
Cyware Daily Threat Intelligence


Daily Threat Briefing Jan 22, 2024

Cybercriminals continue to innovate their tactics, and this time it is the 3AM ransomware group's turn: it has launched an extortion scheme on X (formerly Twitter), using bots to name and shame victims to their own followers. Furthermore, an analysis suggests that 3AM is associated with the infamous Conti actors. In a separate report, researchers found adversaries increasingly exploiting an Apache ActiveMQ bug to deploy the Godzilla web shell. The flaw exposes victims to myriad follow-on risks, including ransomware, rootkit deployment, cryptomining, and DDoS attacks.

Another bug under attack is a zero-day! A Chinese APT group has been observed exploiting a VMware vCenter Server flaw since late 2021. The group used malicious vSphere Installation Bundles to install backdoors and harvested credentials from unpatched vCenter Servers.

Top Breaches Reported in the Last 24 Hours

Finnish firm hit by Akira group

Finnish IT services and enterprise cloud hosting provider Tietoevry suffered a ransomware attack affecting one of its data centers in Sweden. The attack, allegedly carried out by the Akira ransomware gang, caused outages for multiple customers, including Filmstaden, Rusta, Moelven, Granngården, and the managed payroll and HR system Primula. Several Swedish universities, colleges, government agencies, and municipalities are also experiencing disruptions.

Threat to leak 55 million citizens' data

An attacker, operating under the alias "9Near – Hacktivist," threatened to expose the personal information of 55 million Thai citizens, allegedly obtained from vaccine registration records. The hacker claims to have accessed personal details, including full names, birthdates, ID card numbers, and phone numbers. Separately, a threat actor known as Naraka has also been found circulating large amounts of personal information on the dark web, affecting over 160,000 users.

Three U.K. councils face cyberattack

Three councils in England, Canterbury, Dover, and Thanet, have fallen victim to a cyberattack that forced them to take down multiple online services. The incident appears to be a single attack affecting all three councils, which outsource their IT and HR services to Civica through the East Kent Services partnership, whose website is currently down. Civica, which delivers various services for the councils, says the incident did not originate in any of its systems.

LockBit ransomware targets Subway

The LockBit ransomware group infiltrated the networks of the American multinational fast-food chain Subway. The threat actors claim to have stolen hundreds of gigabytes of sensitive data, including employee salaries, franchise royalty payments, master franchise commission payments, restaurant turnovers, and more. LockBit has threatened to leak the stolen data on February 2, 2024, if Subway does not respond.

Money Message stole 600GB data from hospital

The Money Message ransomware group claimed responsibility for a Christmas Day attack on Anna Jaques Hospital (AJH) in Massachusetts. The group stated that it stole 600GB of information from AJH, including data related to its parent network, Beth Israel Lahey Health. AJH confirmed the cybersecurity incident on January 5, noting that its electronic health records system was knocked offline and that ambulances had to be diverted on Christmas Day.

Top Malware Reported in the Last 24 Hours

SmokeLoader hits Ukrainian entities

ASEC identified multiple instances of SmokeLoader malware being distributed to Ukrainian government entities and companies. Targets include the justice department, public institutions, insurance companies, medical institutions, construction companies, and manufacturing companies. The attack uses phishing emails with a Ukrainian-language invoice lure that prompts recipients to open a PDF file, which in turn delivers SmokeLoader.

3AM ransomware connected to Conti

Investigations revealed connections between the 3AM ransomware operation and the Conti and Royal syndicates. Experts at French cybersecurity company Intrinsec spotted significant overlaps in communication channels, infrastructure, and tactics between 3AM and the Conti group. Additionally, 3AM has tested a new extortion tactic: it shares news of a data leak with the victim's social media followers and uses bots to reply to high-profile accounts on X with messages pointing to the leaked data.

Top Vulnerabilities Reported in the Last 24 Hours

Apache ActiveMQ bug exploited

Security researchers warned of a significant increase in cybercriminal activity exploiting a now-patched vulnerability (CVE-2023-46604) in Apache ActiveMQ. The flaw allows remote code execution (RCE) and has been actively exploited since its public disclosure in late October 2023. The attackers deploy a JSP-based web shell named Godzilla, wrapped in an unknown binary format to evade signature-based scanners. Godzilla is a feature-rich backdoor that gives the threat actors complete control over the compromised host.
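Because the bug is fixed only in specific maintenance releases, the first practical check is whether each broker in an inventory is still on an affected build. The script below is an added example (not code from Cyware or the Apache ActiveMQ project); the fixed versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3 are those listed in the Apache advisory for CVE-2023-46604, and the hostnames, version strings and the `needs_cve_2023_46604_fix` / `brokers_needing_patch` helpers are assumptions made for the demo.

```python
# Added example (not code from Cyware or the Apache ActiveMQ project): triage
# an inventory of ActiveMQ brokers against CVE-2023-46604.
# The fixed versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) come from the Apache
# advisory; everything older on the 5.x line is affected, and 6.x shipped
# after the fix. Version strings are assumed to look like "5.17.3" (an
# optional suffix such as "-SNAPSHOT" is ignored).
import re

# lowest fixed release per maintained 5.x branch
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(text):
    """Turn '5.17.3' (or '5.17.3-SNAPSHOT') into the tuple (5, 17, 3)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return tuple(int(part) for part in m.groups())


def needs_cve_2023_46604_fix(version):
    """True if this broker version still contains the CVE-2023-46604 bug."""
    v = parse_version(version)
    if v >= (6, 0, 0):
        return False  # 6.x was cut after the fix landed
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # 5.14 and earlier (and anything before 5.x) never received a patch; the
    # advisory's "before 5.15.16" covers them. No 5.x branch newer than 5.18
    # exists, so anything else falling through here is treated as not affected.
    return branch < (5, 15)


def brokers_needing_patch(inventory):
    """Filter a {host: version} mapping down to the hosts that still need the fix."""
    return sorted(host for host, ver in inventory.items()
                  if needs_cve_2023_46604_fix(ver))


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "mq-prod-01": "5.18.2",
    "mq-prod-02": "5.18.3",
    "mq-legacy-01": "5.15.9",
    "mq-legacy-02": "5.14.5",
    "mq-new-01": "6.0.1",
}

if __name__ == "__main__":
    for host in brokers_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: ActiveMQ {SAMPLE_INVENTORY[host]} is affected by CVE-2023-46604")
```

On a real estate the inventory would come from the broker's `activemq --version` output or the admin console rather than a literal dict; note that an unpatched broker on an end-of-life branch (5.14 and earlier here) has no fixed release to move to and must be upgraded to a maintained branch.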

Chinese APT abuses VMware zero day

Researchers from Mandiant reported that the China-linked group UNC3886 has been exploiting a zero-day vulnerability, CVE-2023-34048, in VMware vCenter Server since late 2021. VMware fixed the critical out-of-bounds write vulnerability in October 2023 and, as of January 18, 2024, acknowledges exploitation in the wild. The group used sophisticated techniques against vCenter systems: the exploit crashed the vmdird service, and the attackers removed the resulting core dumps to cover their tracks.
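The anti-forensics detail above gives defenders a concrete hunt: a vmdird crash that left no core dump behind. The following script is an added example (not Mandiant's, VMware's or Cyware's code) that correlates crash events with the core files present; the log line format in `SAMPLE_LOG`, the `/var/core` path, the `vmon:` prefix and the `crashes_without_core` / `list_core_dumps` helpers are all assumptions made for the demo, and real vCenter logs will need their own regex.

```python
# Added example (not Mandiant's, VMware's or Cyware's code): look for the
# anti-forensics pattern described above, a vmdird crash with no matching
# core dump left behind.
# Assumptions: the service-monitor log lines follow the constructed format
# used in SAMPLE_LOG below (real vCenter logs differ), and core dumps are
# represented as (path, modification time) pairs such as list_core_dumps()
# builds from a directory like /var/core.
import os
import re
from datetime import datetime, timedelta, timezone

CRASH_RE = re.compile(r"^(\S+) \S+ vmon: service vmdird exited unexpectedly")


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2023-11-03T02:14:07Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vmdird_crash_times(log_lines):
    """Timestamps of every vmdird crash recorded in the monitor log."""
    times = []
    for line in log_lines:
        m = CRASH_RE.match(line)
        if m:
            times.append(parse_ts(m.group(1)))
    return times


def list_core_dumps(core_dir):
    """(path, mtime) for each file in core_dir; for use on a live appliance."""
    dumps = []
    for entry in os.scandir(core_dir):
        if entry.is_file():
            mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
            dumps.append((entry.path, mtime))
    return dumps


def crashes_without_core(log_lines, core_dumps, window=timedelta(minutes=10)):
    """Crash times with no vmdird core dump written within `window` of them.

    A crash that left no core is the tell: either dumps are disabled, or
    someone deleted the evidence after an exploit attempt.
    """
    vmdird_cores = [mtime for path, mtime in core_dumps
                    if "vmdird" in os.path.basename(path)]
    return [
        t for t in vmdird_crash_times(log_lines)
        if not any(abs(mtime - t) <= window for mtime in vmdird_cores)
    ]


# Constructed sample data (not real vCenter output): two crashes, the second
# of which has no core dump for vmdird.
SAMPLE_LOG = [
    "2023-11-03T02:14:07Z vcsa vmon: service vmdird exited unexpectedly (signal 11)",
    "2023-11-03T02:14:09Z vcsa vmon: service vmdird restarted",
    "2023-12-19T23:41:52Z vcsa vmon: service vmdird exited unexpectedly (signal 11)",
    "2023-12-19T23:41:55Z vcsa vmon: service vmdird restarted",
]
SAMPLE_CORES = [
    ("/var/core/core.vmdird.4121", parse_ts("2023-11-03T02:14:08Z")),
    ("/var/core/core.vpxd.9902", parse_ts("2023-12-19T23:41:53Z")),  # a different service
]

if __name__ == "__main__":
    for t in crashes_without_core(SAMPLE_LOG, SAMPLE_CORES):
        print(f"vmdird crashed at {t.isoformat()} but no core dump remains; investigate")
```

Run on a real appliance, the crash list would come from the actual vmdird or service-monitor log and the core list from `list_core_dumps("/var/core")`; a hit is a reason to pull the rest of the logs and check the vCenter build against the October 2023 fix, since a deleted core dump is exactly what the report describes.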
