Cyware Weekly Threat Intelligence - February 05–09

Weekly Threat Briefing • Feb 9, 2024
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Feb 9, 2024
In a week of significant cybersecurity developments, the Linux Foundation introduced the Post-Quantum Cryptography Alliance with industry behemoths such as Google and IBM. Parallelly, the U.S. government took a decisive stand against the global misuse of commercial spyware, implementing visa restrictions on individuals linked to espionage activities that have ensnared governments and corporations worldwide.
The Linux Foundation announced a new initiative called the Post-Quantum Cryptography Alliance, with industry partners like Google, IBM, Amazon Web Services, and Cisco. This initiative responds to the potential security threats posed by quantum computing, which could render current cryptographic practices insufficient.
The U.K and France will host a diplomatic conference to address the proliferation of commercial cyber intrusion tools, with 35 nations and big tech leaders participating.
The U.S. government set forth global visa restrictions on individuals involved in the misuse of commercial spyware, targeting governments and companies around the world, including major U.S. allies like Israel, India, Jordan, and Hungary.
Google and the Singapore government announced a collaborative move to roll out a new security feature in Google Play Protect to block the installation of potentially risky side-loaded apps in order to combat growing scam problems in the country.
Cybersecurity challenges escalated as Hyundai Motor Europe admitted to a ransomware attack by the Black Basta group, with claims of 3TB of stolen corporate data. In a separate incident, HPE grappled with allegations of sensitive data theft by a threat actor named IntelBroker, prompting a thorough investigation that traced the compromised data back to a test environment. Meanwhile, Dutch intelligence agencies disclosed a sophisticated cyberattack by Chinese state-backed attackers on Dutch military systems, exploiting a zero-day vulnerability in Fortinet VPN technology.
SEIU Local 1000, a major California union, confirmed network disruptions following a cyber incident. The LockBit ransomware group claimed to have stolen 308GB of sensitive data, including SSNs and financial documents. Despite disruptions, the union asserts continued advocacy for workers' rights amidst ongoing operations, emphasizing resilience against coordinated attacks.
Hyundai Motor Europe confirmed a ransomware attack by Black Basta threat actors, who claim to have stolen 3TB of corporate data. Initially downplayed as IT issues, Hyundai later acknowledged the breach, citing unauthorized access to a portion of its network. While the type of data impacted remains undisclosed, stolen folder lists hint at sensitive information across legal, sales, human resources, accounting, IT, and management departments.
Korneuburg Municipality in Austria reported being targeted by a ransomware attack. This incident resulted in the cancellation of funerals and the town hall's announcement that its staff is only reachable via telephone. Media outlets indicate that the attack has impacted all data managed by the administration, including the backup system.
Lurie Children's Hospital in Chicago experienced a cyberattack, leading to the temporary shutdown of IT systems. The incident affected the internet, email, phone services, and access to the MyChat platform. Although the hospital remains open and focused on delivering patient care, the cyber incident has caused delays in scheduled procedures, unavailability of certain medical test results, and disruptions in prescription processes.
German company AnyDesk Software GmbH confirmed a security breach involving the compromise of its production systems. The company plans to revoke the previous code signing certificate for its binaries. It has already revoked all security-related certificates and is recommending users change their passwords for the web portal. AnyDesk assured users that, despite the incident, there is no evidence of affected end-user devices.
A threat actor, named IntelBroker, allegedly stole HPE credentials and sensitive data and offered it for a price. While no evidence of intrusion has been found, HPE has taken the claims seriously. HPE urges caution and continues its investigation. An update from HPE indicates that the data offered for sale was obtained from a test environment, not production systems.
Escape's security research team uncovered over 18,000 exposed API secrets, with 41% posing high financial risks. The findings, spanning diverse platforms like Stripe, GitHub, AWS, and more, underline the growing challenge of API secret sprawl. GitGuardian's report noted a 67% surge in secret exposure on GitHub alone in 2023. The research firm emphasized the need for comprehensive security measures beyond code repositories.
Group-IB discovered a large-scale malicious campaign targeting job search and retail websites primarily in the APAC region. Dubbed ResumeLooters, the group employed SQL injection and XSS attacks to compromise at least 65 websites between November and December 2023. The stolen data included over 2 million unique emails and other records. The group utilized penetration testing frameworks and open-source tools to execute their attacks.
Dutch intelligence agencies revealed that Chinese state-backed hackers breached Dutch military systems in early 2023, utilizing a zero-day exploit in a Fortinet VPN. The attack targeted a segmented network with limited users, stealing user account data from the Active Directory server. The backdoor malware used for persistence was Coathanger, specifically tailored for FortiGate appliances. Despite applying patches, the devices may still be infected, necessitating system reformatting.
Verizon notified more than 63,000 individuals, mostly current employees, of a breach where an insider accessed personal data without authorization. The incident, attributed to "inadvertent disclosure" and "insider wrongdoing," exposed names, addresses, SSNs, and other sensitive information. There's no indication of malicious intent or external sharing, an investigation revealed.
Raspberry Robin malware operators adopted a shift in strategy, who now expedite their attacks by purchasing newer, less-than-a-month-old exploits. Additionally, a newly identified banking trojan named Coyote has emerged, targeting numerous online banking applications in Brazil with the potential for global impact. Furthermore, AhnLab discovered a RAT, disguised as gambling content and spread through malicious shortcut files.