Cyware Weekly Threat Intelligence - January 01–05
Weekly Threat Briefing • Jan 5, 2024
A big relief for Black Basta victims: researchers have unveiled the Black Basta Buster decryptor tool, which fully recovers files between 5,000 bytes and 1 GB. In another vein, the FTC is running a contest aimed at protecting users from AI-enabled voice cloning threats.
SRLabs released a decryptor to help Black Basta ransomware victims restore their files for free. The firm found a weakness in the ransomware's encryption routine that allows the ChaCha keystream used to XOR-encrypt a victim's file to be recovered. The decryptor can fully recover files between 5,000 bytes and 1 GB, so Black Basta victims from November 2022 to December 2023 could potentially recover their files without paying.
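The keystream-recovery idea behind the decryptor, as an added worked example that is not SRLabs' tool and not the ransomware's code: a toy encryptor XORs every chunk of a file with the same keystream block (a fixed byte string stands in for the reused ChaCha output; the 64-byte chunk size and the file layout are assumptions, not Black Basta's actual format), and the block is then recovered either from one chunk of known plaintext or from the ciphertext alone when the file contains long runs of zero bytes, as disk images and database files usually do. The sample file and keystream are constructed.

```python
from collections import Counter
from typing import Optional

CHUNK = 64  # assumed size of the keystream block that the flawed encryptor reuses


def xor_with_repeated_block(data: bytes, block: bytes) -> bytes:
    """XOR every CHUNK-aligned slice of data with the same block.

    This is the flaw being modelled: a stream-cipher keystream must never be
    reused, but here one block covers every chunk, so the operation is its own
    inverse and any single chunk of known plaintext reveals the block.
    """
    if len(block) != CHUNK:
        raise ValueError("keystream block must be exactly CHUNK bytes")
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = b ^ block[i % CHUNK]
    return bytes(out)


flawed_encrypt = xor_with_repeated_block  # what the ransomware side does
decrypt = xor_with_repeated_block         # what the decryptor does once the block is known


def recover_keystream_known_plaintext(ciphertext: bytes, offset: int, known: bytes) -> bytes:
    """Recover the reused block from CHUNK bytes of plaintext known at a chunk-aligned offset."""
    if offset % CHUNK or len(known) != CHUNK or offset + CHUNK > len(ciphertext):
        raise ValueError("need CHUNK bytes of known plaintext at a chunk-aligned offset")
    return bytes(c ^ p for c, p in zip(ciphertext[offset:offset + CHUNK], known))


def guess_keystream_from_zero_runs(ciphertext: bytes, min_repeats: int = 2) -> Optional[bytes]:
    """Guess the reused block with no known plaintext at all.

    Under keystream reuse every all-zero chunk encrypts to the same CHUNK-byte
    value, and zero XOR keystream is the keystream itself, so the most frequently
    repeated aligned chunk is the best candidate. Returns None when no full chunk
    repeats often enough to be trusted.
    """
    chunks = [ciphertext[i:i + CHUNK] for i in range(0, len(ciphertext) - CHUNK + 1, CHUNK)]
    if not chunks:
        return None
    candidate, count = Counter(chunks).most_common(1)[0]
    return candidate if count >= min_repeats else None


# Constructed sample: a text header, a 4 KiB zero-filled region (as a VM image or
# database page would have) and a trailer that leaves the file not chunk aligned.
# The keystream is a fixed stand-in, not derived from any real key or nonce.
SAMPLE_KEYSTREAM = bytes((7 * i + 3) & 0xFF for i in range(CHUNK))
SAMPLE_PLAINTEXT = b"VICTIM-DOC v1\x00" * 4 + b"\x00" * 4096 + b"trailer: not chunk aligned"


def demo() -> bool:
    """Encrypt the sample, recover the block both ways, and confirm full decryption."""
    ct = flawed_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEYSTREAM)
    ks_from_zeros = guess_keystream_from_zero_runs(ct)
    ks_from_header = recover_keystream_known_plaintext(ct, 0, SAMPLE_PLAINTEXT[:CHUNK])
    return (ks_from_zeros == ks_from_header == SAMPLE_KEYSTREAM
            and decrypt(ct, ks_from_zeros) == SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    print("recovered and decrypted:", demo())
```

The zero-run heuristic is why file size matters in practice: a file needs enough aligned all-zero chunks for the repeated value to dominate, and a file with no known or predictable plaintext region gives the decryptor nothing to work from.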
The Finnish Security Intelligence Service (Suojelupoliisi or Supo) reorganized its departments, from nine to eight, to enhance information gathering amidst rising cybersecurity concerns. The agency, responsible for foreign intelligence and domestic counterintelligence, anticipates a shift toward cyberespionage by Russia. The development highlights the growing importance of cybersecurity in the face of geopolitical tensions and potential cyber threats.
The FTC is seeking submissions for a contest that aims to encourage the development of technologies and policies that protect consumers from the malicious use of AI-enabled voice cloning technology. The contest is part of an effort to monitor and stop scammers from exploiting voice cloning.
Massive data breaches rocked the healthcare sector as Fallon Ambulance Services and HealthEC disclosed that nearly one million and 4.5 million patients were impacted in separate incidents, respectively. Cross Switch, a payment gateway platform, also found itself in the soup after 3.6 million records were exposed online. Meanwhile, Gallery Systems reported an attack impacting around 800 museums.
The MyEstatePoint Property Search app left a MongoDB server publicly accessible, exposing the sensitive details of nearly half a million of its users. The exposed instance contained names, email addresses, plain-text passwords, and mobile phone numbers.
San Francisco-based Orrick, Herrington & Sutcliffe law firm fell victim to a data leak incident that exposed the health information of more than 637,000 users. The incident occurred in February 2023 and the type of stolen data includes names, dates of birth, email addresses, and government-issued identification numbers of users.
Orbit Chain lost $86 million in Ether, Dai, Tether, and USD Coin in a security breach. Although the identity and origin of the attackers are yet to be determined, it is believed to be the work of state-sponsored attackers based out of North Korea. The blockchain platform is working with South Korean police authorities to track the stolen funds and has warned users to be wary of phishing sites pretending to be connected with their wallets.
According to a breach notification, Fallon Ambulance Services disclosed that 911,757 individuals nationwide, including 20,486 Maine residents, were affected by a ransomware attack between February and April 2023. The exposed data includes names, driver's license numbers, and other identification numbers. The now-defunct ambulance service was a subsidiary of Transformative Healthcare.
A ransomware attack on Gallery Systems, a museum software solutions provider, impacted 800 museums, including MoMA, Met, the Chrysler Museum of Art, MoPOP in Seattle, the Barnes Foundation, and the Crystal Bridges Museum of American Art. The incident has also impacted its online public viewing platform called eMuseum, commonly used by museums and colleges to create searchable online collections. The firm has notified law enforcement authorities and is conducting an internal investigation and working to restore the impacted systems.
A threat actor under the moniker IntelBroker reportedly stole and leaked the personal information of 3.6 million users of Cross Switch, a leading online payment gateway management platform in Africa. This included details such as full names, email addresses, phone numbers, messages, banking information, and dates of birth of users.
Xerox confirmed that its subsidiary XBS is dealing with a security incident involving the theft of personal information. This comes days after a ransomware group named INC Ransom claimed responsibility for the attack. Xerox said the incident had no impact on XBS operations or on Xerox's corporate systems, operations, and data.
A hacker group, identified as ‘irleaks’, claimed to have stolen more than 3TB of data associated with Snappfood, an online food delivery service in Iran. This includes 130 million records containing details of over 20 million customers, data from 180 million devices, information of 35,000 bikers, and records of 240,000 vendors. The company has acknowledged the breach and is actively working to identify the source.
TuneFab converter exposed the private data of over 151 million users due to a misconfigured MongoDB instance. The leaked data included IP addresses, user IDs, email addresses, and device information. The leak was discovered and fixed within 24 hours, but the company has not yet commented on the matter.
The Cactus ransomware group claimed to have hacked Coop, a major retail and grocery provider in Sweden, and threatened to release over 21,000 directories of personal information. Coop had previously been affected by a supply chain ransomware attack in July 2021, which was traced back to its software provider Visma.
Private freight shipper Estes Express Lines notified over 20,000 customers that their personal information, including names and SSNs, was stolen in a cyberattack. The company discovered unauthorized access to its IT network and ransomware deployment but chose not to pay the ransom. The LockBit ransomware crew later claimed responsibility and leaked stolen data.
Google Cloud subsidiary Mandiant had its X (Twitter) account compromised for more than six hours in a cryptocurrency scam. It’s currently unclear how the account was breached but the hacked Mandiant account was renamed as ‘@phantomsolw’ to impersonate the Phantom crypto wallet service. Scammers advertised an airdrop scam, created counterfeit websites, and urged users to click on a bogus link and earn free tokens, with a follow-up message to ‘change password please’ and ‘check bookmarks when you get account back.’
CloudSEK researchers revealed a surge in dark web activity targeting X’s (previously known as Twitter) Gold accounts, introduced in December 2022. Cybercriminals are actively selling compromised Gold accounts on the dark web to launch scams and disinformation campaigns. The compromise methods include brute-forcing passwords and malware.
Russian hackers from the Solntsepek group, believed to be linked to the Sandworm APT group, wiped 10,000 computers and thousands of servers associated with Kyivstar’s network. Following the incident, mobile and data services went down, leaving around 25 million mobile and home internet subscribers without an internet connection.
A data breach at HealthEC impacted close to 4.5 million individuals who received care through one of the company’s customers. The breach occurred between July 14 and 23, 2023, when attackers gained unauthorized access to some of its systems and stole sensitive data. This includes names, dates of birth, SSNs, taxpayer identification numbers, and medical record numbers.
The Terrapin attack posed a massive threat worldwide as fresh research revealed that nearly 11 million SSH servers remain unpatched. In other updates, threat actors were found expanding their evasion tactics to deploy AsyncRAT and Remcos RAT onto victims' systems.