Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 7, 2023
The Israeli higher education and technology sectors were caught in the crosshairs of cyberattacks amid the ongoing Israel-Hamas conflict. An Iranian state-backed hacking group tracked as Agonizing Serpens was found using three previously undocumented wiper malware families, named MultiLayer Wiper, PartialWasher, and BFG Agonizer, to destroy data on compromised systems. There was also a report on the increase in Jupyter infostealer infections over the last two weeks. VMware’s Carbon Black researchers revealed that the malware has evolved to target Chrome, Edge, and Firefox browsers, enabling threat actors to steal credentials and other sensitive details from victims’ systems.
Besides these, experts have raised alarms about the active exploitation of critical flaws in Atlassian Confluence and Apache ActiveMQ to launch ransomware attacks. Customers are urged to use the latest versions of these products to stay safe.
Canadian hospitals confirm ransomware attacks
Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital confirmed that their patient and employee data was stolen in a ransomware attack. While Bluewater Health disclosed that the data of approximately 267,000 unique patients was stolen, Chatham-Kent Health Alliance revealed that information pertaining to 1,446 patients was impacted. For Windsor Regional Hospital and Hôtel-Dieu Grace Healthcare, limited patient and employee information was accessed. Meanwhile, Erie Shores HealthCare concluded that the social insurance numbers of around 352 employees were compromised.
Medusa group claims attack on CPA
The Medusa ransomware group claimed responsibility for an attack on the Canadian Psychological Association (CPA) by listing the organization on its data leak site, alongside a countdown timer intended to pressure the victim into paying. There are no further details on what kind of data was compromised in the attack.
Google Calendar RAT abuses Calendar Events
Google warned the cybersecurity community about a new proof-of-concept tool that abuses Google Calendar events as command-and-control (C2) infrastructure. The tool, called Google Calendar RAT, relays C2 traffic through the Calendar service using an attacker-controlled Gmail account, so its communications blend in with legitimate Google traffic and are hard for defenders to single out. Although Google has not observed it deployed in the wild, Mandiant observed multiple users sharing it on cybercriminal forums.
New wiper malware detected
Palo Alto Networks shared details of a new series of cyberattacks against the Israeli education and technology sectors that aimed to wipe data from compromised systems. The campaign began in January and continued through October, with the latest wave of attacks attributed to an Iranian hacking group tracked as Agonizing Serpens. The attackers were found using three new wiper malware families, tracked as MultiLayer, PartialWasher, and BFG Agonizer, as well as a custom tool named Sqlextractor used to pull information from database servers before the wiping took place.
Rise in Jupyter infostealer infections
Infections involving the Jupyter infostealer increased over the last two weeks, with attackers recently exploiting search engines and using legitimate signed files to distribute the malware. Researchers also observed an increase in the number of variants of the infostealer, with improvements aimed at avoiding detection, targeting various browsers, and establishing persistence.
Atlassian and Apache vulnerabilities exploited
Multiple ransomware groups have begun exploiting recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Attackers started exploiting the Atlassian Confluence Data Center and Server flaw (CVE-2023-22518) after exploit code was publicly released last week; in one instance, exploitation of the vulnerability led to the deployment of Cerber ransomware. Meanwhile, Arctic Wolf Labs disclosed that the flaw impacting Apache ActiveMQ was weaponized to deliver the SparkRAT malware and a ransomware variant that shares similarities with TellYouThePass ransomware. Customers are urged to update both products to the latest fixed versions to stay safe.
Veeam issues emergency security updates
Veeam released emergency updates for four vulnerabilities affecting Veeam ONE, its IT infrastructure monitoring and analytics platform. Two of these flaws are rated critical: CVE-2023-38547 allows an unauthenticated user to obtain information about the SQL server connection Veeam ONE uses for its configuration database, which may lead to remote code execution on that SQL server, while CVE-2023-38548 allows an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. The remaining two are medium-severity bugs (CVE-2023-38549 and CVE-2023-41723) that require user interaction and have limited impact.
QNAP issues advisory for two flaws
QNAP issued advisories for two critical command injection vulnerabilities impacting multiple versions of its QTS operating system and applications on its NAS devices. The flaws, tracked as CVE-2023-23368 and CVE-2023-23369, can be exploited by remote attackers over the network. The first issue affects QTS 5.0.x and 4.5.x, QuTS hero h5.0.x and h4.5.x, and QuTScloud c5.0.1, whereas the second affects QTS 5.1.x, 4.3.6, 4.3.4, 4.3.3, and 4.2.x, along with the Multimedia Console and Media Streaming add-on applications.
Google addresses 37 flaws
Google announced security updates for 37 vulnerabilities as part of the November 2023 Android security bulletin. The updates also include fixes for Pixel devices. Fifteen of these flaws affect Android’s Framework and System components. The most severe of them, tracked as CVE-2023-40113, can lead to local information disclosure on affected devices with no additional execution privileges needed.