Cyware Daily Threat Intelligence

Daily Threat Briefing • May 24, 2023
APT groups often use custom tools for reconnaissance and information exfiltration. Along the same lines, the North Korean APT Kimsuky was found deploying a custom malware called RandomQuery in its latest activity cluster. It has been purpose-built to carry out file enumeration and data exfiltration tasks. Meanwhile, AT&T has addressed a sensitive flaw that could allow an unauthorized individual to take over a user’s account, provided the phone number and ZIP code of the victim are known. The adversary could perform a SIM swapping attack and even request service cancellation for unsuspecting victims.
What’s more, an Iranian group was linked to a ransomware attack using a new ransomware payload called Moneybird against Israeli targets. Moving on from its previously favored tool, the Apostle ransomware, the group appears to be expanding its capabilities by developing new strains.
Top insurance entity under attack
The Insurance Information Bureau of India (IIB), the entity responsible for maintaining insurance-related information in the country, disclosed that it suffered a data breach at the hands of a Russian ransomware group. The hackers have demanded a ransom of $250,000 in BTC. As a result of the attack, approximately 30 server systems were encrypted, causing the agency's data to become inaccessible.
Healthcare breach impacts millions
Apria Healthcare, a healthcare equipment provider in the U.S., disclosed a data breach that potentially compromised the personal and financial information of approximately 1.9 million patients and employees. The breach occurred over a span of several months, between 2019 and 2021, during which malicious actors may have accessed personal, medical, health insurance and financial information, and other critical data of individuals.
APT group uses RandomQuery malware
Kimsuky, the North Korean APT group, is actively distributing a variant of custom malware known as RandomQuery as part of its reconnaissance campaigns. The malware has been specifically designed to perform two primary functions: file enumeration and data exfiltration. It can extract information regarding hardware, operating system, and files, which plays a key role in Kimsuky’s operations by enabling tailored follow-on attacks.
Moneybird: Agrius’ new ransomware tool
Iranian threat actor Agrius reportedly launched a ransomware attack using a new strain dubbed Moneybird. The ransomware, written in C++, was used in attacks against Israeli entities. The tools included in the attack operation are SoftPerfect Network Scanner (to scan internal networks), Plink (to tunnel RDP traffic from a VPS owned by the actor), ProcDump (to dump LSASS and harvest credentials), and FileZilla (to exfiltrate compressed files).
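The tool chain above (scanner, Plink tunnel, ProcDump against LSASS, FileZilla) is each individually a legitimate utility, so the useful detection signal is the combination on one host and the same account appearing across hosts. The following is an added example, not code from Cyware or from the cited research: it parses constructed key=value process-creation records (the field names and log format are assumptions), matches each record against one rule per stage, groups hits per host, and escalates when two stages appear on the same machine or a high-severity stage (LSASS dump) fires anywhere. It also lists accounts whose hits span several hosts.

```python
"""Stage-correlation triage for the Moneybird tool chain (added example; constructed data)."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample log in an assumed key=value format; values with spaces are double-quoted.
SAMPLE_LOG = """\
ts=2023-05-22T08:41:10Z host=WS07 user=CORP\\jdoe image=C:\\Users\\Public\\netscan.exe cmdline="netscan.exe /range:10.0.0.0/24"
ts=2023-05-22T08:55:03Z host=WS07 user=CORP\\jdoe image=C:\\Users\\Public\\plink.exe cmdline="plink.exe -N 203.0.113.10 3389"
ts=2023-05-22T09:12:47Z host=DC01 user=CORP\\jdoe image=C:\\Windows\\Temp\\procdump64.exe cmdline="procdump64.exe lsass.exe C:\\Windows\\Temp\\l.dmp"
ts=2023-05-22T09:40:19Z host=FS01 user=CORP\\jdoe image="C:\\Program Files\\FileZilla FTP Client\\filezilla.exe" cmdline="filezilla.exe"
ts=2023-05-22T09:41:00Z host=WS02 user=CORP\\asmith image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe notes.txt"
ts=2023-05-22T10:02:31Z host=DEV01 user=CORP\\build image=C:\\Tools\\procdump64.exe cmdline="procdump64.exe -e myservice.exe"
"""

# key=value tokens, with an optional double-quoted value.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> ProcEvent:
    """Turn one key=value record into a ProcEvent; missing fields become empty strings."""
    fields = {k: (q if q else u) for k, q, u in _KV_RE.findall(line)}
    return ProcEvent(fields.get("host", ""), fields.get("user", ""),
                     fields.get("image", ""), fields.get("cmdline", ""))


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# One rule per stage of the reported tool chain: (stage name, severity, predicate).
RULES = [
    ("internal_scan_netscan", "medium",
     lambda e: _base(e.image) in {"netscan.exe", "netscan64.exe"}),
    ("rdp_tunnel_plink", "medium",
     lambda e: _base(e.image) == "plink.exe" and "3389" in e.cmdline),
    ("credential_dump_lsass", "high",
     lambda e: _base(e.image) in {"procdump.exe", "procdump64.exe"}
     and "lsass" in e.cmdline.lower()),
    ("exfil_filezilla", "low",
     lambda e: _base(e.image) == "filezilla.exe"),
]


def match_rules(event: ProcEvent) -> list:
    """Return [(stage, severity)] for every rule the event satisfies."""
    return [(stage, sev) for stage, sev, pred in RULES if pred(event)]


def triage(log_text: str) -> dict:
    """Group rule hits per host and decide which hosts to escalate.

    Escalate when two distinct stages land on one host (the chain is forming)
    or any high-severity stage fires (an LSASS dump alone warrants a response).
    """
    per_host: dict = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = match_rules(ev)
        if not hits:
            continue
        entry = per_host.setdefault(ev.host, {"stages": set(), "sev": set(), "users": set()})
        for stage, sev in hits:
            entry["stages"].add(stage)
            entry["sev"].add(sev)
        entry["users"].add(ev.user)
    return {
        host: {
            "stages": sorted(e["stages"]),
            "users": sorted(e["users"]),
            "escalate": len(e["stages"]) >= 2 or "high" in e["sev"],
        }
        for host, e in per_host.items()
    }


def lateral_accounts(triaged: dict) -> list:
    """Accounts whose rule hits span two or more hosts (a pivoting-account signal)."""
    hosts_per_user = defaultdict(set)
    for host, e in triaged.items():
        for user in e["users"]:
            hosts_per_user[user].add(host)
    return sorted(u for u, hs in hosts_per_user.items() if len(hs) >= 2)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for host, info in result.items():
        flag = "ESCALATE" if info["escalate"] else "watch"
        print(f"{host}: {flag} stages={info['stages']} users={info['users']}")
    print("accounts active across hosts:", lateral_accounts(result))
```

On the constructed log, WS07 escalates because scanning and tunnelling both appear there, DC01 escalates on the LSASS dump alone, FS01 stays at "watch" because FileZilla by itself is ordinary, and the ProcDump run on DEV01 against a non-LSASS process produces no hit at all. The per-account view then shows the same account behind all three flagged hosts.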
Malicious app infects thousands of devices
Researchers at ESET discovered a trojanized Android application called iRecorder – Screen Recorder, which had already garnered more than 50,000 downloads on the Google Play Store. Initially, in September 2021, this app was available as a legitimate application. However, the malicious functionality was introduced in the app around August 2022.
AT&T account takeover flaw
Cybersecurity researcher Joseph Harris disclosed a security vulnerability on the AT&T platform that could allow an attacker to hijack someone's account. The flaw allowed an attacker to abuse an account-merging feature to merge their own account with anyone else’s, giving them the ability to update that account’s password and pursue other harmful activities, such as SIM swapping attacks, modifying account details, and canceling services.
Router bug was exploited
MikroTik, a network equipment manufacturer based in Latvia, addressed a significant security issue in its RouterOS product. Security analysts confirmed that the CVE-2023-32154 flaw was exploited by cybercriminals approximately five months ago. The issue exists within the Router Advertisement Daemon that an attacker can remotely abuse to execute arbitrary code on vulnerable devices.