Cyware Weekly Threat Intelligence - May 22–26
Weekly Threat Briefing • May 26, 2023
This week witnessed a new round of significant developments in the cybersecurity world. Cyber agencies unveiled an updated version of the #StopRansomware guide that was first released in 2020. This comes in the wake of escalating ransomware attacks across multiple sectors. In other news, the FTC proposed amendments to the Health Breach Notification Rule, owing to an increase in the use of health apps and connected devices.
The FTC proposed changes to the Health Breach Notification Rule, owing to an increase in the use of health apps and connected devices, many of which are not covered by HIPAA. The proposed amendments are aimed at enhancing patient data privacy and preventing organizations from improperly disclosing users’ data without their knowledge.
Google announced the launch of the 0.1 Beta version of Graph for Understanding Artifact Composition (GUAC) for organizations to enhance security against software supply chain attacks. The graph gives organizations actionable insights into their software supply chain security posture by aggregating software security metadata from different sources.
The CISA, along with the Joint Ransomware Task Force, has updated the #StopRansomware guide to help organizations reduce the impact of ransomware attacks. This latest version of the guide is a response to the new tactics and techniques adopted by ransomware attackers in the last three years. It includes best security practices that are aligned with the CPGs developed by the CISA and the NIST.
Although organizations and governments are trying their best to stay ahead of threat actors, the number of attacks doesn’t seem to be getting any lower. While the Black Basta group was held responsible for attacks on a German arms company, the BlackByte group claimed the city of Augusta as its latest victim. In separate news, a Brazilian cybercrime group infiltrated over 30 Portuguese organizations to steal users’ personal and financial information.
Microsoft and the NSA revealed that a stealthy China-based group, called Volt Typhoon, managed to infiltrate critical infrastructure organizations in the U.S. and Guam using living-off-the-land techniques. The attackers also used a network of compromised SOHO routers to proxy and hide connections from infected networks inside residential internet traffic. The targeted organizations were in the communications, manufacturing, transportation, maritime, and education sectors, among others.
More than 1.5 million WordPress sites using the Beautiful Cookie Consent Banner plugin have been targeted in an ongoing attack campaign that enabled attackers to gain unauthorized access to sensitive information and launch malware attacks. The attackers exploited an XSS vulnerability in the plugin to infiltrate the sites.
A Brazilian cybercrime group targeted more than 30 Portuguese financial institutions, including government organizations and private institutions, in a campaign dubbed Operation Magalenha. The attacks were aimed at stealing credentials and PII from users associated with these organizations.
A phishing campaign impersonating OpenAI was found stealing users’ business email account credentials. The email requested recipients to verify their email addresses to continue using their personal ChatGPT. To further deceive the victims, threat actors manipulated the sender’s domain address to make it appear as if the email originated from the organization’s IT support.
Apria Healthcare, a manufacturer of home medical equipment, disclosed that the personal data of almost 1.9 million patients and employees may have been impacted by data breaches that occurred over a series of months in 2019 and 2021. The impacted data included medical, health insurance, and financial information, and in some cases, individuals' Social Security numbers.
An unprotected database belonging to SuperVPN exposed 133 GB of sensitive data that included email addresses, IP addresses, and geolocation info of users. The database also revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be used to identify other useful information.
The FBI warned U.S. citizens and individuals who travel or live abroad of the risk of false job advertisements. Scammers contact victims, primarily in Asia, in employment fraud schemes on social media and online employment sites. Upon job seekers’ arrival in a foreign country, criminal actors use multiple means to coerce them into committing cryptocurrency investment scams.
German arms manufacturer Rheinmetall confirmed that the Black Basta ransomware group was responsible for a cyberattack detected in April. According to officials, the attack affected only the company's civilian business.
The Cuba ransomware group claimed responsibility for the cyberattack on The Philadelphia Inquirer, publicly releasing financial documents, account movements, balance sheets, tax documents, compensation details, and source code allegedly attributed to the newspaper. Meanwhile, the firm has denied the data leak claims in a fresh update.
The BlackByte ransomware group added the city of Augusta, Georgia, to its list of victims and has demanded $50 million in ransom to prevent the release of stolen data. Meanwhile, the city is investigating whether any data was stolen in the intrusion.
Turning to new threats, a new Android malware based on AhMyth RAT targeted over 50,000 users by masquerading as a trojanized recorder app on the Google Play Store. The DarkCloud info-stealer was observed in a fresh campaign that also employed Clipbanker to steal users' crypto wallet addresses. In addition, researchers uncovered two new botnets inspired by the Mirai botnet that are capable of launching massive DDoS attacks.