Cyware Weekly Threat Intelligence - February 12–16
Weekly Threat Briefing • Feb 16, 2024
We use cookies to improve your experience. Do you accept?
Weekly Threat Briefing • Feb 16, 2024
In a decisive week of cyber enforcement, the DOJ, alongside international partners, took down the Warzone RAT malware operation, arresting suspects in Malta and Nigeria for their roles in enabling cybercriminals to steal information and spy on victims. Concurrently, the U.S. government disrupted a MooBot botnet, used by Russia-linked APT28 for cyberespionage through vulnerable Ubiquiti routers, demonstrating unparalleled global cooperation against cyber threats.
Korean researchers identified a security hole in Rhysida ransomware's encryption process, which helped create a decryptor. Rhysida, linked to double extortion tactics, encrypts files using a 4096-bit RSA key and ChaCha20 algorithm. Analyzing its encryption routine, the experts found that the ransomware's PRNG relies on execution time, allowing them to decipher the order of file encryption.
The DOJ, in collaboration with international agencies, reportedly shut down domains selling the Warzone RAT malware. The sophisticated RAT allowed cybercriminals to conduct various malicious activities, including stealing information and spying on victims. Two suspects were arrested in Malta and Nigeria for their involvement in distributing the malware.
The FCC will soon require telecommunications and voice over IP providers to report data breaches to authorities within seven business days of discovery. Phone carriers must also notify customers of breaches in a timely manner. The new rule expands the definition of a breach and is intended to align with state and federal data breach laws.
The U.S. government disrupted a botnet of small office and home office routers used by the Russia-linked APT28 to conceal cyberespionage activities targeting various organizations. The botnet, known as MooBot, exploited vulnerable Ubiquiti routers using default credentials to conduct spear-phishing campaigns and steal credentials.
This week, the cybersecurity landscape was shaken by significant breaches and cyberattacks across the globe. In Romania, the DNSC revealed the Backmydata ransomware's wider impact on the Hipocrate Information System, affecting 100 hospitals. Across the Atlantic, Integris Health reported a cyberattack compromising the data of 2.4 million individuals, with no network interruption but resulting in extortion attempts. Meanwhile, France faced its largest cybersecurity incident, with nearly 33 million people affected by breaches at healthcare payment servicers Viamedis and Almerys, exposing sensitive personal and insurance information.
The Minnesota-based internet provider U.S. Internet Corp., through its Securence division, inadvertently exposed over a decade's worth of internal emails and those of thousands of clients online in plain text. The company's CEO attributed the exposure to an incorrect configuration in the Ansible playbook for their IMAP servers, but has not provided details on the duration of the exposure or taken sufficient responsibility for the incident.
The U.K’s Southern Water confirmed that between 5% and 10% of its customers had their personal details stolen in a Black Basta ransomware attack. The stolen data included sensitive information such as names, dates of birth, national insurance numbers, bank account details, and payment reference numbers, prompting the company to offer credit monitoring services to affected individuals.
The DNSC announced that the Backmydata ransomware attack on the Hipocrate Information System impacted 26 hospitals across Romania, instead of 18. Another 74 hospitals connected to the system have been cut off from the internet. The attackers demanded a 3.5 Bitcoin ransom and claimed to have stolen confidential data, prompting hospitals to isolate impacted systems, save ransom notes, and investigate the point of entry.
Cybercriminals utilized a stolen private key to mint and steal over $290 million in PLA tokens from the PlayDapp ecosystem, a blockchain-based platform facilitating NFT trading within games. It has now suspended trading, frozen hacker wallets, and advised users to be cautious. Despite efforts to mitigate the breach, stolen tokens are being laundered, impacting market value.
Proofpoint researchers uncovered an active campaign targeting Microsoft Azure environments, banking on credential phishing and cloud account takeover techniques. The threat actors target diverse roles, including senior executives, to access accounts associated with valuable resources across organizational functions. Attackers employ a complex operational infrastructure, including proxies and hijacked domains, to evade detection.
Oklahoma's largest not-for-profit healthcare network Integris Health disclosed that it suffered a cyberattack last year, compromising the personal information of nearly 2.4 million individuals. Despite no network interruptions, threat actors accessed sensitive data, including full names, dates of birth, contact details, demographic information, and SSNs. The breach reportedly led to extortion emails sent to patients.
