Cyware Daily Threat Intelligence

Daily Threat Briefing • Jul 10, 2023
A new ransomware strain, along with its two variants, has been identified in the wild, mainly targeting gullible consumers. Named Big Head, the strain has been analyzed by researchers who shared in-depth details of the variants' routines, their differences, and their potential impact. Also, a notorious Iranian state-sponsored threat group was found posing as nuclear experts from the U.S. and approaching targets about drafts on foreign policy subjects. The intention, however, was to infect Windows and Mac systems with GorjolEcho and NokNok malware, respectively.
Moving on. A NATO summit is due on July 11-12 and cybercriminals are not cool about it. They have initiated an infection campaign aimed at harassing Ukrainian politicians and other foreign entities and individuals taking part in the summit.
Operations suffered at Italian healthcare firm
The Luigi Vanvitelli Health Institute in Naples, Italy, fell victim to a ransomware attack that locked down its computer systems and brought the polyclinic's operations to a standstill. While assessments are underway to define the scope of the attack, one hypothesis is that Chinese attackers could be involved in the incident. The experts did not come across a clear ransom demand; however, they discovered a basic email address, possibly provided for communicating with the attackers.
Multichain hacked, phishing follows
Cybercriminals managed to transfer approximately $125 million worth of Multichain assets to different wallets. While the investigation is ongoing, officials have asked users to revoke all contract approvals related to Multichain. Meanwhile, scammers were seen swiftly circulating a phishing link on Twitter that posed as an FTM emergency fund distribution scheme for the victims.
Century-old Colorado firm attacked
Gates Corporation, a Denver-based manufacturer of transmission belts and fluid power products, experienced a ransomware attack that resulted in the exposure of HR documents containing sensitive employee data. Impacted data include names, addresses, dates of birth, SSNs, direct deposit information, driver’s licenses, and passport details. The incident concerns over 11,000 individuals.
Thousands impacted at California law firm
The Law Foundation of Silicon Valley, a pro bono Californian law firm, was subjected to a ransomware attack that resulted in the exposure of personal information belonging to over 42,000 clients, staff, and others. Leaked data contained medical records, immigration numbers, financial data, payment card information, passports or other government IDs, taxpayer identification numbers, and more.
Serious breach allegations
An individual going by the moniker 'Nationalist' claimed to have obtained purportedly stolen data from Razer Inc., a tech firm based in the U.S. and Singapore. It is estimated that the hacker could possess a range of the company’s sensitive information, including source code, encryption keys, database access credentials, and backend access credentials. The seller claimed to have 404,000 accounts, but this could not be verified.
Millions of passport holders at risk
A cybercriminal was observed offering sensitive data related to around 35 million Indonesian passport holders on the dark web for a price of $10,000. Packed in a 4GB folder, the data at risk include victims’ full names, birthdates, gender, passport numbers, and passport validity dates. An Indonesian security researcher said the data looks valid and the timestamps range from 2009 to 2020.
APT42’s Windows and Mac malware
Security researchers uncovered a new campaign by Charming Kitten (APT42) targeting Windows and macOS systems using different malware payloads. A new type of malware called NokNok is used specifically against macOS systems. For Windows, the adversaries leverage PowerShell code and an LNK file to drop the GorjolEcho backdoor from a cloud hosting provider. For macOS, they drop the NokNok backdoor via a ZIP file impersonating a Royal United Services Institute (RUSI) VPN app.
Malvertising of Big Head ransomware
A newly discovered ransomware strain dubbed Big Head is spreading through malvertising that promotes fake Windows updates and Microsoft Word installers, warned Trend Micro. Built as a .NET binary, the ransomware deploys three AES-encrypted files on the targeted system: one for spreading the malware, another for communicating with a Telegram bot, and the third for encrypting files. The third file can additionally deceive the user by displaying a fake Windows update.
TOITOIN - a potential trojan
Businesses in the Latin American region are facing a new threat from a sophisticated malicious campaign distributing the TOITOIN trojan. Zscaler ThreatLabz, who detected the threat, disclosed that the attackers use a custom XOR decryption technique to decode the trojan's configuration file. They employ a set of specially developed modules to extend the trojan’s capabilities. Moreover, the campaign uses Amazon EC2 instances to evade domain-based detections.
RomCom RAT used in NATO-themed campaign
BlackBerry's research team has reported a phishing campaign targeting the upcoming NATO Summit in Vilnius as well as an organization supporting Ukraine abroad. Security experts believe this could be a rebranded RomCom RAT operation. The execution chain also involves abuse of the Follina bug, CVE-2022-30190. The summit is scheduled for July 11-12.
Multiple bugs in PiiGAB products
Researchers reported nine types of vulnerabilities in PiiGAB’s M-Bus 900s gateways, which are deployed across the global energy infrastructure sector. They include code injection, missing rate limiting on login attempts, hardcoded and plaintext credentials, weak passwords, XSS, and CSRF issues. A Shodan search revealed over 600 exposed instances of such devices. An attacker could exploit the flaws for RCE or brute-force attacks, and could also gain elevated privileges.