Cyware Weekly Threat Intelligence - December 11–15
Weekly Threat Briefing • Dec 15, 2023
As the cyber threats landscape continues to grow grim, proactive measures are being taken to mitigate potential impacts. Amidst the surge in software supply chain attacks, U.S. government agencies have issued a guideline for the safe use of SBOMs and open-source repositories. Separately, MITRE launched a new threat model framework, named EMB3D, to address threats against OT and ICS.
MITRE unveiled a novel threat model framework named EMB3D to help government agencies and private organizations safeguard their Operational Technology (OT) and Industrial Control Systems (ICS). It offers a knowledge base of cyber threats to embedded devices, enabling users to map these threats to vulnerabilities using frameworks such as CWE, CVE, and MITRE ATT&CK. The framework suggests mitigations, emphasizing technical mechanisms that device vendors can implement against specific threats. It is set for public release in early 2024.
U.S. lawmakers allocated $874.2 billion for the 2024 National Defense Authorization Act, a portion of which will be used to refine defensive and offensive cyber skill sets. These include creating a cross-functional team to defend against threats to Nuclear Command, Control, and Communications (NC3), developing robust cyber support mechanisms, and creating a bureau chief data officer program to improve data fluency.
The NSA, the ODNI, the CISA, and industry partners released a joint advisory to bolster security against software supply chain attacks. The guidance primarily covers how to manage and maintain SBOMs and open-source software. Additionally, it provides details on things to consider when adopting open-source software and on distributing approved software components using an SBOM.
Microsoft's Digital Crimes Unit seized multiple domains operated by the Vietnam-based Storm-1152 cybercrime group, which sold over 750 million fake Microsoft accounts and tools, generating millions in illegal profits through fake websites and social media. These fake accounts were further used as a channel to conduct mass phishing attacks, identity theft, and DDoS attacks.
Database security is back in the limelight as DonorView and Dubai Taxi Company were found leaking a trove of sensitive data from their databases. Meanwhile, several top institutions and firms, such as Kyivstar, Toyota Financial Services, and Americold, fell victim to cyberattacks.
Tri-City Medical Center, California, which resumed operations 17 days ago after a ransomware attack, is facing ongoing extortion attempts by the INC RANSOM group. The group claimed to possess stolen records from the hospital, posting proof on the dark web. The documents included prior authorization forms, financial records, and patient information. While the extent of the data breach remains unclear, there is no confirmation that the hospital's EMR system was accessed.
A misconfigured database owned by the fundraising platform DonorView exposed nearly one million records that contained addresses, names, phone numbers, emails, and payment methods of donors. The records also contained sensitive details, such as medical information, images, and names of attending doctors, of children.
The Dubai Taxi Company left a MongoDB database open to the public, exposing a trove of sensitive information about 197K users and 23K drivers. The exposed details included banking details, email addresses, phone models, login credentials, driver’s license numbers, work permit numbers, and the nationality of users and drivers.
Ukrainian telecom operator Kyivstar was the target of a cyberattack that knocked its internet access and mobile communications offline. Market analysis firm Telegeography calculated that roughly half of Ukraine's mobile subscriber base was compromised during the incident. However, the operator confirmed that the personal data of subscribers was not compromised.
Researchers uncovered hundreds of fake profiles on LinkedIn, targeting professionals at companies in Saudi Arabia. As part of the campaign, attackers leveraged well-connected synthetic identities to create fraudulent profiles and later sent contact requests to victims to steal their contact lists and other information.
A ransomware attack on cold storage giant Americold affected nearly 130,000 people, including the information of current and former employees. Investigation revealed that details like names, addresses, Social Security numbers, passport numbers, financial information, and medical information were compromised in the incident.
Sony initiated an investigation into an alleged ransomware attack on its subsidiary Insomniac Games after the Rhysida threat actor threatened to sell the stolen data if a ransom of $2 million was not paid within seven days. Meanwhile, officials believe that no other Sony Interactive Entertainment (SIE) or Sony divisions were impacted by the incident.
Toyota Financial Services disclosed a data breach that exposed the personal and financial data of customers. The incident occurred after threat actors gained unauthorized access to Kreditbank’s systems and stole the full names, residence addresses, contact information, and lease-purchase details of customers.
Kentucky-based Norton Healthcare confirmed that attackers stole around 2.5 million users’ data in the May ransomware attack. The data included driver’s licenses, government ID numbers, financial information, and digital signatures of people. Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries were also impacted by the incident.
A new wave of BazarCall attacks used Google Forms to install malware on victims’ systems. The forms were sent via phishing emails and included details of fake transactions, such as the invoice number, date, and payment method, to create a sense of urgency among recipients. To cancel the subscription or raise a dispute, recipients were urged to call a toll-free number, which was a threat actor’s phone number. At the final stage, the victim was tricked into installing BazarLoader malware onto their systems.
In an update, the Idaho National Laboratory revealed that the sensitive information of 45,047 current and former employees and their spouses and dependents was affected in the cyberattack that occurred on November 20. The exposed information includes names, SSNs, salary information, and banking details of individuals.
Healthcare device manufacturer LivaNova PLC fell victim to the LockBit ransomware group. The attack, detected on December 9, allegedly exposed a substantial 2.2TB of sensitive data, including product specifications, employee information, financial documents, and more. The threat actor has uploaded the stolen data to its leak site and set a deadline for its potential public release.
Food and beverage company Kraft Heinz started an investigation into a cyber incident after the Snatch ransomware group added the organization’s name to its victim list. However, the company did not verify the attackers’ claim and stated that the criminals appeared to have targeted a decommissioned marketing site hosted on an external platform.
Ledger revealed that attackers pushed a malicious version of its Ledger dApp Connect Kit library to steal $600,000 in crypto and NFTs. The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet. It’s not immediately clear how many people fell victim to the hack.
This week, Lazarus and Fancy Bear expanded their malware arsenals to target more organizations. While Lazarus introduced three DLang-based malware families, Fancy Bear was linked to the use of the custom HeadLace backdoor. Elsewhere, SOHO routers came under attack by the operators of KV-Botnet, and NKAbuse registered itself as the first-ever malware to abuse the NKN blockchain.