Cyware Daily Threat Intelligence
Daily Threat Briefing • Jul 18, 2023
Amid the evolving landscape of ransomware attacks, several notorious ransomware groups have been observed reemerging as new strains, showcasing their adaptability and resilience. NoEscape ransomware is the result of one such effort. Researchers say the ransomware is most probably a successor of the defunct Avaddon ransomware group. It has targeted ten companies worldwide since it emerged last month. Meanwhile, the cybercrime group FIN8 was seen using a variant of the Sardonic backdoor to distribute the Noberus ransomware. The group is known for taking prolonged breaks between attack campaigns to enhance its tactics, techniques, and procedures.
A security hole in a popular WordPress plugin is also under attack to compromise over 157,000 sites. Site owners are strongly advised to update the plugin promptly and conduct scans for suspicious files and accounts to mitigate potential risks.
Human error hits VirusTotal
The popular malware scanning platform, VirusTotal, experienced a security incident in which data pertaining to 5,600 registered customers was exposed. It occurred due to an employee's accidental file upload. The exposed data includes accounts associated with official U.S. entities, such as the Cyber Command, the DoJ, the FBI, and the NSA. It also includes accounts belonging to government agencies from Germany, the Netherlands, Taiwan, and the U.K.
Phishing impacts healthcare entity
Henry Ford Health of Detroit, Michigan, confirmed a data breach affecting 168,000 patients due to an email phishing scheme. The breach occurred due to unauthorized access to business email accounts, which was discovered on March 30, 2023. Patient information might have been accessed, including personal details, lab results, diagnoses, and medical records. Patients are urged to inquire about the incident by calling the Incident Response Line during specific hours.
Dating app exposes millions of records
An unprotected database was found leaking approximately 2.3 million records from multiple dating apps, with a majority of them belonging to 419 Dating - Chat & Flirt. The database contains an extensive collection of user records comprising customer names, account numbers, emails, passwords, and other data. It encompasses over 600 compressed server logs in total. If this information fell into the wrong hands, the affected users could be at risk of spam, phishing attacks, or other malware infections.
Dissecting new Sardonic variant
Symantec's Threat Hunter Team found a new variant of FIN8's Sardonic backdoor used to deliver the Noberus ransomware. In this new version, the group behind Sardonic has reworked most of its code, most likely to avoid detection. The backdoor now uses the C++ standard library and most of the object-oriented features are written in C instead.
Avaddon linked to NoEscape
Strong evidence links the NoEscape ransomware to the obsolete Avaddon group. The encryption algorithms used by NoEscape and Avaddon ransomware are nearly identical, except that NoEscape switched to using the Salsa20 algorithm. Furthermore, sources have confirmed that multiple key members of Avaddon have joined the new ransomware operation.
WooCommerce plugin being abused
Threat actors are actively exploiting a critical vulnerability, CVE-2023-28121, in the popular WooCommerce Payments plugin for WordPress, allowing them to gain administrator privileges on vulnerable sites. The flaw was patched in March 2023, but recent reports indicate widespread exploitation. Over 157,000 sites have been targeted in a massive campaign, with attackers installing backdoors and creating new administrator accounts.
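The briefing's advice to site owners, both in the introduction and here, is to update the plugin and then scan for suspicious accounts and files. The following script is an added example of that post-update check; it is not code from Cyware, WordPress or WooCommerce. It assumes the operator has exported the user list with `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` and has a file listing of the site root; the user records, file paths and the `KNOWN_ADMINS` baseline are constructed sample data, and the "not before" date is set to the patch month named above because the briefing does not give an exact campaign start.

```python
"""Post-patch triage for a WordPress site: flag unexpected administrator accounts
and PHP files dropped under wp-content/uploads (the two indicators the briefing
names: new admin accounts and backdoors). Added example with constructed data."""

import json
from datetime import datetime
from typing import Iterable, List, Set

# Constructed baseline: administrator logins the site owner knows are legitimate.
KNOWN_ADMINS: Set[str] = {"siteowner", "webmaster"}

# Constructed stand-in for the JSON printed by:
#   wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles
SAMPLE_USER_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-05-02 09:14:00", "roles": "administrator"},
    {"ID": 2, "user_login": "webmaster", "user_email": "web@example.com",
     "user_registered": "2022-01-11 13:40:00", "roles": "administrator"},
    {"ID": 3, "user_login": "editor_jane", "user_email": "jane@example.com",
     "user_registered": "2022-06-20 08:00:00", "roles": "editor"},
    # Constructed placeholder for an account nobody on the team created.
    {"ID": 97, "user_login": "svc-backup-tmp", "user_email": "tmp@example.invalid",
     "user_registered": "2023-07-14 03:22:51", "roles": "administrator"},
])

# Constructed file listing; uploads should hold media only.
SAMPLE_PATHS = [
    "wp-content/uploads/2023/07/banner.png",
    "wp-content/uploads/2023/07/invoice.pdf",
    "wp-content/uploads/2023/07/cache.php",      # constructed suspicious entry
    "wp-content/plugins/woocommerce-payments/woocommerce-payments.php",
    "wp-content/uploads/.well-known/index.phtml",  # constructed suspicious entry
]

# Patch month from the briefing; exploitation start is unknown, so tune to taste.
PATCH_MONTH = datetime(2023, 3, 1)


def suspicious_admins(user_list_json: str, known_admins: Set[str],
                      not_before: datetime) -> List[str]:
    """Return logins holding the administrator role that are either absent from the
    baseline or were registered on/after `not_before`. Both conditions matter: an
    attacker can also elevate an old, forgotten account instead of creating one."""
    flagged = []
    for user in json.loads(user_list_json):
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= not_before:
            flagged.append(user["user_login"])
    return flagged


def php_in_uploads(paths: Iterable[str]) -> List[str]:
    """Return paths under wp-content/uploads with an executable PHP extension.
    Case and separator are normalised so Windows listings and mixed-case
    extensions (e.g. .PhP) are not missed."""
    php_ext = (".php", ".phtml", ".php5", ".php7", ".phar")
    hits = []
    for p in paths:
        norm = p.replace("\\", "/").lower()
        if "/wp-content/uploads/" in "/" + norm and norm.endswith(php_ext):
            hits.append(p)
    return hits


def triage_report(user_list_json: str, paths: Iterable[str]) -> dict:
    """Bundle both checks so the result can be fed to a ticket or SIEM."""
    return {
        "unexpected_admins": suspicious_admins(user_list_json, KNOWN_ADMINS, PATCH_MONTH),
        "php_in_uploads": php_in_uploads(paths),
    }


if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_USER_JSON, SAMPLE_PATHS), indent=2))
```

Run it against real exports rather than the constructed samples by replacing `SAMPLE_USER_JSON` with the WP-CLI output and `SAMPLE_PATHS` with a `find` listing; any hit is a lead to investigate, not proof of compromise, so compare against change tickets and the web server's access log before removing anything.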