Cyware Daily Threat Intelligence

Daily Threat Briefing • Nov 28, 2023
NT LAN Manager (NTLM), the aging gatekeeper of Windows authentication and a protocol long criticized for its weaknesses, is once again facing a trial. Researchers have shared a study of "forced authentication" that can leak Windows NTLM tokens, exposing users to potential attacks. Additionally, the threat landscape witnessed a new detection-evasion tactic from Lazarus: the North Korean APT group was observed mixing malware families to compromise macOS devices, leveraging RustBucket droppers to deliver the KANDYKORN malware.
Also, learn about a critical design flaw in Google Workspace's Domain-Wide Delegation (DWD) feature. The weakness lets threat actors gain unauthorized access to Workspace APIs, risking data exfiltration from Gmail, Google Drive, and other services for every identity in the target domain, without requiring super admin privileges.
Slovenian power company hit by ransomware
Holding Slovenske Elektrarne, Slovenia's largest power generation company, experienced a ransomware attack that encrypted its files but did not disrupt power production. The attack reportedly occurred last Wednesday, with containment achieved by Friday. While no ransom demand has been received, unofficial information suggests the involvement of the Rhysida ransomware gang; the group is known for targeting high-profile organizations.
Ethyrial: Echoes of Yore players' accounts wiped
The multiplayer online role-playing game "Ethyrial: Echoes of Yore" fell victim to a ransomware attack, resulting in the deletion of every player's account and the loss of all characters. The attackers encrypted data on the game's servers and local backup, demanding a cryptocurrency ransom for a decryption key. While no customer data was accessed, all 17,000 user accounts and characters were lost.
Healthcare firm’s operations disrupted
Ardent Health Services, a healthcare organization operating in multiple states, suffered a ransomware attack. The incident prompted Ardent to proactively take its network offline, suspending user access to various IT applications, including clinical programs and corporate servers. The full impact and extent of compromised data, including patient health and financial information, are yet to be confirmed.
Healthcare firm faces second attack by the same group
Healthcare company Henry Schein has experienced a second cyberattack by the BlackCat/ALPHV ransomware gang within a month. The Fortune 500 company, which initially reported an attack on October 15, saw its e-commerce platform and certain applications affected in this recent incident. BlackCat claims responsibility and has threatened to publish sensitive data, alleging the theft of 35TB of information.
Major chipmaker suffered prolonged espionage
A Chinese-linked hacking group, known as Chimera or G0114, orchestrated a lengthy corporate network intrusion—spanning over two years—into NXP, a leading Netherlands-based chipmaker. The attackers sought chip designs and intellectual property, using cloud services to exfiltrate stolen data. The intrusion remained undetected until the Chimera attackers were identified in a distinct corporate network.
macOS malware campaigns blended
The Lazarus group has been observed combining elements from the macOS malware campaigns RustBucket and KANDYKORN in a new campaign. Cybersecurity firm SentinelOne discovered the group utilizing SwiftLoader, a backdoored PDF reader, to distribute the KANDYKORN malware. The researchers also linked a third macOS-specific malware, ObjCShellz, to the RustBucket campaign. The disclosure coincides with Andariel, a Lazarus subgroup, exploiting an Apache ActiveMQ security flaw to install backdoors.
Microsoft feature leaks NTLM tokens
Security researchers uncovered a case of "forced authentication" that abuses a feature in Microsoft Access to leak Windows users' NT LAN Manager (NTLM) tokens. The attacker embeds a specially crafted .accdb file in an MS Word document; when a victim opens the document and clicks the linked table, Access attempts to authenticate to the attacker-controlled server, which receives the victim's NTLM hashes. The attack leverages the legitimate table-linking feature in Access, and Microsoft has issued mitigations in Office/Access versions.
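The forced-authentication item above depends on the victim's machine reaching out to an attacker-controlled file server, and that outbound connection is where defenders can see it. The following check, an added example written for this briefing rather than code from Cyware, Microsoft, or the researchers, scans perimeter firewall records for outbound SMB connections (TCP 445/139) from internal hosts to non-internal addresses, which is the network-level symptom of any NTLM forced-authentication lure. The log format, the sample lines, and the internal address list are constructed assumptions; adapt the parser to your own firewall export.

```python
"""Flag outbound SMB connections to non-internal hosts in firewall logs.

Constructed example: the space-separated record format below is made up
for this illustration and is not any vendor's real export format.
"""
import ipaddress
from dataclasses import dataclass

# NTLM forced-authentication lures need the client to talk SMB to a remote
# host; these are the TCP ports that traffic uses.
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918 plus loopback and link-local).
# Anything outside these ranges is treated as external to the organisation.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Parse one constructed record: '<ts> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>'.

    Returns None for malformed lines so a noisy export does not abort the scan.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return Flow(ts, src, dst, int(dport), action.upper())
    except ValueError:
        return None


def is_external(ip):
    """True when the address lies outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_outbound_smb(lines):
    """Return flows that carried (or tried to carry) SMB to an external host.

    Denied attempts are kept on purpose: a DENY still tells you a document
    on that workstation tried to authenticate outward.
    """
    hits = []
    for line in lines:
        flow = parse_line(line)
        if flow is None:
            continue
        if flow.dport in SMB_PORTS and is_external(flow.dst):
            hits.append(flow)
    return hits


def summarize(hits):
    """Group flagged external destinations by the internal source host."""
    by_src = {}
    for flow in hits:
        by_src.setdefault(flow.src, set()).add(flow.dst)
    return by_src


# Constructed sample export; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary internet hosts.
SAMPLE_LOG = [
    "2023-11-28T09:14:02Z 10.20.5.17 10.20.1.4 445 ALLOW",      # internal file server, benign
    "2023-11-28T09:14:05Z 10.20.5.17 203.0.113.10 445 ALLOW",   # SMB to the internet: flag
    "2023-11-28T09:14:06Z 10.20.5.17 203.0.113.10 443 ALLOW",   # HTTPS, not SMB
    "2023-11-28T09:15:11Z 10.20.7.3 198.51.100.22 139 DENY",    # blocked, but still an attempt: flag
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for src, dsts in summarize(find_outbound_smb(SAMPLE_LOG)).items():
        print(f"{src} attempted SMB to external hosts: {sorted(dsts)}")
```

Run against a real export, the hosts that appear in the summary are the ones to pull Office document-open telemetry from; a single workstation reaching one unknown external host on 445 shortly after a document was opened matches the lure described above far more closely than bulk file-share traffic does.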
Design flaw enables privilege escalation
Cybersecurity researchers have exposed a "severe design flaw" in Google Workspace's Domain-Wide Delegation (DWD) feature, dubbed "DeleFriend". The flaw allows threat actors to exploit the DWD feature and potentially gain unauthorized access to Workspace APIs without needing super admin privileges. Successful exploitation could lead to data exfiltration from Gmail, Google Drive, and other services, impacting multiple identities within the Workspace domain.