
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 16, 2024

Do you own a home heating system from Bosch? Security experts have warned that Bosch thermostats, marketed as "sleek, internet-connected" devices, contain a flaw that could enable hackers to cut power and override firmware. Bosch also addressed dozens of bugs in Rexroth Nexo cordless nutrunners that could allow tampering with configurations and even ransomware deployment. Speaking of bugs, two security flaws in the SonicWall NGFW management interface expose over 178,000 internet-facing appliances to DoS and RCE risks.

New reports on Akira ransomware attacks uncovered several victims in Finland. The group accounted for six out of seven recent incidents, with threat actors focusing on wiping NAS and tape backup devices to hinder data recovery. The attack vector involved poorly secured VPN gateways, particularly on Cisco ASA or FTD devices.

Top Breaches Reported in the Last 24 Hours

Rhysida claims attack on healthcare

Singing River Health System, Mississippi, notified nearly 253,000 individuals about a "malicious and sophisticated ransomware" attack that occurred last summer. It affected patient services and also knocked IT systems offline for several days. The compromised information includes patient names, birthdates, addresses, SSNs, and medical and health information. The Rhysida ransomware group claimed responsibility for the attack.

NoName cripples Lithuanian organizations

The NoName ransomware group allegedly targeted major organizations in Lithuania, including Compensa Vienna Insurance Group, If Insurance, Lithuanian Roads Association, AD REM, INIT, and Balticum. Some sites displayed error messages related to internet connectivity and server response times. The attackers defaced the sites using DDoS attacks.

French and Japanese companies under attack

The LockBit ransomware group added Maisons de l’Avenir (France) and Shinwa Co (Japan) to its list of victims, setting a deadline of February 4, 2024, for its ransom demands. Despite the claims, both companies' websites appeared functional, raising doubts about the authenticity of the cyberattack. According to experts, if the attack claims are verified, the consequences could reach well beyond the immediate disruption.

Top Malware Reported in the Last 24 Hours

Akira ransomware targets Finnish firms

The NCSC-FI noted a surge in Akira ransomware attacks targeting organizations in the country. The attacks, which increased in December 2023, involve threat actors wiping NAS and backup devices. Six out of seven reported infections were attributed to the Akira ransomware family. The attackers exploit poorly secured VPN gateways on Cisco ASA or FTD devices, leveraging a known vulnerability tracked as CVE-2023-20269. The ransomware group claims to have hacked multiple organizations in various industries since March 2023.

Remcos RAT disguised as adult games

The Remcos RAT is being distributed in South Korea through webhards, leveraging adult-themed games as a disguise. In this tactic, users are deceived into opening files posing as adult games, which, when executed, run malicious Visual Basic scripts to launch an intermediate binary named "ffmpeg.exe." This process fetches the Remcos RAT from a server controlled by threat actors, enabling unauthorized remote control and surveillance of compromised systems.

Top Vulnerabilities Reported in the Last 24 Hours

Opera flaw allows RCE

A now-patched security flaw, dubbed MyFlaw, in the Opera web browser for Windows and macOS could be exploited for RCE, revealed security researchers at Guardio Labs. Attackers can abuse the My Flow feature, which syncs messages and files across devices, to bypass the browser's sandbox through a controlled extension, creating a risk of code injection. The flaw was responsibly disclosed in November 2023 and swiftly addressed by Opera in subsequent updates.

Bosch thermostats and smart nutrunners are vulnerable

Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners were found to have multiple security vulnerabilities, potentially enabling attackers to execute arbitrary code. The high-severity flaw in Bosch thermostats (CVE-2023-49722) allowed unauthenticated access, permitting attackers to alter the device firmware, render the device inoperable, or plant a backdoor. Additionally, over two dozen vulnerabilities in Rexroth Nexo cordless nutrunners could disrupt manufacturing operations and result in ransomware infection. The release of patches is expected this month.

SonicWall firewalls exposed to DoS and RCE attacks

Security researchers discovered that more than 178,000 SonicWall NGFW appliances with management interfaces exposed online are vulnerable to potential DoS and RCE attacks. Two DoS security flaws, tracked as CVE-2022-22274 and CVE-2023-0656, affect these appliances. While SonicWall PSIRT says it is not aware of these vulnerabilities being exploited in the wild, the exposure poses a significant risk.

Top Scams Reported in the Last 24 Hours

Crypto scam drains $87 million

The Inferno Drainer operation, active from November 2022 to November 2023, spoofed more than 100 cryptocurrency brands to milk over $87 million from nearly 137,000 victims, warned Group-IB. The drainer-as-a-service model allowed affiliates to create and host phishing websites, with the malware tricking users into connecting their cryptocurrency wallets, authorizing transactions, and draining assets. Criminals created over 16,000 malicious domains in a year.
