
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 20, 2023

Threat actors continuously update their tools and techniques to enhance stealth and functionality. For instance, the newest version of the LummaC2 malware employs an anti-sandbox technique rooted in trigonometry, delaying sample detonation until human mouse activity is detected. Individuals at financial and blockchain corporations should watch out for archives in their inbox titled "Blockchain Corporate Solution Handbook Production.zip" or similarly named promotional files; the archive contains a malicious LNK file in place of the expected DOCX document.

On the vulnerability side, a critical flaw was discovered affecting Johnson Controls' Frick refrigeration products. The vulnerability could have granted full administrative control over the Quantum HD system, impacting products used globally in the critical manufacturing sector. Also, an APT group now targeting cryptocurrency users worldwide is reportedly exploiting a WinRAR zero-day bug.

Top Breaches Reported in the Last 24 Hours

Yamaha and WellLife Network listed on leak site

Yamaha Motor and healthcare organization WellLife Network have confirmed cyberattacks after being added to the leak site of the INC Ransom group. A server of Yamaha Motor, managed by its motorcycle manufacturing and sales subsidiary in the Philippines, was hit with a ransomware attack, leaking employees’ personal data. WellLife Network also disclosed that it fell victim to the attack by the group, leading to the compromise of names, dates of birth, demographic data, and other personal or health information.

Carpet cleaning firm targeted

Stanley Steemer International, a carpet cleaning company based in Ohio, fell victim to a data breach that impacted almost 67,000 customers. The company detected suspicious activity on March 6 and found that attackers gained access to its systems starting February 10, acquiring certain records during their presence in the network. The breach exposed customer names, SSNs, driver's license numbers, and financial account information, including credit and debit card details with security codes and PIN codes.

MOVEit breach blurts out healthcare data

The attack on the MOVEit file transfer service exposed the sensitive data of more than 330,000 Medicare recipients, according to the U.S. Centers for Medicare & Medicaid Services (CMS). The breach occurred through the network of CMS contractor Maximus Federal Services. The compromised data includes names, Social Security numbers, addresses, medical history, and more.

NoEscape threatens release of 1.5TB of data

The NoEscape ransomware group claimed responsibility for a cyberattack on PruittHealth, a private healthcare organization in Norcross, Georgia. Threatening to release 1.5TB of exfiltrated data, the group demands contact from a negotiator within three days. NoEscape infiltrated the victim’s network on November 13. The threat actors reportedly claim to have approached Randall Loggins, Chief Financial Officer (CFO) of PruittHealth.

Top Malware Reported in the Last 24 Hours

LummaC2 malware evolves to version 4.0

The LummaC2 stealer malware has introduced a new anti-sandbox technique that uses trigonometry to delay detonation until human mouse activity is detected. The new version samples the cursor position at short intervals, treats the displacements between successive positions as Euclidean vectors, and calculates the angles formed between them to determine whether human mouse behavior is present. Developed in the C programming language, LummaC2 has continued to evolve since it was discovered in December 2022.
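The cursor-angle heuristic described above, re-created here as an added example so that a sandbox operator can check whether their own emulated mouse input would pass such a test. This is illustrative code written for this briefing, not LummaC2's code or the analysts' code; the sample count, the 45-degree turn threshold, the treatment of a stationary cursor, and the three sample trajectories are assumptions constructed for the example.

```python
import math
from typing import List, Optional, Tuple

Point = Tuple[float, float]

# Assumed parameters (illustrative, not taken from the malware): five cursor
# samples per check and a 45-degree ceiling on the turn between successive moves.
SAMPLE_COUNT = 5
MAX_TURN_DEGREES = 45.0


def movement_angles(points: List[Point]) -> List[Optional[float]]:
    """Treat consecutive cursor positions as Euclidean vectors and return the
    angle, in degrees, between each pair of successive displacement vectors.
    An entry is None when one of the two displacements has zero length,
    i.e. the cursor did not move during that interval."""
    if len(points) < 3:
        raise ValueError("need at least three cursor samples to form an angle")
    vectors = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    angles: List[Optional[float]] = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        na, nb = math.hypot(ax, ay), math.hypot(bx, by)
        if na == 0.0 or nb == 0.0:
            angles.append(None)
            continue
        # Clamp guards against rounding pushing the cosine just outside [-1, 1].
        cos_theta = max(-1.0, min(1.0, (ax * bx + ay * by) / (na * nb)))
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def looks_human(points: List[Point], max_turn: float = MAX_TURN_DEGREES) -> bool:
    """True when every displacement is non-zero and turns by less than max_turn
    degrees: the smooth, continuous motion a hand produces. A stationary cursor
    or sharp back-and-forth jumps, typical of naive input emulation, fail."""
    return all(a is not None and a < max_turn for a in movement_angles(points))


# Constructed sample trajectories (five samples each, as if read at a fixed interval).
HUMAN_LIKE: List[Point] = [(100, 100), (120, 105), (141, 112), (163, 121), (186, 132)]
TELEPORTING: List[Point] = [(100, 100), (300, 100), (100, 100), (300, 100), (100, 100)]
STATIONARY: List[Point] = [(500, 500)] * SAMPLE_COUNT


def classify(points: List[Point]) -> str:
    """Label a trajectory for an operator reviewing their sandbox's input emulation."""
    angles = movement_angles(points)
    if any(a is None for a in angles):
        return "rejected: cursor stationary in at least one interval"
    largest = max(a for a in angles if a is not None)
    if largest >= MAX_TURN_DEGREES:
        return "rejected: turn of %.1f degrees exceeds %.1f" % (largest, MAX_TURN_DEGREES)
    return "accepted: max turn %.1f degrees" % largest


if __name__ == "__main__":
    for name, trajectory in (("human-like", HUMAN_LIKE),
                             ("teleporting", TELEPORTING),
                             ("stationary", STATIONARY)):
        print("%-12s %s" % (name, classify(trajectory)))
```

Running the script shows why a sandbox that leaves the pointer parked, or jumps it between a few fixed coordinates, never satisfies the check: only the gently curving trajectory yields small turn angles at every step, so emulated input needs interpolated, continuously moving positions to look like a hand.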

LNK file targets financial and blockchain corporations

ASEC uncovered a cyberattack campaign using a malicious LNK file to target personnel at financial and blockchain corporations. Disguised as a legitimate document, the compressed "Blockchain Corporate Solution Handbook Production.zip" contains an unusually large LNK file carrying obfuscated PowerShell commands. Upon execution, the malware prompts the user to enter information while performing various malicious actions in the background, including collecting system information and downloading additional files.

Top Vulnerabilities Reported in the Last 24 Hours

Critical flaw exposes supply chain risks

Johnson Controls addressed a critical vulnerability (CVE-2023-4804) in its Frick refrigeration products, impacting Quantum HD Unity Compressor and control panels used globally, particularly in the food and beverage industry. The flaw could grant unauthorized access to debug features, potentially allowing full administrative control. While the immediate impact is unclear, cyberattacks on refrigeration systems pose a risk of operational disruption and financial loss. The six-month delay in patch release posed the risk of a complex supply chain attack.

WinRAR Zero-Day abused in phishing campaign

Cybersecurity firm NSFOCUS spotted the DarkCasino APT exploiting the WinRAR zero-day vulnerability (CVE-2023-38831) in phishing attacks. Initially targeting users in Mediterranean and Asian countries, the economically motivated group has shifted its focus to cryptocurrency users worldwide, including those in non-English-speaking Asian nations. DarkCasino employs specially crafted archives to deliver the DarkMe Trojan. Experts noted that some variants of the CVE-2023-38831 exploit are challenging to identify.
