Cyware Daily Threat Intelligence


Daily Threat Briefing September 4, 2023

SuperBear is a newly identified RAT used in targeted attacks that begin with spam emails tailored to the recipient. It was detected in an ongoing attack against civil society groups in South Korea, and the activity bears similarities to that of the North Korean nation-state actor Kimsuky. Separately, researchers identified a ransomware strain—reportedly a copy of Mimic ransomware—being deployed through unsecured MS SQL servers. The attackers behind it prefer RDP for connecting to victims' machines.

On the software security issues side, Nozomi Networks Labs uncovered and addressed nine vulnerabilities in Schweitzer Engineering Laboratories' software applications, posing risks like RCE, privilege escalation, and data exfiltration for users.

Top Breaches Reported in the Last 24 Hours

Over 100,000 Pima County residents impacted

A MOVEit-related data breach at Maximus Health Services Inc. has put the personal information of more than 100,000 local residents of Pima County, Arizona, at risk. Recently, the health services firm started to notify the victims whose telephone numbers, email addresses, IP addresses, COVID-19 test results, and more were compromised.

School district faces ransomware attack

The Chambersburg Area School District in Pennsylvania experienced a ransomware attack that disrupted its computer systems. The incident caused a temporary shutdown, with the district urging students to refrain from using Chromebook and iPad devices for the week. No ransomware gang has claimed responsibility for the attack so far. The district is still investigating the incident to determine the scope of the attack.

Freecycle requests change of passwords

Freecycle, an online community promoting the sharing of unwanted items, has advised its users to change their passwords after a hacking incident. The breach exposed user data, including usernames, user IDs, email addresses, and hashed passwords. Although specific details about the hashing algorithm and salting were not disclosed, Freecycle not only recommended changing passwords but also reminded users not to reuse passwords across different online accounts.

LockBit laid bare sensitive military data

The LockBit ransomware group has exposed 10GB of sensitive data related to British military and intelligence sites. The attack targeted Zaun, a manufacturer of fencing systems based in Wolverhampton, which confirmed that LockBit had managed to download some data during the attack. While Zaun does not believe classified documents were stored on the system, reports suggest that the leaked data includes information about sensitive sites such as a nuclear submarine base, a chemical weapons lab, and a communications complex.

Data of Indiana Medicaid members compromised

The personal information of over 200,000 Indiana Medicaid members may have been compromised in a security breach involving CareSource, a managed care entity based in Ohio. The breach, which occurred in late May, exposed data such as names, addresses, Social Security numbers, dates of birth, member health information, and more through the MOVEit Transfer application. Affected members are being contacted and credit monitoring options are being offered by CareSource.

Top Malware Reported in the Last 24 Hours

Novel SuperBear RAT targeting South Korea

Civil society organizations in South Korea bore the brunt of a phishing attack that used a new RAT called SuperBear. The intrusion targeted an undisclosed activist, who received a malicious LNK file in late August from a sender posing as a member of their organization. Upon execution, the LNK file triggers a series of actions, including fetching payloads from a compromised WordPress site. These include an AutoIt script that injects the previously unseen SuperBear RAT into a suspended Explorer.exe process.

DB#JAMMER campaign delivers new ransomware

A campaign named DB#JAMMER is abusing poorly secured MS SQL servers to distribute Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix revealed that the attackers gain initial access by brute-forcing credentials on an exposed MS SQL server, then perform reconnaissance, impair the system firewall, and establish persistence. They transfer malicious tools, including Cobalt Strike, and deploy AnyDesk software before ultimately distributing FreeWorld ransomware.
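As an added example (not from the briefing or from Securonix), a small detector for the brute-force stage described above: it reads SQL Server ERRORLOG-style logon lines, flags a client that racks up repeated failed logins inside a short window, and notes whether a login from that client later succeeded. The log lines are constructed samples, and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries in the shape of SQL Server ERRORLOG logon lines (not taken from the page).
FAIL = "Login failed for user '{u}'. Reason: Password did not match that for the login provided. [CLIENT: {c}]"
OK = "Login succeeded for user '{u}'. Connection made using SQL Server authentication. [CLIENT: {c}]"
SAMPLE_LOG = (
    ["2023-09-04 10:15:00.00 Server      SQL Server is starting at normal priority base (=7)."]
    + [f"2023-09-04 10:15:{10 + i:02d}.00 Logon       " + FAIL.format(u="sa", c="203.0.113.5") for i in range(6)]
    + ["2023-09-04 10:15:30.00 Logon       " + OK.format(u="sa", c="203.0.113.5"),
       "2023-09-04 10:20:05.00 Logon       " + FAIL.format(u="app_user", c="198.51.100.7"),
       "2023-09-04 10:20:09.00 Logon       " + FAIL.format(u="app_user", c="198.51.100.7")]
)

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_logon(line):
    """Return a dict for a logon line, or None for any other ERRORLOG entry."""
    m = LOGON_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "outcome": m["outcome"], "user": m["user"], "client": m["client"]}

def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside a sliding window; record a later success."""
    recent = defaultdict(deque)   # client -> timestamps of failures still inside the window
    failures = defaultdict(int)   # client -> total failed logins seen
    alerts = {}
    for line in lines:
        ev = parse_logon(line)
        if ev is None:
            continue
        c = ev["client"]
        if ev["outcome"] == "failed":
            failures[c] += 1
            q = recent[c]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold:
                alerts.setdefault(c, {"succeeded_after": False})
        elif c in alerts:
            alerts[c]["succeeded_after"] = True   # a password was guessed after the burst
    return {c: dict(a, failures=failures[c]) for c, a in alerts.items()}
```

A client flagged with `succeeded_after` set is the case worth paging on, since it matches the initial-access step that precedes the tooling and ransomware stages in this campaign.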

Top Vulnerabilities Reported in the Last 24 Hours

Schweitzer Labs' Windows software vulnerable

Schweitzer Labs' QuickSet and Grid Configurator software were found to be affected by four high-severity and five medium-severity vulnerabilities. QuickSet is used for configuring and managing devices for power system protection, monitoring, metering, and control, while Grid Configurator is used for creating, managing, and deploying settings for SEL power system devices. If exploited, the vulnerabilities could lead to remote code execution, privilege escalation, and data exfiltration.
