Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 26, 2023
A new remote access tool, named ZenRAT, has been discovered on a fake website mimicking Bitwarden. To add to the mystery, the installer claims to have been signed by Tim Kosse, a prominent open-source software developer. The malware harvests browser data, such as user credentials, which could be leveraged for potential breaches. Meanwhile, security experts have advised immediate patching of a high-severity vulnerability in JetBrains’s TeamCity CI/CD Tool to mitigate an RCE risk. The flaw poses a significant threat to the integrity of software releases and downstream users.
Additionally, cyber adversaries were observed actively exploiting a critical vulnerability in Openfire messaging servers to create admin accounts, install malicious Java plugins, and compromise servers with ransomware and cryptominers. The bug affects both old and recent versions of Openfire.
BlackCat cripples three entities
Ransomware group BlackCat has issued a warning on its leak site, claiming to be in possession of confidential patient data belonging to MNGI Digestive Health, a Minneapolis-based physician-owned gastroenterology practice. In a post dated September 24, BlackCat gave MNGI a 48-hour deadline to make contact before it would publish the stolen data. The group has also added Clarion and Phil-Data Business Systems Inc. to its victim list.
3.4 million patients’ data stolen
The Better Outcomes Registry & Network (BORN) in Ontario fell victim to a Cl0p ransomware attack. The breach stemmed from a zero-day vulnerability in Progress Software’s MOVEit Transfer. An investigation revealed that sensitive data of approximately 3.4 million people, primarily newborns and pregnancy care patients from January 2010 to May 2023, had been compromised. The exposed data includes personal details, health card numbers, care dates, lab results, and pregnancy-related information.
Cyberattack potentially affects 40 million
Progressive Leasing, a significant lease-to-own company with partnerships with major retailers, suffered a cyberattack. The attack may have exposed a substantial amount of PII, including SSNs, belonging to both customers and other individuals. Cybersecurity experts attribute the attack to the AlphV/BlackCat ransomware gang, who claim to have accessed data belonging to over 40 million customers. The full extent of the incident's impact is still under evaluation.
A new RAT lurks on Windows
Proofpoint has uncovered a new modular RAT called ZenRAT, distributed through counterfeit Bitwarden password manager installation packages. Capable of stealing information, ZenRAT specifically targets Windows users and redirects visitors on other platforms to benign web pages. The malware's distribution method remains unknown; however, similar fake software installers have historically been delivered through SEO poisoning, adware bundles, or phishing emails.
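The briefing's key detail about this campaign (in the summary above) is that the fake Bitwarden installer carries a signature from an individual developer rather than from Bitwarden. The following PowerShell check is an added example, not code from Cyware or Proofpoint: it verifies an installer's Authenticode signature and flags any file whose signer does not match the expected publisher. The expected-subject pattern `CN=Bitwarden` and the Downloads-folder path are assumptions to adjust for your environment.

```powershell
# Added example: triage downloaded installers by Authenticode signer.
# Assumptions: $ExpectedSubjectPattern is a constructed regex for the vendor's
# certificate subject; verify the real subject on a known-good installer first.
function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubjectPattern = 'CN=Bitwarden'   # assumption: vendor CN
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

    $result = [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer  = $subject
        Thumb   = $thumb
        Verdict = 'REVIEW'
    }

    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered, or untrusted chain: do not run it.
        $result.Verdict = "BLOCK: signature status $($sig.Status)"
    } elseif ($subject -notmatch $ExpectedSubjectPattern) {
        # A *valid* signature from the wrong party (e.g. an individual developer's
        # certificate on a "Bitwarden" installer) is the pattern described above.
        $result.Verdict = "BLOCK: signed by unexpected publisher '$subject'"
    } else {
        $result.Verdict = 'ALLOW'
    }
    return $result
}

# Usage: review every installer in the Downloads folder before anyone runs it.
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerPublisher -Path $_.FullName } |
    Format-Table -AutoSize
```

Pin the allowed thumbprint (the `Thumb` field) in addition to the subject pattern once you have confirmed it from a known-good download, since subject strings are easier to imitate than a specific certificate.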
Threat actors with multiple ransomware affiliations
ShadowSyndicate, a threat actor active since July 2022, has raised serious concerns among researchers after being found to collaborate with various ransomware groups and their affiliates. Employing a mix of off-the-shelf tools, including Cobalt Strike, IcedID, and the Sliver toolkit, the group has used at least 52 servers as Cobalt Strike C2 infrastructure. In multiple instances, Quantum, Nokoyawa, and ALPHV ransomware activity has been attributed to ShadowSyndicate with a high level of confidence. While connections between ShadowSyndicate and Cl0p/Truebot have been identified, the evidence for its affiliations with Royal, Cl0p, Cactus, and Play ransomware is weaker.
Authentication bypass flaw in JetBrains
JetBrains, the software development tool company, has issued a critical security advisory urging customers to apply updates addressing an authentication bypass vulnerability (CVE-2023-42793) in its TeamCity CI/CD tool. The flaw impacts on-premises TeamCity servers, which are considered high-value targets because of their access to source code and to data related to software builds and deployment. If exploited, an attacker with HTTP(S) access to the server could achieve remote code execution and gain administrative control of it.
Critical bug in Openfire servers exploited
Hackers have been spotted actively exploiting a high-severity vulnerability (CVE-2023-32315) in Openfire messaging servers to deploy ransomware and cryptominers. The widely used Java-based open-source chat server suffered from the authentication bypass flaw that allows unauthenticated attackers to create admin accounts. The flaw affects Openfire versions dating back to 2015, with fixes released in May 2023. Despite the release of patches, over 3,000 vulnerable servers were identified by mid-August 2023. Active exploitation was first observed in June 2023.
TikTok flooded with Temu referral scams
A wave of scams has emerged on TikTok, featuring fake celebrity photo leaks that lure users into downloading the Temu app and entering referral codes. Temu is an online megastore offering low-priced products, mainly shipped from China. To promote the site, Temu allows customers to generate referral links and numbers, which are now being exploited by scammers on TikTok. These scammers create videos promising to provide access to the leaked content of celebrities and prompt viewers to enter referral numbers to access it.