Cyware Weekly Threat Intelligence - April 17–21

Weekly Threat Briefing • Apr 21, 2023
Cyberattacks continue to grow in complexity, with increasingly severe consequences. Protecting systems against them therefore requires a collaborative effort from individuals, organizations, and law enforcement authorities. Keeping this in view, the agencies of the Five Eyes countries have issued a cybersecurity best practice guide to improve the security posture of smart city systems. Meanwhile, the EU Commission is working on new security regulations with the aim of boosting defense and establishing a common incident response plan across EU member states.
The CISA, in collaboration with the NSA, the FBI, the NCSC-UK, the ACSC, the CCCS, and the NCSC-NZ, has issued guidelines on best cybersecurity practices for smart cities. The guide provides an overview of the risks associated with the ICT supply chain, interconnected attack surfaces, and the increased use of automation in operations.
The European Commission has published the first draft of its Cyber Solidarity Act, which focuses on improving cybersecurity across EU member states and establishing a common incident response plan. The new regulations cover three major areas: the establishment of a European Cybersecurity Shield, the introduction of a new Cyber Emergency Mechanism, and the creation of a Cybersecurity Incident Review Mechanism.
The HHS cybersecurity task force has updated the Health Industry Cybersecurity Practices (HICP) with three new resources to help healthcare organizations address cybersecurity risks effectively. The HICP 2023, which is based on inputs from more than 150 industry experts, includes a free educational platform to train staff on social engineering, malicious data loss, identity theft, and more.
ESET researchers, with the help of GitHub, have temporarily disrupted the operations of RedLine Stealer. The experts managed to pull off this act as the malware used GitHub repositories as dead-drop resolvers in the control panel. ESET shared this finding with GitHub, which immediately suspended the repositories.
Despite the positive developments, the cybersecurity space witnessed some massive data leak incidents arising from misconfigured cloud assets. More than 8,000 poorly secured servers were found exposing sensitive information such as login credentials, database backups, and configuration files online. On the other hand, an unprotected database belonging to the Philippine National Police laid bare over 1.2 million records containing personal details and tax identification numbers of its employees. Researchers also warned about obsolete routers leaking corporate network information, which increases the chance of fraudulent schemes.
A misconfigured database exposed more than 1.2 million police records on the internet. The database also included 800 GB of information on people who applied for employment in law enforcement in the Philippines, along with documents on tax identification numbers of law enforcers. It is believed that the database had been left exposed for at least six weeks.
Network infrastructure provider CommScope confirmed suffering a ransomware attack that took place last month. Vice Society had claimed responsibility for the attack and for stealing the sensitive data of over 30,000 employees.
Capita, a London-based corporation, admitted to a ransomware attack that may have compromised the data of some of its staff, potential customers, and vendors. Meanwhile, BlackBasta claimed responsibility for the attack and added that it has put sensitive data stolen from the firm up for sale. This includes bank account information, addresses, and passport photos.
Researchers indexed more than 8,000 misconfigured servers that exposed sensitive information and database backups to the public. Furthermore, over 18,000 comma-separated value files and another 2,000 SQL database files could be accessed without any authentication. This huge volume of exposed data can be used by attackers to launch further attacks.
Researchers warned that decommissioned core routers from Cisco, Juniper, and Fortinet were found leaking corporate network information, including credentials and data on applications, customers, vendors, and partners. The applications exposed in the routers included Microsoft SharePoint, Microsoft Exchange, Spiceworks SQL, VMware Horizon View, and Salesforce.
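A pre-disposal check like the one the router finding above calls for, written as an added example rather than code from the briefing or the researchers: it scans a constructed Cisco IOS-style configuration for residual credentials, pre-shared keys, and internal addressing that would reveal the network layout, and reports whether the device is safe to hand over. The configuration lines and all values in it are hypothetical.

```python
import re

# Constructed sample of an IOS-style running-config, as a decommissioned
# router might still hold it. Every value here is hypothetical.
SAMPLE_CONFIG = """\
hostname core-rtr-01
enable secret 5 $1$abcd$wxyz1234567890ABCDEF
username admin privilege 15 password 7 094F471A1A0A
snmp-server community public RO
snmp-server community s3cr3tRW RW
tacacs-server host 10.0.0.5 key 7 121A0C041104
ip route 10.20.0.0 255.255.0.0 10.0.0.1
ip name-server 10.0.0.53
interface GigabitEthernet0/0
 description Uplink to DC-EXCHANGE-01
 ip address 10.0.1.1 255.255.255.0
"""

# Residual material that should never leave the building: credentials and
# shared keys, plus internal addressing that maps the network for an outsider.
FINDING_PATTERNS = [
    ("enable_secret", re.compile(r"^enable (?:secret|password) ", re.M)),
    ("local_user_credential", re.compile(r"^username \S+ .*password ", re.M)),
    ("snmp_community", re.compile(r"^snmp-server community \S+", re.M)),
    ("aaa_server_key", re.compile(r"^(?:tacacs|radius)-server host \S+ key ", re.M)),
    ("internal_route", re.compile(r"^ip route \S+", re.M)),
    ("interface_address", re.compile(r"^\s+ip address \d", re.M)),
]


def audit_config(text: str) -> dict:
    """Count the config lines still present in each sensitive category."""
    return {name: len(pat.findall(text)) for name, pat in FINDING_PATTERNS}


def is_sanitized(text: str) -> bool:
    """True only when no category has a remaining match, i.e. safe to dispose."""
    return not any(audit_config(text).values())


if __name__ == "__main__":
    for name, count in audit_config(SAMPLE_CONFIG).items():
        if count:
            print(f"{name}: {count} line(s) still present")
    print("sanitized" if is_sanitized(SAMPLE_CONFIG) else "NOT sanitized: wipe before disposal")
```

Run it against the output of `show running-config` (and the startup config) before a device is sold, returned, or recycled; a non-empty report means the flash still needs to be erased.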
Point32Health, a New England health insurance firm, is dealing with a ransomware attack that impacted several of its systems. The firm detected the attack on April 17 after it was unable to access the systems for service members, accounts, brokers, and providers. Upon detecting the unauthorized activity, it proactively took certain systems offline to contain the threat.
Payment processing giant NCR disclosed that it was a victim of a ransomware attack that occurred last weekend. This caused a PoS outage and affected multiple companies using the service. One of the affected systems was Aloha, the payments service which is used by multiple restaurants.
Microsoft uncovered a Remcos RAT campaign that targeted organizations dealing with tax preparation, financial services, CPA, bookkeeping, and accounting. As part of the campaign, the attackers relied on legitimate links that redirected recipients to fake tax documents sent by clients.
Besides data leaks, a surge in the adoption of new attack tactics and techniques was also observed this week. While the MuddyWater APT was found abusing yet another legitimate tool, SimpleHelp, to bypass traditional security checks, the Play ransomware group upgraded its arsenal with two new .NET tools to improve the effectiveness of its attacks. Furthermore, a hacking tool, dubbed AuKill, came in handy for intruders deploying backdoors and ransomware in BYOVD attacks.