hyundai MEA has regained control and removed the malicious content, Netgear is still struggling to recover its account.
