Cyware Daily Threat Intelligence

Daily Threat Briefing • May 8, 2023
The stealth with which ransomware operations run today is highly intimidating to businesses, and researchers have uncovered two more such threats. The first, Akira, has allegedly claimed 16 victims across industry verticals including education, finance, real estate, manufacturing, and consulting. The second, an operation dubbed Cactus, was spotted exploiting vulnerabilities in VPN appliances to gain a foothold on the networks of large commercial firms. Both groups seek big payouts, with Akira demanding ransoms of up to millions of dollars.
Separately, a WordPress plugin with over 2 million installations has been found to expose its users: both the free and paid editions can be exploited to compromise users of the affected sites.
Ransomware attack on Canadian firm
Toronto-based Constellation Software Inc. disclosed that a ransomware attack by the BlackCat group affected a limited number of its IT systems. The attackers claim to have stolen more than 1TB of data. The incident may have compromised the personal data of individuals as well as data relating to the company's partners.
Healthcare software maker targeted
Atlanta-headquartered NextGen Healthcare revealed that an unauthorized party had access to its systems between March 29 and April 14, 2023, and obtained the personal information of patients. The affected data includes names, addresses, birth dates, and SSNs. The firm stated that the intruders did not access individuals' health or medical records.
Akira - a multi-million dollar threat
MalwareHunterTeam took the wraps off the Akira ransomware group, which has been penetrating corporate networks globally and demanding ransom payments that can run to millions of dollars. Victims that do not want to pay for a decryptor are offered a lower price that covers only the non-publication of their stolen data. The malware first surfaced in March.
Cactus - A self-encrypting ransomware operation
Another recently unveiled ransomware operation is called Cactus. Its distinguishing feature is that it encrypts its own payload to stay under the radar of security tools. Operating since at least March 2023, the strain gains initial access by exploiting known vulnerabilities in Fortinet VPN appliances, according to cybersecurity experts at Kroll. For internal reconnaissance it employs a customized version of the open-source PSnmap tool (a PowerShell alternative to the nmap network scanner).
Bug exposes over 2M WordPress sites
The Advanced Custom Fields WordPress plugin was found to be affected by a high-severity XSS flaw tracked as CVE-2023-30777. The plugin has more than 2 million installations, and the flaw lies in its admin page, where an attacker, authenticated or not, can inject redirects, advertisements, and arbitrary HTML payloads into the pages served to site users. The vulnerability is exploitable on default plugin installations.
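As an added illustration (not code from the Advanced Custom Fields plugin, and not a description of the specific CVE-2023-30777 bug), the following shows the generic reflected-XSS pattern that afflicts WordPress admin pages, alongside its hardened form using the WordPress escaping and sanitization helpers. The `acme_` function names, the `tab` query parameter and the `acme` text domain are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Demonstrates a reflected XSS sink on a
// hypothetical WordPress admin page and a hardened rewrite of the same page.

// Vulnerable: a query parameter is echoed straight into an HTML attribute.
// A crafted link such as ?tab=x%22%3E%3Cscript%3E...  closes the attribute and
// injects markup into the page rendered for whoever opens that link.
function acme_admin_page_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<div class="wrap"><h2 data-tab="' . $tab . '">Settings</h2></div>';
}

// Hardened: restrict the page to privileged users, whitelist the parameter,
// and escape at the output sink rather than trusting the input.
function acme_admin_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'acme' ) );
    }

    $allowed = array( 'general', 'advanced' );
    // sanitize_key() lowercases and strips everything but [a-z0-9_-], and the
    // whitelist check rejects anything that is still not a known tab name.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'general';
    }

    // esc_attr() is the correct escaper for an attribute context; esc_html()
    // would be the choice for text nodes. Escaping here is the last line of
    // defence even though the whitelist already makes $tab safe.
    echo '<div class="wrap"><h2 data-tab="' . esc_attr( $tab ) . '">'
        . esc_html__( 'Settings', 'acme' ) . '</h2></div>';
}
```

The practitioner's takeaway is that "only reachable from the admin page" does not make a reflected XSS low risk: the attacker needs no account of their own, only a privileged user who follows a crafted URL, which is why the hardened version both limits who can reach the sink and escapes what reaches it.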
New PoC exploit for PaperCut bug
Security experts at VulnCheck developed a new PoC exploit for the critical PaperCut bug tracked as CVE-2023-27350, which they say evades all known detection rules. The bug affects PaperCut MF and NG versions 8.0 and above, and its exploitation enables unauthenticated RCE. It has previously been exploited in ransomware attacks by the Cl0p and LockBit groups.