Cyware Daily Threat Intelligence


Daily Threat Briefing November 14, 2023

Hamas-Israel cyberwar update - BlackBerry warned of a Windows version of the BiBi-Wiper malware that previously targeted Linux systems in cyberattacks against Israel. The Windows variant expands the threat to end user machines, overwriting data and deleting shadow copies to hinder file recovery. In other news, a security analysis of PyPI packages uncovered close to 4,000 hardcoded credentials with many posing an immediate threat. Configuration/documentation files like .json and .yml, along with 'readme' files, were also identified as storing credentials. Experts say accidentally published files are a more common issue here.

The ongoing conflict between innovation and exploitation once again highlighted the need for constant vigilance in cryptographic security. Digital adversaries swindled $60 million from roughly one million individuals by exploiting the Ethereum network's CREATE2 opcode.

Top Breaches Reported in the Last 24 Hours

Ransomware attack hits Texas hospital

Cogdell Memorial Hospital, a critical access hospital in Texas, suffered a ransomware attack by the Lorenz extortion group. The incident impacted the hospital's computer network, restricting access to systems and disrupting phone system operability. The Lorenz group claimed over 400GB of data theft, including internal files, patient medical images, and employee email communications.

Attackers cripple Danish critical infrastructure

Russia's GRU carried out coordinated attacks on 22 companies in Denmark, described as the largest attack in the country's history so far. These organizations oversee the nation's energy infrastructure. Attackers exploited zero-day vulnerabilities in Zyxel firewalls, tracked as CVE-2023-28771, to gain remote access to industrial control systems, demonstrating meticulous planning.

Cyberattack impacts 2.2 million patients

Michigan-based McLaren Health Care confirmed falling victim to a cyberattack earlier this year, affecting 2.2 million patients. The healthcare provider spotted suspicious activities in its systems three weeks after the intrusion began. The compromised data includes patient names, birth dates, SSNs, and extensive medical information. The ALPHV (BlackCat) ransomware gang claimed responsibility for the breach in October, boasting access to sensitive information.

Second data incident within a short period

Chess[.]com, the popular online platform for chess enthusiasts, suffered a second data leak within a week. This incident involves the exposure of nearly 500,000 user records, including sensitive information such as full names, usernames, email addresses, profile links, and more. The leak is distinct from and unrelated to the previous one, which affected approximately 828,327 users. The threat actor responsible for the recent leak claims to have acquired access to four more scraped databases.

Boeing-LockBit feud escalates

Boeing is facing a significant data breach by the LockBit ransomware gang. The attackers warned Boeing about the potential public release of stolen data and threatened to publish a sample if their ransom demands were not met. After Boeing refused to pay, LockBit leaked over 43GB of files, including sensitive data such as configuration backups, audit logs, and logs on monitoring tools.

Top Malware Reported in the Last 24 Hours

BiBi-Windows wiper targets Israeli entities

Cybersecurity researchers warn of the BiBi-Windows Wiper, a Windows malware associated with a pro-Hamas cybercriminal group targeting Israel. The malware, a counterpart to BiBi-Linux Wiper, overwrites files with junk data, deletes shadow copies, and exhibits multithreading capabilities. The group behind it aims to disrupt Israeli companies' operations through data destruction. Tactical overlaps with another actor, Moses Staff (suspected to be of Iranian origin), have been identified.

Ducktail stealer hijacks Facebook accounts

Threat actors used the Ducktail stealer to target marketing professionals in India between March and October, revealed security experts. Unlike previous campaigns using .NET applications, this one utilized Delphi as the programming language. Victims received archive files posing as PDFs, launching a PowerShell script and rogue library to alter browser shortcuts. The rogue extension, disguised as Google Docs Offline, sent information to a server in Vietnam, hijacking Facebook business accounts.

Hardcoded credentials found in PyPI packages

GitGuardian and researcher Tom Forbes discovered nearly 4,000 unique secrets, including valid credentials, hardcoded in almost 3,000 Python packages on PyPI. Over 760 of these secrets were confirmed as valid, posing an immediate threat to organizations. The leaked secrets included AWS, Azure AD, GitHub, MongoDB, MySQL, PostgreSQL, SSH, Coinbase, and Twilio Master credentials.
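As an added example (not code from Cyware, GitGuardian, or the cited research), here is a small defender-side scanner that walks an unpacked package and flags hardcoded credentials of the kinds named above, including the .json, .yml, and readme files mentioned in the intro; the rule set, the sample package tree, and every credential in it are constructed for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Format-specific rules for a few of the credential types named on the page.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "db_url_with_password": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@"),
}
# Generic key/value rule; this is what catches secrets in .json/.yml/README files.
GENERIC = re.compile(r"(?i)\b\w*(?:password|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s,]{8,})")
# Values that are documentation placeholders rather than leaked secrets.
PLACEHOLDER = re.compile(r"(?i)^[<$\{]|changeme|your[_-]|example|xxxx")
SCAN_SUFFIXES = (".py", ".json", ".yml", ".yaml", ".md", ".txt", ".cfg", ".ini", ".env")

Finding = Tuple[str, str, int, str]  # (path, rule, line number, masked value)

def mask(value: str) -> str:
    # Keep a short prefix so a finding is triageable without re-leaking the secret.
    return value[:6] + "..."

def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append((path, rule, lineno, mask(m.group(0))))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            # Drop placeholders and values a format-specific rule already reported.
            if PLACEHOLDER.search(value) or any(value in s or s in value for s in seen):
                continue
            findings.append((path, "generic_assignment", lineno, mask(value)))
    return findings

def scan_package(files: Dict[str, str]) -> List[Finding]:
    """Scan an unpacked package given as {relative path: file content}."""
    return [f for path, text in sorted(files.items())
            if path.lower().endswith(SCAN_SUFFIXES) for f in scan_text(path, text)]

# Constructed package tree; every credential below is a fake made up for this example.
SAMPLE_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='demo')\n",
    "demo/config.json": '{\n  "aws_access_key_id": "AKIAABCDEFGHIJKLMNOP",\n  "region": "us-east-1"\n}\n',
    "demo/settings.yml": "database_url: postgresql://app:S3cretPassw0rd@db.internal:5432/app\nsmtp_password: Hunter2Hunter2\n",
    "README.md": "# demo\nSet API_KEY = <your-api-key> before running.\nToken: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
}
```

Calling `scan_package(SAMPLE_PACKAGE)` reports four findings (the AWS key, the GitHub token, the database URL with an embedded password, and the SMTP password) while skipping the `<your-api-key>` placeholder in the README.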

Top Vulnerabilities Reported in the Last 24 Hours

Private RSA keys can be snooped on

A study conducted by researchers at the University of California, San Diego, revealed a potential security risk in certain devices' SSH connections. The researchers demonstrated the ability to snoop on SSH connections and impersonate equipment by deducing private RSA keys. A Man-in-the-Middle (MitM) attack could allow attackers to silently observe users' login details and monitor their activities on remote SSH servers. The vulnerability primarily affects some IoT and embedded devices using RSA keys.

Top Scams Reported in the Last 24 Hours

Ethereum network exploited to steal $60 million

Cybercriminals are reportedly exploiting the Ethereum network's CREATE2 opcode to bypass security measures in specific wallets, leading to substantial losses for cryptocurrency investors. The opcode, originally designed so that a contract's address can be predicted before it is deployed, is now used by scammers to create addresses with bad signatures that evade security checks. Uniswap's decentralized exchange is notably affected. Investigations by Scam Sniffer and SlowMist reveal that one group collected $60 million from nearly 99,000 victims in six months.
