
Cyware Daily Threat Intelligence


Daily Threat Briefing May 9, 2023

Unpatched security issues remain one of the top reasons enterprises suffer unauthorized intrusions. Lately, the operators of the AndoryuBot botnet have been spotted abusing an RCE vulnerability in Ruckus devices to enlist them in their growing DDoS network. The botnet, which surfaced in February this year, can launch diverse forms of DDoS attacks. PaperCut bugs are back in the headlines, but this time it is a pair of Iranian state-sponsored threat groups that have adopted the publicly available PoC exploits.

The security issues with KNX are once again in the spotlight after security researchers reported the availability of a public exploit targeting building automation systems. Schneider Electric warned end-users against exposing unpatched versions of its products.

Top Breaches Reported in the Last 24 Hours

LockBit leaks 600 GB of data

After refusing to entertain ransom demands from the LockBit 3.0 group, Indian lending firm Fullerton suffered a 600 GB data exposure. The attackers are expected to escalate to triple extortion, approaching the firm's clients, business partners, and vendors to pressure it into negotiating with the ransomware actors. The breach was officially confirmed on April 24.

MSI breach exposes Intel Boot Guard private keys

Intel's Boot Guard OEM private keys were allegedly exposed as a result of the breach at Micro-Star International (MSI), which fell victim to a Money Message ransomware attack last month. PCs with Intel chips and Boot Guard protection only run firmware that is digitally signed with such keys. Anyone in possession of these private Boot Guard keys could sign their own malicious firmware and bypass this protection on MSI systems.

Attack on Hong Kong healthcare group

A cyberattack on OT&P Healthcare in Hong Kong apparently impacted the personal data and medical history of about 100,000 patients. While officials have yet to provide an estimate of the total scope of stolen data, they said individuals' identity card and passport numbers were also stored on the compromised servers. The healthcare group operates a total of eight clinics in Central, Repulse Bay, and Clear Water Bay.

Top Malware Reported in the Last 24 Hours

AndoryuBot botnet abuses Ruckus flaws

Access points (APs) from wired and wireless networking equipment maker Ruckus are being targeted by a DDoS botnet named AndoryuBot, which exploits a recently patched bug in the devices. Threat actors were observed abusing CVE-2023-25717, an RCE bug, to compromise the APs. Upon infection, the botnet rapidly propagates and initiates communication with its command-and-control (C2) server using the SOCKS protocol.

Top Vulnerabilities Reported in the Last 24 Hours

Iranian threats abuse PaperCut bug

Two Iranian state-sponsored groups were observed targeting a recently patched flaw in PaperCut MF/NG print management software. According to Microsoft, Mint Sandstorm and Mango Sandstorm updated their arsenal using publicly available PoC exploit code. Microsoft added that the first group is actively and opportunistically targeting the flaw, while the number of attack attempts from the second group remains low.

KNX exploit threatens building automation systems

Building automation systems based on KNX, an open standard for commercial and residential building automation, are being targeted by a public exploit, according to Schneider Electric. The exploit abuses two security vulnerabilities: CVE-2022-22809 and CVE-2020-7525. The first was addressed by the vendor in February 2022 and the second in August 2020. Successful exploitation of the bugs can give adversaries admin privileges.
