
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 2, 2023

Buried! In a surprising turn of events, the Mozi botnet, known for its DDoS attacks on IoT devices, has been deactivated after an unknown party initiated a kill switch. Either the original Mozi botnet creator or Chinese law enforcement is said to be behind the mysterious act. Meanwhile, a ransomware group has been spotted exploiting a recently disclosed critical vulnerability (CVSS score: 10.0) in the Apache ActiveMQ message broker service. Thousands of instances were found still exposed to RCE attacks. Applying security updates is crucial to prevent potential message interception, workflow disruption, data theft, and lateral movement.

Security experts are warning that threat actors can potentially exploit 34 vulnerable Windows kernel drivers, enabling them to gain device control and execute arbitrary code. The flaws potentially provide them with the ability to alter firmware and elevate OS privileges.

Top Breaches Reported in the Last 24 Hours

Mental healthcare provider suffers ransomware attack

Deer Oaks Behavioral Health, a mental healthcare provider based in Texas, notified Maine's Attorney General about the compromise of approximately 172,000 patients’ data in a ransomware incident. Patient information potentially affected includes names, addresses, birthdates, Social Security numbers, diagnosis codes, insurance details, and treatment service types. The incident, detected on September 1, was swiftly contained within a single network segment.

Breach of Russia's payment system

Pro-Ukrainian hackers from the DumpForums group and the Ukrainian Cyber Alliance claimed to have breached Russia's National Payment Card System (NSPK) and obtained user data. They defaced an NSPK website and claimed to have accessed the Mir payment network's internal systems. NSPK denied any data leak and said the defaced site is not connected to its payment infrastructure; the attackers, however, published a screenshot of a folder said to contain 30GB of Mir data.

Cyberattack cripples 70 German municipalities

A ransomware attack on Südwestfalen IT, a local municipal IT service provider, has severely limited government services in over 70 municipalities in western Germany. The attack encrypted servers, restricting access to infrastructure and affecting nearly all town halls in the region. With online systems down, local administrations are providing in-person services only, and internal and external communication remains mostly nonfunctional.

U.S. DoJ among agencies targeted in MOVEit attack

An exploitation campaign targeting the MOVEit Transfer vulnerability has affected government agencies, including the U.S. DoJ and the DoD. Cybercriminals reportedly accessed email addresses belonging to approximately 632,000 government employees. The breach is connected to a data firm named Westat that provides services to the Office of Personnel Management. The impacted employees mainly come from the Defense Department, encompassing the Air Force, Army, Army Corps of Engineers, the Office of the Secretary of Defense, and Joint Staff officials.

Top Malware Reported in the Last 24 Hours

Mozi botnet put to sleep by a mysterious trigger

The notorious Mozi botnet saw a sudden decline in activity in August, first in India and then in its origin country, China. On September 27, a UDP message was sent to all Mozi bots instructing them to download an update via HTTP, effectively triggering a kill switch. The update terminated the malware, disabled some system services, replaced the original Mozi file with itself, and made further configuration changes on infected devices. Because the payload was signed with the correct private keys, researchers believe this was a controlled takedown, possibly carried out by the original creators or Chinese law enforcement.

Ransomware builder up for sale

The owner of RansomedVC ransomware, a short-lived ransomware operation with several high-profile victims, is reportedly offering his operation for sale due to "personal reasons." The sale includes the ransomware builder, which is claimed to bypass all antivirus products and infect all LAN devices within a target network. The buyer will also receive access to affiliate groups, social media channels, and 37 databases. Some speculate this unusual move is an exit scam.

NodeStealer operators running malvertising campaign

Cybercriminals have adapted NodeStealer attacks to exploit Meta's ad network on Facebook to compromise users' privacy and security. In this campaign, at least 10 compromised business accounts have been used to serve malicious ads to the public. These ads lure victims with revealing photos of young women, encouraging them to download a malicious executable file. The malware, NodeStealer 2.1, allows attackers to steal browser cookies, take over Facebook accounts, access Gmail and Outlook, steal crypto wallet balances, and download additional malicious payloads. This campaign potentially garnered 100,000 downloads.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft 365 SketchUp support exposed 117 vulnerabilities

Microsoft's inclusion of SketchUp 3D library support in Microsoft 365 has led to the discovery of as many as 117 unique vulnerabilities in the suite. ThreatLabz researchers found these vulnerabilities over a span of three months, with Microsoft initially patching some high-severity issues. However, researchers were able to bypass the patches, leading to the discontinuation of support by the tech giant in June 2023. Microsoft had assigned three CVEs to track these vulnerabilities: CVE-2023-28285, CVE-2023-29344, and CVE-2023-33146.

Dozens of flaws in kernel drivers

VMware Carbon Black's Threat Analysis Unit uncovered dozens of previously unknown vulnerable kernel drivers that could be exploited to manipulate firmware or escalate privileges. Threat actors often abuse these drivers to maintain system persistence and evade security tools. While 18,000 Windows driver samples were collected and analyzed, a few hundred file hashes were linked to 34 unique, unknown vulnerable drivers, some of which belonged to major BIOS, PC, and chip manufacturers. VMware has also developed proof-of-concept exploits for some of these drivers.

Google releases Chrome 119 patches

Google launched Chrome 119 with security patches for 15 vulnerabilities, 13 of which were reported by external researchers. Three high-severity issues include problems related to the inappropriate implementation in Payments, insufficient data validation in USB, and integer overflow in USB. The remaining medium and low severity bugs were tied to various Chrome components. Half of the medium-severity bugs are use-after-free issues impacting Chrome’s Printing, Profiles, Reading Mode, and Side Panel components.

HelloKitty exploits Apache ActiveMQ bug

Cybersecurity researchers have detected suspected exploitation of a recently disclosed critical security flaw in Apache ActiveMQ by the HelloKitty ransomware operators. Apache ActiveMQ is an open-source message broker that enables communication between clients and servers in enterprise environments. The RCE vulnerability, CVE-2023-46604, allows an attacker with network access to a broker to execute arbitrary shell commands by manipulating serialized class types in the OpenWire protocol, causing the broker to instantiate an arbitrary class on its classpath. Over 3,000 internet-exposed Apache ActiveMQ servers were found still vulnerable to the critical flaw.
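Because the bug lives in the OpenWire protocol, the quickest way to triage exposed brokers is the same handshake an OpenWire client performs: on connect, an ActiveMQ broker sends a WireFormatInfo frame whose properties advertise its ProviderVersion. The script below, an added example written for this briefing and not code from the article, Apache, or the reporting researchers, parses such a frame and flags versions that predate the fixed releases (5.15.16, 5.16.7, 5.17.6, 5.18.3). The byte layout follows the OpenWire "loose" encoding used before tight encoding is negotiated; the sample banner is constructed for the example, not captured from a real broker.

```python
"""Triage ActiveMQ brokers for CVE-2023-46604 from their OpenWire banner.

Added example, not the article's or Apache's code. Assumes OpenWire loose
encoding: 4-byte size prefix, command type byte 1 (WireFormatInfo), 8-byte
magic "ActiveMQ", int version, then a boolean-prefixed byte sequence that
holds a marshalled primitive map (Java writeUTF keys, type-tagged values).
"""
import struct

WIRE_FORMAT_INFO = 1            # OpenWire command type of the handshake frame
MAGIC = b"ActiveMQ"
BOOLEAN_TYPE, INTEGER_TYPE, LONG_TYPE, STRING_TYPE = 1, 5, 6, 9  # map value tags

# First release on each maintained branch that fixed CVE-2023-46604.
FIXED_VERSIONS = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7),
                  (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}


def _read_utf(buf, pos):
    """Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_wire_format_info(frame):
    """Return (openwire_version, properties) from a WireFormatInfo frame."""
    (size,) = struct.unpack_from(">I", frame, 0)
    body = frame[4:4 + size]
    if len(body) != size:
        raise ValueError("truncated frame")
    if body[0] != WIRE_FORMAT_INFO:
        raise ValueError(f"not a WireFormatInfo command: type {body[0]}")
    if body[1:9] != MAGIC:
        raise ValueError("bad OpenWire magic")
    (openwire_version,) = struct.unpack_from(">i", body, 9)
    props, pos = {}, 13
    if body[pos]:                               # boolean: properties present
        (length,) = struct.unpack_from(">i", body, pos + 1)
        pmap, p = body[pos + 5:pos + 5 + length], 0
        (count,) = struct.unpack_from(">i", pmap, p)
        p += 4
        for _ in range(count):
            key, p = _read_utf(pmap, p)
            tag, p = pmap[p], p + 1
            if tag == BOOLEAN_TYPE:
                value, p = bool(pmap[p]), p + 1
            elif tag == INTEGER_TYPE:
                (value,) = struct.unpack_from(">i", pmap, p); p += 4
            elif tag == LONG_TYPE:
                (value,) = struct.unpack_from(">q", pmap, p); p += 8
            elif tag == STRING_TYPE:
                value, p = _read_utf(pmap, p)
            else:
                raise ValueError(f"unsupported primitive type {tag}")
            props[key] = value
    return openwire_version, props


def is_vulnerable(provider_version):
    """True if an ActiveMQ version string predates its branch's fixed release."""
    parts = tuple(int(x) for x in provider_version.split(".")[:3])
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        # Unlisted branches: 5.14 and older never got a fix; newer (6.x) did.
        return parts < (5, 15, 16)
    return parts < fixed


def build_wire_format_info(props, openwire_version=12):
    """Encode a WireFormatInfo frame; used only to build the constructed sample."""
    pmap = struct.pack(">i", len(props))
    for key, value in props.items():
        pmap += struct.pack(">H", len(key)) + key.encode()
        if isinstance(value, bool):             # bool before int: bool is an int
            pmap += bytes([BOOLEAN_TYPE, int(value)])
        elif isinstance(value, int):
            pmap += bytes([INTEGER_TYPE]) + struct.pack(">i", value)
        else:
            raw = value.encode()
            pmap += bytes([STRING_TYPE]) + struct.pack(">H", len(raw)) + raw
    body = (bytes([WIRE_FORMAT_INFO]) + MAGIC + struct.pack(">i", openwire_version)
            + b"\x01" + struct.pack(">i", len(pmap)) + pmap)
    return struct.pack(">I", len(body)) + body


# Constructed sample banner (not a real capture): a 5.18.2 broker.
SAMPLE_BANNER = build_wire_format_info({
    "TightEncodingEnabled": True,
    "CacheSize": 1024,
    "ProviderName": "ActiveMQ",
    "ProviderVersion": "5.18.2",
})


def triage(frame):
    """Parse a banner and return (advertised version, vulnerable flag)."""
    _, props = parse_wire_format_info(frame)
    version = props.get("ProviderVersion")
    if version is None:
        return "unknown", None              # old brokers may omit the property
    return version, is_vulnerable(version)


if __name__ == "__main__":
    print(triage(SAMPLE_BANNER))            # ('5.18.2', True)
```

Against a live host you would connect to TCP/61616 and feed the first frame the broker sends to `parse_wire_format_info`; a missing ProviderVersion is reported rather than guessed, and an unexpected command type or magic raises instead of being misread as a version.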
