Cyware Daily Threat Intelligence

Daily Threat Briefing • Jun 30, 2023
Beware as ransomware actors continue to grab headlines! On one hand, the notorious BlackCat ransomware group has been observed propagating via malvertising campaigns; on the other, Taiwan Semiconductor Manufacturing Company is reportedly facing a ransom demand of $70 million from the LockBit ransomware group. Additionally, LockBit ransomware was found to lead in activity, with the highest number of identified victims compared to other ransomware groups, followed by the Cl0p, BlackCat/ALPHV, Royal, and Play ransomware groups.
Wanna learn about the critical security weaknesses that require your immediate attention? MITRE has published a list of the top 25 most dangerous weaknesses that have been plaguing software over the past two years.
Over a million NHS victims
The National Health Service (NHS) suffered a breach impacting the sensitive personal information of about 1.1 million patients, including trauma patients and victims of terrorism. The attack originally targeted the University of Manchester, which led to the NHS leak. The incident also compromised student and alumni information, including personal details and demographic data. The university's backup servers were accessed by criminals; however, their identity remains unknown at this time.
Russian satellite telecom provider targeted
An attacker group on Telegram claimed to have targeted Dozor-Teleport, a satellite telecommunications provider that serves various entities, including power lines, oil fields, Russian military units, and the Federal Security Service (FSB). Allegedly, the criminals defaced four different Russian websites. These defacements featured messages expressing support for the Wagner private military company, a Russian mercenary group that had lately challenged the power of the Russian president.
LockBit asks $70 million from TSMC
The LockBit ransomware group has made claims of hacking into Taiwan Semiconductor Manufacturing Company (TSMC) and demanding $70 million in ransom. Meanwhile, TSMC has confirmed that one of its IT hardware suppliers, Kinmax Technology, was hit by a cyberattack that compromised data related to initial server setup and configuration.
MuddyWater’s new weapon: PhonyC2
Security experts linked a newly discovered command-and-control (C2) framework named PhonyC2 to MuddyWater, an Iranian Advanced Persistent Threat (APT) group. Further investigation has revealed additional connections between the Python 3-based program, PhonyC2, and other cyberattacks attributed to MuddyWater. In fact, these links were part of the continuous exploitation of PaperCut servers.
Malvertising leads to BlackCat infections
Trend Micro researchers have identified a malvertising campaign that distributes BlackCat ransomware. Adversaries create cloned webpages resembling those of legitimate organizations, including the open-source file transfer app WinSCP. Additionally, the criminals used SpyBoy, a tool that tampers with the protective measures implemented by security agents.
Iran-based actor upgrades backdoor
Iranian threat actor Charming Kitten introduced a new version of its PowerStar backdoor malware. The latest iteration of the backdoor features enhanced operational security measures, making the malware even more challenging to analyze and gather intelligence on. The updated malware uses the InterPlanetary File System (IPFS) and publicly accessible cloud hosting for its decryption function and configuration details.
LockBit is the most active and successful
According to an Acronis report, the LockBit ransomware gang has emerged as the most active group, with the highest share of identified victims (49%) from January to May 2023. Notably, the group has also developed encryptors that specifically target macOS systems. The list is followed by the Cl0p (19%), BlackCat/ALPHV (13%), Royal (12%), and Play (7%) ransomware groups.
High-severity bugs in SAP
Fabian Hagg, a researcher at SEC Consult, uncovered critical bugs in SAP products that use the SAP Application Server for ABAP component, including SAP for Oil & Gas, SAP for Utilities, and SAP ERP Central Component, among others. The reported vulnerabilities are identified as CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014. While each vulnerability poses a certain level of threat on its own, when chained they open the possibility of automated exploitation.
Top 25 software issues
MITRE rolled out its annual list of the top 25 most dangerous software weaknesses that have been prevalent over the past two years. These weaknesses pose significant risks, from allowing attackers to take over compromised systems and steal sensitive data to disrupting the normal functioning of applications. Through this, MITRE aims to warn the broader community about the most critical software security weaknesses that demand immediate attention.