EclecticIQ analysts noted a surge in DarkGate loader usage. DarkGate is in high demand by financially motivated groups like TA577 and Ducktail, and has been used against targets in Europe and the U.S. Exploiting legitimate services such as Google's DoubleClick and cloud storage, DarkGate is advertised as a Malware-as-a-Service (MaaS) on cybercrime forums. Recent phishing attempts targeted institutions like Bank Deutsches Kraftfahrzeuggewerbe using automotive-themed lures.
Nearly 33 million of France's population was impacted by a significant security breach at healthcare payment servicers Viamedis and Almerys. The breach, disclosed by CNIL, compromised data dates of birth, SSNs, and insurance details. Although banking and medical data remained untouched, the breach marks France's largest cybersecurity incident. Viamedis fell victim to a phishing attack targeting healthcare professionals, while Almerys' breach method remains undisclosed.
An unsecured database belonging to Nevada software startup Dexiga (developer of the My WinStar app for the WinStar casino resort) exposed customers' personal information, including names, phone numbers, emails, and addresses. Dexiga claimed the database contained publicly available information, but researchers said that sensitive data was also exposed.
The notorious IntelBroker group claimed responsibility for leaking a partial database of Facebook Marketplace, containing the sensitive personal information of approximately 200,000 users. The breach, allegedly orchestrated by a cybercriminal using the alias "algoatson," targeted a contractor managing Facebook's cloud services in October 2023. While passwords were not exposed, the leaked data includes full names, Facebook IDs, phone numbers, and physical IDs.
Willis Lease Finance Corporation disclosed a cybersecurity incident after Black Basta listed it as a victim on its leak site. The company detected a potential breach on January 31. While systems were taken offline and no unauthorized activity has been identified since February 2, the extent of data compromise is still under assessment. Black Basta claims to have stolen 910GB of company data, including customer information, HR documents, and passport scans.
Fulton County, Georgia, came under attack by the LockBit ransomware group, triggering widespread IT outages affecting phone, court, and tax systems. While initial investigations didn’t identify any citizen or employee data theft, LockBit threatens to publish confidential documents unless a ransom is paid by February 16. Fulton County Chair Robb Pitt confirmed disruptions in the property tax system and facing water billing issues due to the attack.
The Defense Intelligence Agency of the U.S. DOD informed approximately 20,600 individuals of a data incident, compromising their sensitive emails due to a misconfigured government cloud email server hosted by Microsoft. The breach occurred between February 3 and February 20, 2023. The exposed emails contained sensitive personnel information, including data related to U.S. Special Operations Command.
Medusa and LockBit ransomware groups may have the Venezuela electoral system under their control for some time. The breach allegedly targeted Smartmatic and other entities, raising alarms about the security of the country's electoral infrastructure. Screenshots circulating on the dark web and social media, purportedly from Smartmatic, hint at compromised voting information.
Bank of America alerted customers of a data breach at Infosys McCamish Systems, impacting names, addresses, SSNs, and financial data. Approximately 57,000 individuals were directly affected. The breach occurred in November 2023, attributed to the LockBit ransomware gang. This adds to a series of recent cybersecurity incidents affecting Bank of America's partners, highlighting ongoing security challenges.
Check Point Harmony Email researchers underscored a surge in cyberattacks leveraging fake voicemails, with over 1,000 incidents detected in the last 14 days. Scammers exploit corporate phone systems linked to email servers, embedding malicious links in voicemail playbacks to harvest credentials. Attackers send QR codes with conditional routing, impersonating reputable brands like payment processor Square.
In a striking display of cybercriminal innovation and resilience, the cybersecurity community faced formidable challenges as advanced malware campaigns resurfaced with new tactics and targets. The Glupteba malware made a notable comeback, introducing a previously unseen UEFI bootkit. Meanwhile, a new threat emerged with GoldPickaxe, a sophisticated trojan aimed at stealing facial biometric data and crafting deepfake videos to circumvent banking security measures. Adding to the digital onslaught, the Bumblebee malware reemerged with a revamped attack strategy, leveraging social engineering through deceptive emails.