Cyware Daily Threat Intelligence


Daily Threat Briefing January 19, 2024

Google researchers exposed an espionage campaign, orchestrated by Russian state actors, targeting NATO countries and Ukraine with the SPICA backdoor. The attackers have been distributing seemingly benign files to high-profile targets since November 2022. With last year's software supply chain attacks still fresh in memory, newly reported misconfigurations in the build setup of TensorFlow, the open-source machine learning framework, add to that concern. As organizations increasingly embrace automation, safeguarding against such mishaps should take center stage.

Can you check whether you have a publicly exposed and poorly protected PostgreSQL or MySQL database? Data wipers are back, and they might want to say 'hello!' A wipe can occur within hours of a database being exposed to the internet, and a ransom is demanded if you want your data back unharmed.

Top Breaches Reported in the Last 24 Hours

Energy producer faces $1.5 million loss

Canadian energy producer Clearview Resources Ltd suffered a $1.5 million financial setback due to a cyberattack. The attack exploited a compromised internal email address, redirecting funds to a third-party account. The firm admitted that the nature of the cybersecurity incident might hinder the complete retrieval of stolen funds.

Network disrupted at U.S. university

Kansas State University (K-State) reported a cyberattack that disrupted various network systems, including VPN, K-State Today emails, and video services on Canvas and Mediasite. Impacted systems were pulled offline. Students and staff are advised to remain vigilant for suspicious activity.

Breach exposes sensitive healthcare information

Cooper Aerobics, comprising Cooper Clinic, P.A., Cooper Medical Imaging, LLP, and Cooper Aerobics Enterprises, Inc., reported a data breach, impacting nearly 90,000 customer accounts. The incident potentially exposed a range of sensitive information, including names, addresses, financial details, Social Security numbers, and health-related data.

Exposed databases being wiped for ransom

A malicious bot is autonomously targeting publicly exposed PostgreSQL and MySQL databases with weak passwords, swiftly deleting data, and leaving ransom notes. The bot, of unknown origin, allegedly breaches databases within hours of their exposure to the internet. Victims are then blackmailed into paying a fee to regain access to their data. So far, the criminals have tricked some victims into paying over $3,000 in one week.

Millions of customer records compromised

VF Corp., the parent company of popular brands like Vans, Supreme, and The North Face, revealed that 35.5 million customers were impacted during a December cyberattack that compromised their data. While specific details about the stolen data were not provided, VF Corp. stated that it doesn't retain consumer SSNs, bank account information, or payment card details for its consumer businesses.

Top Malware Reported in the Last 24 Hours

Russian attackers use SPICA backdoor

Google's TAG took the wraps off a sophisticated espionage campaign, named COLDRIVER, orchestrated by Russian state adversaries from Center 18. Focused on NATO countries and Ukraine, the attackers infect victims with a backdoor named SPICA, delivered through seemingly benign files. When victims open these files, seemingly encrypted text prompts them to use a provided link for decryption. However, this "decryption utility" is, in fact, the SPICA backdoor, granting the attackers access to the victim's machine.

Malicious npm package deploys advanced trojan

A malicious npm package named ‘oscompatible’ was discovered deploying a sophisticated RAT on compromised Windows machines. The package included binaries, a DLL, and an encrypted DAT file. Upon execution on a Windows system, the RAT establishes connections with a command-and-control server, retrieves a ZIP archive containing AnyDesk and a RAT, and performs various malicious actions, including capturing keyboard and mouse events.

Top Vulnerabilities Reported in the Last 24 Hours

TensorFlow faces supply chain risk

Misconfigurations in TensorFlow's continuous integration and continuous delivery (CI/CD) process pose a risk of supply chain attacks, according to researchers at Praetorian. The misconfigurations allow an attacker to compromise TensorFlow releases on GitHub and PyPI by manipulating TensorFlow's build agents through a malicious pull request. This could result in uploading malicious releases, gaining remote code execution on the build agents, and accessing GitHub Personal Access Tokens.
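The report above turns on a pull request being able to drive code onto a project's own build agents. The script below, added here as an example and not Praetorian's tooling or TensorFlow's actual workflows, shows a weak GitHub Actions workflow beside a hardened one and a heuristic audit that flags the general hardening rules a reviewer would apply: untrusted pull-request code landing on a self-hosted (long-lived) runner, `pull_request_target` combined with a checkout of the PR head, secrets in reach of a fork-triggered job, and a missing top-level `permissions` block. Both workflow texts are constructed, the checks are line-oriented regexes rather than a YAML parser, and they describe common risk patterns, not the specific findings in the report.

```python
"""Heuristic audit of GitHub Actions workflow text for patterns that let a
pull request run untrusted code on a project's own build agents with secrets
in reach. Added example for this briefing; both workflows are constructed."""
import re

# Constructed weak workflow: fork PRs run with base-repo secrets on a
# long-lived self-hosted runner, checking out the PR author's code.
RISKY_WORKFLOW = """
name: build
on:
  pull_request_target:
    branches: [main]
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./ci/build.sh
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
"""

# Constructed hardened workflow: plain pull_request trigger (GitHub withholds
# secrets from fork PRs), ephemeral GitHub-hosted runner, read-only token.
HARDENED_WORKFLOW = """
name: build
on:
  pull_request:
    branches: [main]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./ci/build.sh
"""


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file's text (regex heuristics)."""
    pr_target = re.search(r"^\s*pull_request_target\s*:", text, re.M) is not None
    pr_plain = re.search(r"^\s*pull_request\s*:", text, re.M) is not None
    self_hosted = re.search(r"^\s*runs-on\s*:.*self-hosted", text, re.M) is not None
    head_checkout = re.search(
        r"ref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.", text) is not None
    uses_secrets = "secrets." in text
    top_permissions = re.search(r"^permissions\s*:", text, re.M) is not None

    findings = []
    if pr_target and head_checkout:
        findings.append("pull_request_target checks out the PR head: untrusted code "
                        "runs in the base repository's trust context")
    if self_hosted and (pr_target or pr_plain):
        findings.append("pull-request builds run on a self-hosted runner: a long-lived "
                        "agent keeps state between jobs and its tokens are exposed")
    if uses_secrets and pr_target:
        findings.append("secrets are referenced in a workflow a fork PR can trigger")
    if not top_permissions:
        findings.append("no top-level permissions block: GITHUB_TOKEN may carry "
                        "write scopes by default")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {audit_workflow(wf) or ['no findings']}")
```

Point the function at each file under `.github/workflows/` to get a first pass; it intentionally errs toward flagging, so a `self-hosted` label on a job that only runs on `push` to a protected branch is still worth a manual look rather than an automatic pass.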

CISA flags actively exploited Ivanti flaw

CISA added CVE-2023-35082, impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core, to its KEV catalog. The already-patched flaw allows an attacker to bypass authentication, potentially enabling access to users' PII and authorizing limited server changes. Such vulnerabilities pose significant risks to the federal enterprise, said experts.

Top Scams Reported in the Last 24 Hours

Social engineering scams hit hospital help desks

The American Hospital Association issued a warning about threat actors calling hospital IT help desks and coaxing answers to security questions (of patients) out of billing employees. Using previously stolen personal information of patients, they request password resets and new device enrollments, bypassing MFA. The compromised email accounts are then used to alter payment instructions with payment processors, diverting legitimate payments to fraudulent U.S. bank accounts.
