Cyware Daily Threat Intelligence

Daily Threat Briefing • October 6, 2023
A highly severe Android threat hovers over banking customers in Vietnam. Dubbed GoldDigger, the malware targets users of dozens of financial apps, e-wallets, and crypto apps, abusing Android Accessibility Services to extract a variety of sensitive data. While currently focused on Vietnam, the trojan ships with Spanish and traditional Chinese translations, suggesting potential expansion plans. In another headline, semiconductor companies in East Asia came under the radar of cybercriminals who are using a previously undocumented malware downloader to deploy Cobalt Strike. Chinese actors are believed to be behind this attack campaign.
On the vulnerability side, the CISA has removed five vulnerabilities affecting Owl Labs Meeting Owl from its KEV catalog, citing "insufficient evidence" of exploitation. However, it has added a JetBrains TeamCity bug and a Microsoft Windows bug to the catalog. At least 74 unique IP addresses have attempted to exploit the JetBrains flaw.
23andMe investigates data breach
DNA testing company 23andMe is investigating a potential data breach after information about its customers was offered for sale on a cybercrime forum. The company has stated that unauthorized access to individual accounts led to the loss of user information. Preliminary findings suggest that attackers may have used login credentials leaked from other platforms to access the customers’ accounts. The exact scope of the data breach remains unclear.
Melbourne hospital exposed patient data
The Royal Women’s Hospital, Melbourne, experienced a data breach after cybercriminals gained unauthorized access to a staff member's private email account used for patient appointments and care coordination. A forensic investigation revealed that the personal details of 192 patients may have been accessed. While there was no breach of the hospital's official email or IT systems, the incident has raised concerns among affected patients.
Customer and employee data leak
Builders Mutual Insurance Co., a commercial construction underwriter based in North Carolina, experienced a data breach that exposed the personal information of 64,761 customers, current employees, and former workers. The breach was detected in December 2022, and the potentially compromised data included names, Social Security numbers, medical information, health insurance details, and workers' compensation data.
New threat targets banking apps and crypto-wallets
Researchers have discovered a new Android trojan called GoldDigger that primarily targets users of over 50 Vietnamese banking apps, as well as e-wallets and crypto-wallets. The trojan disguises itself as a fake Android application, impersonating a Vietnamese government portal and a local energy company. Once installed, it requests access to the Android Accessibility Service, which allows it to steal sensitive information, intercept SMS messages, and exfiltrate them to a command-and-control server.
Malware attack hits East Asia companies
A China-linked threat actor, believed to be Lucky Mouse (APT27), is targeting semiconductor companies in East Asia using lures impersonating Taiwan Semiconductor Manufacturing Company (TSMC). The attackers use the HyperBro backdoor to deploy Cobalt Strike beacons, along with a previously undocumented malware downloader. The attack involves social engineering techniques, such as using a TSMC-themed PDF document as a decoy to minimize suspicion.
Lorenz group leaks two years' worth of contact data
The Lorenz ransomware group inadvertently exposed the details of individuals who contacted it through its online contact form over the past two years. A security researcher discovered an issue on Lorenz's leak site that laid bare its backend code. The exposed data includes names, email addresses, and subject lines from the form submissions of individuals who sought information from Lorenz. The misconfiguration appeared to persist despite Lorenz's closure of its online contact form.
Owl Labs' Meeting Owl flaw removed from CISA’s record
The CISA has removed five vulnerabilities affecting Owl Labs' Meeting Owl smart video conferencing product from its Known Exploited Vulnerabilities (KEV) Catalog. These vulnerabilities, discovered by Swiss cybersecurity firm Modzero, included issues such as inadequate encryption and hardcoded credentials. While the CISA had initially added them to the KEV catalog, it later removed them, citing insufficient evidence of exploitation. Additionally, there were no public reports of the flaws being exploited over Bluetooth, the attack path they require.
JetBrains and Microsoft bugs added to KEV
The CISA added two security flaws to its KEV catalog due to active exploitation. CVE-2023-42793, with a CVSS score of 9.8, is an authentication bypass vulnerability affecting JetBrains TeamCity. The other flaw, CVE-2023-28229, rated 7.0 on the CVSS scale, is a privilege escalation vulnerability in Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service. There are no documented in-the-wild exploitation cases for CVE-2023-28229; CISA has deemed its "exploitation less likely."
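The practical follow-up to a KEV addition or removal is to reconcile the current catalog against your own scan results and surface anything with a remediation due date. The script below is an added example, not code from Cyware or CISA. It assumes the public field names of CISA's known_exploited_vulnerabilities.json (cveID, vendorProject, product, dueDate, and so on); the feed fragment and scanner output are constructed inline, with the two CVE IDs taken from the briefing and every date, hostname and the non-KEV CVE ID being placeholders.

```python
"""Reconcile a KEV feed against vulnerability scan results (added example)."""
import json
from datetime import date

# Constructed fragment in the shape of CISA's known_exploited_vulnerabilities.json.
# CVE IDs and products come from the briefing; dates are placeholders.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-42793", "vendorProject": "JetBrains", "product": "TeamCity",
         "vulnerabilityName": "JetBrains TeamCity Authentication Bypass Vulnerability",
         "dateAdded": "2023-10-04", "dueDate": "2023-10-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-28229", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows CNG Key Isolation Service "
                              "Privilege Escalation Vulnerability",
         "dateAdded": "2023-10-04", "dueDate": "2023-10-25",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one record per host with the CVE IDs it reported.
# CVE-2000-0000 is a placeholder for a finding that is not in the KEV catalog
# (for instance one of the removed Owl Labs entries).
SCAN_RESULTS = [
    {"host": "ci01.example.internal", "cves": ["CVE-2023-42793", "CVE-2000-0000"]},
    {"host": "ws-17.example.internal", "cves": ["CVE-2023-28229"]},
    {"host": "owl-01.example.internal", "cves": ["CVE-2000-0000"]},
    {"host": "db02.example.internal", "cves": []},
]


def load_kev(feed_text: str) -> dict:
    """Index the KEV feed by CVE ID so lookups are O(1)."""
    data = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def match_kev(kev: dict, scan_results: list, today: date) -> list:
    """Return one finding per (host, CVE) pair that appears in the KEV catalog,
    sorted so the least time to the CISA due date comes first."""
    findings = []
    for record in scan_results:
        for cve in record["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # scanner finding, but not on the exploited list
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": record["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


def overdue_hosts(findings: list) -> list:
    """Hosts that still carry a KEV entry past its remediation due date."""
    return sorted({f["host"] for f in findings if f["overdue"]})


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED)
    for f in match_kev(catalog, SCAN_RESULTS, date(2023, 10, 6)):
        status = "OVERDUE" if f["overdue"] else f'{f["days_left"]}d left'
        print(f'{f["host"]:<26} {f["cve"]:<16} {f["product"]:<20} due {f["due"]} ({status})')
```

Running it against the live feed is a matter of replacing KEV_FEED with the downloaded JSON and SCAN_RESULTS with your scanner's export; the point of keying on dueDate rather than CVSS is that KEV membership, not score, is what drives the federal remediation deadline, and the 7.0 CNG bug in the briefing gets the same due date as the 9.8 TeamCity one.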
100,000 ICS exposed on public web
Approximately 100,000 Industrial Control Systems (ICS) were discovered exposed to unauthorized access over the public internet. These exposed ICSs include components of critical infrastructure such as power grids, traffic light systems, security systems, and water systems. Cybersecurity firm BitSight noted that this exposure affects several Fortune 1000 companies across 96 countries. The U.S., Canada, Italy, the U.K., and France are among the most exposed countries.