Cyware Daily Threat Intelligence

Daily Threat Briefing • September 15, 2023
A NodeStealer campaign has been found to be prevalent in segments of Southern Europe and North America. Cybercriminals are utilizing malicious Python scripts to pilfer Facebook user credentials and browser data through this campaign. Separately, a ransomware group has upgraded its arsenal by enhancing the BURNTCIGAR malware’s performance, posing a significant threat to businesses. BURNTCIGAR can exploit I/O control codes and terminate kernel-level processes.
In other news, a high-severity security vulnerability has been revealed in N-Able's Take Control agent. The flaw stems from a Time of Check to Time of Use (TOCTOU) race condition issue that can lead to unauthorized resource access and integrity loss.
Ransomware attack on a casino and hotel chain
Caesars Entertainment, a prominent Nevada-based casino and hotel chain, has reported a significant ransomware incident to the SEC. The breach, stemming from a social engineering attack on an IT support vendor, resulted in unauthorized access to its loyalty program database, potentially compromising driver’s license numbers and Social Security numbers of numerous members. A ransom of $15 million was reportedly paid to the Scattered Spider ransomware group.
LockBit ransomware hits major New York hospitals
The LockBit ransomware group has announced a successful attack on two major hospitals, Carthage Area Hospital and Claxton-Hepburn Medical Center, both serving a large population in upstate New York. The cyberattacks, occurring at the end of August, severely impacted hospital operations, leading to the diversion of emergency room patients and the rescheduling of appointments. LockBit has threatened to publish the stolen data on its Tor leak site by September 19.
U.S.-Canada water rights body impacted
The International Joint Commission (IJC), responsible for managing water rights along the U.S.-Canada border, has confirmed a cybersecurity incident after a ransomware gang, NoEscape, claimed to have stolen 80GB of sensitive data. While the IJC is working with relevant organizations to address the situation, specifics about the breach and data theft remain undisclosed. NoEscape has demanded a ransom and given the agency 10 days to respond.
Personal data of Manchester police out
A ransomware attack on a third-party supplier has led to the compromise of the personal details of thousands of officers from Greater Manchester Police (GMP) in the U.K. While no financial information or home addresses were exposed, the incident raises concerns about the personal data of officers, including those working undercover, falling into the hands of organized crime groups. The incident follows a similar one involving the Metropolitan Police Service in London.
Auckland Transport service comes to a halt
Auckland Transport (AT), New Zealand, is grappling with a widespread outage caused by a cyber incident. The disruption has impacted a range of customer services, particularly its HOP card services, which include integrated ticketing and fares systems. While AT suspects it was targeted by ransomware, investigations are ongoing. The incident has led to issues with online top-ups, Eftpos/credit card transactions, and customer service center functionality.
NodeStealer campaign targets Facebook credentials
A persistent campaign is actively targeting Facebook Business accounts with deceptive messages, seeking to harvest user credentials through a Python-based NodeStealer variant. The attacks are primarily directed at Southern Europe and North America, with a focus on manufacturing services and technology sectors. NodeStealer started as a JavaScript malware but has evolved to compromise Facebook, Gmail, and Outlook accounts.
Cuba operators unleash enhanced BURNTCIGAR malware
New versions of the BURNTCIGAR malware have been attributed to the Cuba ransomware group. These variants offer heightened stealth and functionality, including a custom downloader known as "komar65" or BugHatch that is deployed as a sophisticated backdoor in process memory. BugHatch connects to a command-and-control server, potentially facilitating the download of penetration testing tools like Cobalt Strike Beacon and Metasploit.
LokiBot malware exploits MS Office flaws
During the summer, researchers identified a surge in attacks employing malicious Microsoft Office documents to distribute the LokiBot malware. These attacks primarily targeted two vulnerabilities: CVE-2021-40444, a Microsoft Office MSHTML remote code execution flaw, and CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).
Memory corruption flaws in ncurses library
Researchers from Microsoft Threat Intelligence have identified memory corruption vulnerabilities in the ncurses library used in Linux and macOS systems. These flaws, collectively tracked as CVE-2023-29491 with a CVSS score of 7.8, could allow attackers to run malicious code and elevate privileges by manipulating environment variables. The flaws include stack information leaks, parameterized string type confusion, off-by-one errors, and denial-of-service risks.
High-severity flaw in N-Able Take Control
A high-severity security issue was discovered in N-Able's Take Control agent that allows an attacker to delete arbitrary files on a Windows system, potentially leading to code execution. The flaw, tracked as CVE-2023-27470, is a Time of Check to Time of Use (TOCTOU) race condition issue that could enable a local unprivileged attacker to gain SYSTEM privileges. Attackers could exploit this flaw to manipulate file deletion events and compromise system integrity.