Cyware Daily Threat Intelligence


Daily Threat Briefing July 24, 2023

In case you were wondering how big the impact of the MOVEit hack could be: security experts estimate that the Cl0p ransomware group may make as much as $100 million as the number of confirmed victims approaches 400. In an attempt to pressure victims, the group recently adopted a tactic from the BlackCat gang, but it was short-lived. The gang set up separate clearweb sites for five companies affected by the MOVEit hack; those sites have since been taken offline, and the reason remains unknown.

In other threats, researchers revealed that roughly 32,000 Citrix appliances remain vulnerable to a recently disclosed zero-day RCE flaw. Last week, CISA highlighted the associated risk in an advisory on the exploitation of the flaw against a critical infrastructure organization.


Top Breaches Reported in the Last 24 Hours

Banks suffer supply chain attacks

In the first half of 2023, the banking sector was explicitly targeted by two distinct open-source software (OSS) supply chain attacks that enabled attackers to stealthily overlay the banking sites. Both attacks used packages published to the NPM registry to deliver the malicious code, and the attackers posed as bank employees to avoid suspicion.

Cl0p ransomware adopts new extortion tactic

In a new move, the Cl0p ransomware gang adopted the BlackCat gang's extortion tactic of creating clearweb websites to leak data stolen from victims of the infamous MOVEit Transfer hack. The first site, for PwC, released the stolen data in four ZIP archives; four more sites followed for Aon, EY, Kirkland, and TD Ameritrade. Because these extortion sites were hosted directly on the open internet rather than on the Tor leak sites ransomware gangs typically use, they were far easier to take down, and all have since gone offline. Who took them down, and why, is unclear.

More updates on the MOVEit hack

A report from Coveware estimates that the MOVEit campaign may end up directly impacting over 1,000 companies and that Cl0p may earn up to $100 million, as the number of confirmed victim organizations approaches 400. According to Emsisoft, more than 20 million individuals have been affected by the incident. Meanwhile, the U.K. branch of DHL is investigating a data breach that it believes is related to the MOVEit hack.

Top Vulnerabilities Reported in the Last 24 Hours

RCE flaw in OpenSSH fixed

A remote code execution flaw in OpenSSH's ssh-agent, tracked as CVE-2023-38408, lies in the agent's PKCS#11 support and is reachable through agent forwarding: an attacker who controls a host to which a user's ssh-agent is forwarded can, under specific conditions, cause shared libraries on the user's workstation to be loaded and unloaded, and thereby run arbitrary code on that workstation. The vulnerability affects all OpenSSH versions prior to 9.3p2, which is the release that fixes it.
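The precondition for CVE-2023-38408 is an agent forwarded to a host the attacker controls, so beyond upgrading, a practitioner will want to find out where ForwardAgent is enabled. The following is an added example, not code from the briefing or from the OpenSSH project: a small POSIX shell audit that reads an ssh_config-style file and reports every Host block that turns agent forwarding on. The config text is constructed for the example; the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example (not from the briefing): find Host blocks in an ssh_config that
# enable agent forwarding, the setting CVE-2023-38408 depends on.
# Hardened alternative, shown in the sample below: ForwardAgent no everywhere,
# and ProxyJump to reach internal hosts through a bastion without exposing
# the agent to the bastion.

# Constructed sample config (not a real user's file). The "Host *" block is the
# weak setting; the bastion and internal-db blocks show the corrected pattern.
SAMPLE_CONFIG=$(cat <<'EOF'
# weak: forwards the agent to every host, including ones we do not trust
Host *
    ForwardAgent yes

# corrected: never hand the agent to the bastion ...
Host bastion
    HostName bastion.example.com
    ForwardAgent no

# ... and hop through it with ProxyJump instead of forwarding
Host internal-db
    HostName 10.0.0.5
    ProxyJump bastion
EOF
)

# audit_forward_agent FILE
# Prints the pattern list of each Host block whose ForwardAgent is "yes".
# Keywords are case-insensitive in ssh_config, so they are lowercased here.
# Caveat: the "Keyword=value" spelling and Match blocks are not handled; for
# the effective value on a real machine use `ssh -G hostname | grep forwardagent`.
audit_forward_agent() {
    awk '
        /^[ \t]*#/ { next }                          # skip comments
        tolower($1) == "host" {                      # start of a new block
            host = ""
            for (i = 2; i <= NF; i++) host = host (i > 2 ? " " : "") $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# audit_sample
# Writes the constructed config to a temp file and runs the audit on it.
audit_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    audit_forward_agent "$tmp"
    rm -f "$tmp"
}

audit_sample    # prints: *
```

Run it against a real file with `audit_forward_agent ~/.ssh/config` (and `/etc/ssh/ssh_config`); any pattern it prints is a set of hosts to which a compromised server could reach back through the agent. Replacing those with `ForwardAgent no` plus `ProxyJump` keeps the hop-through workflow without ever exposing the agent socket to the intermediate host.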

Citrix ADC zero-day flaw exploited in wild

Bishop Fox revealed a new way to exploit the recently disclosed Citrix ADC zero-day vulnerability (CVE-2023-3519) and claimed that roughly 32,000 appliances remain vulnerable. Last week, CISA warned that the flaw has been exploited in the wild since June 2023. The now-patched flaw allows unauthenticated remote code execution on vulnerable appliances that are configured as a gateway or as an AAA virtual server.

Atlassian patches flaws

Atlassian released security patches for remote code execution flaws in Confluence Data Center and Server and in Bamboo Data Center. The most severe, tracked as CVE-2023-22508, was introduced in Confluence version 7.4.0 and has a CVSS score of 8.5. A second Confluence RCE flaw is tracked as CVE-2023-22505, and a separate flaw affects Bamboo Data Center. The Confluence flaws are addressed in versions 8.3.2 and 8.4.0, and the Bamboo flaw in Bamboo Data Center versions 9.2.3 and 9.3.1.
