Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 21, 2023
The security of industrial control systems has come under scrutiny as a Japanese electronics company addressed PLC and engineering software vulnerabilities while analyzing a malware intrusion from last year. These include a high-severity bug in Omron PLCs using the FINS protocol and a pair of medium-severity flaws in Omron engineering software, which may lead to arbitrary code execution. A series of warnings has also been released against different threat groups. While U.S. federal agencies alerted organizations to a spike in ransomware attacks by the Snatch group, Canadian authorities urged everyone to stay cautious of imminent DDoS attack attempts by NoName057(16).
Additionally, Android malware mayhem grips Singaporeans with 750 victims and a staggering loss of $10 million. The malware's unique twist is performing a factory reset, erasing evidence, and leaving victims with both a compromised device and potential financial loss.
DDoS attack cripples Canadian airports
A suspected pro-Russia hacking group is believed to have conducted a DDoS attack resulting in significant service disruptions at multiple Canadian airports. The Canada Border Services Agency (CBSA) confirmed that the attack affected check-in kiosks and airport electronic gates. Last week, NoName057(16) claimed responsibility for various cyberattacks on Canadian organizations, including the CBSA. The Canadian Centre for Cyber Security issued a warning about DDoS campaigns targeting government, financial, and transportation sectors.
French group Exail exposes database credentials
Exail, a French high-tech industrial group specializing in robotics, maritime, navigation, aerospace, and photonics technologies, inadvertently exposed a publicly accessible environment (.env) file containing database credentials and information about its web server's operating system. Cybernews researchers discovered the exposure on the exail.com website. While the database wasn't open to the public, if accessed, it could have allowed attackers to view, modify, or delete sensitive data.
HiddenGh0st: A persistent threat against Chinese users
ASEC has identified HiddenGh0st, a variant of the Gh0st RAT, distributing the Hidden rootkit. This variant primarily targets poorly managed MS-SQL servers and is designed to conceal its presence and steal sensitive information. HiddenGh0st, active since at least 2022, exhibits advanced capabilities, including installing Mimikatz for harvesting account credentials. Chinese users are suspected to be the primary targets due to the malware’s ability to steal information from QQ Messenger, widely used in China.
FBI, CISA warn about Snatch ransomware
The FBI and the CISA have issued a joint advisory warning organizations about Snatch ransomware tactics, including its abuse of RDP credentials to gain access to Windows systems. The advisory also provides indicators of compromise for monitoring and protection. The group recently claimed the Florida Department of Veterans Affairs as one of its latest victims, although the extent of the data breach remains unverified. Data theft and double-extortion tactics are common among Snatch affiliates.
Critical Omron bugs fixed
Omron, a Japanese electronics giant, has addressed critical vulnerabilities in its programmable logic controllers (PLCs) and engineering software. The vulnerabilities came to light after experts studied a BadOmen malware attack on Omron NX/NJ controllers in which attackers exploited CVE-2022-34151. CISA and Omron have issued advisories regarding the vulnerabilities tracked as CVE-2022-45790, CVE-2022-45793, and CVE-2018-1002205. The first is a high-severity issue susceptible to brute-force attacks. The other two are medium-severity flaws allowing file alteration and code execution.
New Android malware scam behind $10 million loss
Singapore Police have issued cybersecurity warnings regarding a new scam distributing Android malware that not only engages in bank fraud but also executes factory resets on infected devices. Over 750 victims have been affected, resulting in over $7.3 million in financial losses. The attack begins with seemingly innocent advertisements on social media platforms like Facebook and Instagram, luring victims into downloading an APK file. Once installed, the malware secretly steals internet banking credentials while urging victims to make small payments.