
Cyware Daily Threat Intelligence


Daily Threat Briefing Jun 2, 2023

The maker of MOVEit Transfer is alerting customers about the active exploitation of a critical security vulnerability in its software. The flaw could lead to privilege escalation and potential unauthorized access to the environment. Meanwhile, a group of researchers has uncovered a striking pattern for QBot malware - approximately 25% of its Command-and-Control (C2) servers remain active for only a single day. Also, Spanish-speaking users in Latin America are the target of a unique attack campaign that drops the Horabot botnet.

In other news, security researchers discovered a novel technique that makes the PyPI repository vulnerable to supply chain attacks. The attack relies on compiled Python code to avoid detection.

Top Breaches Reported in the Last 24 Hours

Healthcare breach affects 2.5 million

A ransomware attack crippled the systems of Harvard Pilgrim Health Care (HPHC) and stole the sensitive data of 2,550,922 individuals. The investigation revealed that the data was illicitly copied and extracted from the Harvard Pilgrim systems between March 28, 2023, and April 17, 2023. The impacted data includes health insurance account information, SSNs, provider taxpayer identification numbers, and other critical clinical information.

Job seekers’ data at risk

Prosperix, formerly Crowdstaffing, left approximately 250,000 files exposed to the internet via a misconfigured Amazon AWS bucket. The incident affected the PII of job seekers, such as full names, dates of birth, occupation history, home addresses, phone numbers, and email addresses. Some medical records, including urine tests and vaccination data, were also leaked.

Ransomware targets educational infrastructure

Middlesex County Public Schools, Virginia, officially confirmed suffering a ransomware attack recently. According to security experts, the Akira ransomware group was behind the attack and allegedly stole 543 GB of data from the website. Officials said the impact on the district's infrastructure, which serves 121 instructional staff, 64 support staff, and 1,220 students, was minimal.

Top Malware Reported in the Last 24 Hours

Hackers abusing zero-day

Organizations are currently facing active exploitation of a zero-day vulnerability in the MOVEit Transfer file transfer software that could result in data theft by malicious hackers. In response to the threat, admins are advised to inspect the 'c:\MOVEit Transfer\wwwroot' folder for any unexpected files, such as backups or large file downloads, and to block external traffic to ports 80 and 443 on the MOVEit Transfer server.

Identifying patterns of QBot

A report by Lumen Black Lotus Labs analyzed the activities of QBot malware operators and revealed that while 25% of its C2 servers are active for only a day, roughly 50% of the servers stay live for no more than a week. Characterized as both evasive and persistent, the malware that started off as a banking trojan has evolved into a multifaceted threat by incorporating additional functionality.

Horabot - New botnet attack

Cisco Talos uncovered a new operation called Horabot, believed to be run by a threat actor based in Brazil, that has targeted Spanish-speaking users in Latin America since at least 2020. The criminals send tax-themed phishing emails to potential victims containing an HTML attachment disguised as a payment receipt. The trojan used in the Horabot operation enables the attackers to compromise users’ email accounts across multiple email providers.

Top Vulnerabilities Reported in the Last 24 Hours

New threat to PyPI

While investigating an ongoing malware attack, the ReversingLabs team discovered a new technique that employed compiled Python code to evade detection. This attack is noteworthy because it potentially represents the first supply chain attack exploiting the direct execution capability of Python byte code (PYC) files. Furthermore, since most security tools only scan Python source code (PY) files, they may overlook this type of attack.
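The detection gap described above is that scanners look at .py files and skip .pyc files that have no corresponding source. The following added example (not from ReversingLabs or the briefing) walks a package tree, flags every .pyc with no .py it could have been compiled from, checks the header magic, and pulls printable strings from the raw bytes without unmarshalling the code object; the fixture it scans is constructed inline and the URL in it is a placeholder.

```python
import importlib.util
import py_compile
import re
import tempfile
from pathlib import Path

def source_candidates(pyc: Path) -> list[Path]:
    # __pycache__/name.cpython-XY.pyc is normally compiled from ../name.py; a bare name.pyc sits beside name.py
    stem = pyc.name.split(".")[0]
    cands = [pyc.with_name(stem + ".py")]
    if pyc.parent.name == "__pycache__":
        cands.append(pyc.parent.parent / (stem + ".py"))
    return cands

def printable_strings(data: bytes, minlen: int = 6) -> list[str]:
    # marshal writes ASCII constants verbatim, so a strings-style sweep surfaces URLs,
    # paths and command names without unmarshalling (unsafe on untrusted input)
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data)]

def scan_tree(root: Path) -> list[dict]:
    findings = []
    for pyc in sorted(root.rglob("*.pyc")):
        data = pyc.read_bytes()
        findings.append({
            "path": pyc.relative_to(root).as_posix(),
            # first 4 header bytes are the interpreter magic the file was built for
            "magic_ok": data[:4] == importlib.util.MAGIC_NUMBER,
            "orphan": not any(c.exists() for c in source_candidates(pyc)),
            "strings": printable_strings(data),
        })
    return findings

def build_sample(root: Path) -> None:
    # constructed fixture: a normally cached module plus a source-less .pyc
    pkg = root / "pkg"
    pkg.mkdir()
    (pkg / "good.py").write_text("def helper():\n    return 1\n")
    py_compile.compile(str(pkg / "good.py"), cfile=str(pkg / "__pycache__" / "good.cpython-3xx.pyc"))
    (pkg / "loader.py").write_text("import urllib.request\nURL = 'http://example.invalid/stage2'\n")
    py_compile.compile(str(pkg / "loader.py"), cfile=str(pkg / "loader.pyc"))
    (pkg / "loader.py").unlink()  # ship only the byte code, as the reported campaign did

def run_demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        return scan_tree(Path(tmp))
```

An orphan .pyc is a triage signal, not proof of malice; the strings it yields are what to compare against known-bad indicators or pass on for sandboxed analysis.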

Top Scams Reported in the Last 24 Hours

Impersonation scam by Chinese group

PostalFurious, a Chinese phishing group, has reportedly expanded its operations to target the Middle East. In a fresh series of scams, the group sends malicious iMessages and phishing texts to citizens in the UAE and directs them to pay a vehicle toll to avoid additional fines. Victims falling for this may lose their personal information and credit card data to adversaries.
