
Cyware Daily Threat Intelligence


Daily Threat Briefing Nov 30, 2023

The Kimsuky group is back with a new technique. The threat group is now distributing malware to South Korean research institutes through a malicious JSE file camouflaged as an import declaration. The Zoom video conferencing platform is in the headlines for a sensitive security issue in Zoom Rooms that could allow attackers to hijack a Zoom Room's service account and gain unauthorized access to confidential information in Team Chat, Whiteboards, and other Zoom applications. To address the issue, Zoom removed the ability to activate Zoom Rooms accounts.

Moving on. Three severe command injection vulnerabilities have been uncovered in Zyxel NAS products, posing a risk of unauthorized execution of system commands. Also, read about the CACTUS ransomware in action: it exploits flaws in a cloud analytics and business intelligence platform to break in and exfiltrate data.

Top Breaches Reported in the Last 24 Hours

King Edward VII Hospital hacked

The Rhysida ransomware group has claimed responsibility for breaching the network of King Edward VII Hospital in London. As proof of the hack, the group published images of stolen documents, including medical reports, X-rays, and registration forms. Rhysida claims to have stolen a substantial amount of sensitive data belonging to patients, employees, and the Royal Family, and the operators have threatened to release it publicly.

Data Breach impacts two million

Discount store chain Dollar Tree experienced a data breach affecting almost two million people following a security incident at its service provider, Zeroed-In Technologies. The breach occurred between August 7 and 8, 2023, and exposed the personal information of Dollar Tree and Family Dollar employees, including names, dates of birth, and Social Security numbers.

Attack on the National Archives of Israel

The National Archives of Israel website was targeted in a cyberattack by the CyberToufan group, disrupting search services and compromising user information. While some functions remain operational, the hackers claimed to have leaked details of over 10,000 Israeli researchers and government employees. The attack adds to the escalating frequency of cyber incidents in Israel amid heightened geopolitical tensions.

Cyberattack hits New Jersey hospitals

Capital Health, operating hospitals in Trenton and Hopewell, New Jersey, faces a cybersecurity issue causing network outages. While patient care continues, disruptions affect elective surgeries, outpatient radiology, and some cardiology testing. Experts suggest it may be a ransomware attack, noting the financial motivations behind such incidents. The hospital anticipates operating with system limitations for at least a week.

Top Malware Reported in the Last 24 Hours

Malware distributed using personal information bait

ASEC identified a malware distribution case that uses a 'personal information for sale' lure as bait. The attackers' site hosts files named with investment-related keywords, such as 'reading,' 'unlisted,' 'day trading,' and 'mid to long term.' The files claim to contain personal information, including names, phone numbers, investment amounts, and credit ratings. Users who download and open them unknowingly execute malicious scripts that install malware giving the attacker remote control of the system.

Malicious JSE File disguised as import declaration

ASEC has uncovered a new campaign by the Kimsuky threat group targeting research institutes in South Korea. The threat actors distribute a malicious JSE file disguised as an import declaration. The JSE file contains an obfuscated PowerShell script, a Base64-encoded backdoor, and a seemingly legitimate decoy PDF named 'Import Declaration.PDF.' Once the script runs, it drops the backdoor, which collects system information, checks the status of installed anti-malware products, and uploads the data to the command-and-control server.
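A dropper of the shape described above (a script carrying Base64-encoded blobs plus a hand-off to PowerShell) can be triaged statically before anything is executed. The following is an added example written for this briefing, not code from ASEC or from the campaign itself: it pulls every long Base64 run out of a script, decodes the valid ones, labels each by its magic bytes (PE, PDF, ZIP, text), and flags PowerShell and WScript indicators. The sample JSE text and the two embedded blobs are constructed here from a PDF header and a bare MZ stub; they are synthetic stand-ins, not the real decoy or backdoor.

```python
import base64
import binascii
import re

# Constructed sample standing in for the described dropper: a decoy PDF and a
# "backdoor" executable both embedded as Base64 strings. The bytes are
# synthetic (a PDF header and a bare MZ/PE stub), not real malware.
FAKE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
FAKE_PE = b"MZ" + b"\x90" * 58 + b"\x80\x00\x00\x00" + b"PE\x00\x00" + b"\x00" * 40

SAMPLE_JSE = (
    'var sh = new ActiveXObject("WScript.Shell");\n'
    'var decoy = "' + base64.b64encode(FAKE_PDF).decode() + '";\n'
    'var bd = "' + base64.b64encode(FAKE_PE).decode() + '";\n'
    'sh.Run("powershell -ep bypass -w hidden -c " + decodeStage(bd), 0, false);\n'
)

# Base64-alphabet runs long enough to be a payload rather than an identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators of a script-to-PowerShell hand-off and of WScript shell use.
PS_INDICATORS = re.compile(r"powershell|-ep bypass|-w hidden|-enc", re.I)
ACTIVEX_INDICATORS = re.compile(r"ActiveXObject|WScript\.Shell", re.I)


def classify_blob(blob: bytes) -> str:
    """Label a decoded blob by its leading magic bytes."""
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"%PDF"):
        return "pdf"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    try:
        blob.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def extract_payloads(script: str):
    """Find Base64 runs in a script, decode the ones that are valid Base64,
    and return (kind, size_in_bytes) for each in order of appearance."""
    found = []
    for m in B64_RUN.finditer(script):
        token = m.group(0)
        try:
            blob = base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # a long identifier or truncated string, not Base64
        found.append((classify_blob(blob), len(blob)))
    return found


def triage_jse(script: str) -> dict:
    """Summarise what a JSE/JS dropper carries: embedded payloads plus
    whether it hands off to PowerShell or uses a WScript shell object."""
    payloads = extract_payloads(script)
    return {
        "payloads": payloads,
        "invokes_powershell": bool(PS_INDICATORS.search(script)),
        "uses_wscript_shell": bool(ACTIVEX_INDICATORS.search(script)),
        "drops_decoy_document": any(k == "pdf" for k, _ in payloads),
        "drops_executable": any(k == "pe" for k, _ in payloads),
    }


if __name__ == "__main__":
    print(triage_jse(SAMPLE_JSE))
```

On a real sample, a PDF blob next to a PE blob and a PowerShell invocation is the combination worth escalating: the document is the decoy, the executable is the stage that talks to the C2. The 40-character threshold keeps ordinary identifiers out of the candidate set; lower it if the dropper splits its payload into short concatenated chunks, and join the chunks first.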

CACTUS ransomware exploits Qlik Sense flaws

A CACTUS ransomware campaign has been identified exploiting vulnerabilities in the Qlik Sense cloud analytics and business intelligence platform. Arctic Wolf researchers revealed that the attacks leverage three flaws, an HTTP request tunneling vulnerability (CVE-2023-41265), a path traversal vulnerability (CVE-2023-41266), and an unauthenticated remote code execution flaw (CVE-2023-48365), to gain an initial foothold on systems. Following successful exploitation, the threat actors abuse the Qlik Sense Scheduler service to download additional tools, establish persistence, and achieve remote control.

Top Vulnerabilities Reported in the Last 24 Hours

Zoom Rooms bug exposes organizations

A critical vulnerability was discovered in Zoom Rooms that allows attackers to seize control of a Zoom Room's service account. Once exploited, attackers can hijack meetings, manipulate contacts, access whiteboards, and extract sensitive data from Team Chat channels without being detected. The flaw stems from the Zoom Rooms service account identifier being derived directly from the account of the user holding the Owner role.

Zyxel NAS devices plagued by critical flaws

Zyxel NAS products are affected by three critical command injection vulnerabilities that pose severe security risks. The flaws, tracked as CVE-2023-35138, CVE-2023-37928, and CVE-2023-4473, allow threat actors to execute system commands, in some cases without authentication and in others after authenticating. Exploitation involves sending crafted HTTP requests or URLs to the affected devices. Zyxel has released patches for all three vulnerabilities.

Top Scams Reported in the Last 24 Hours

Booking[.]com users targeted

Customers of Booking[.]com are falling victim to a sophisticated scam, according to cybersecurity firm Secureworks. The scam starts with the cybercriminals targeting the website's partner hotels with phishing emails that claim to come from guests who left valuable items during their stay. The emails deliver the Vidar infostealer, which gives the attackers access to the hotel's Booking[.]com partner portal account. Once a hotel account is compromised, the scammers use it to send phishing emails to that hotel's customers, threatening reservation cancellations unless payment information is provided urgently.
