Cyware Weekly Threat Intelligence - November 06–10

Weekly Threat Briefing • Nov 10, 2023
Securing critical infrastructure and sensitive data against sophisticated cyberattacks is essential for smooth business operations. Keeping this in mind, the DHS, along with the CISA and the FEMA, launched a new project named Shields Ready, which outlines strategies for organizations to identify critical assets, assess risks, and improve incident response plans. In another development, the NIST updated its security guidelines for controlled unclassified information to protect data stored and transmitted across federal agencies and government contractors.
The DHS, along with the CISA and the FEMA, launched a new project named Shields Ready to bolster the security of critical infrastructure. This initiative, complementing Shields Up, addresses cyber threats, physical security risks, and natural disasters. It encourages organizations to enhance resilience by identifying critical assets, assessing risks, and improving incident response plans. The CISA provides resources, including cybersecurity guidance and operational resilience evaluations, to support preparedness efforts.
The NIST updated its guidelines for protecting controlled unclassified information (CUI) across federal agencies and government contractors. The guidelines also apply to components of non-federal systems that process, store, or transmit CUI, or that provide protection for such components. Published as NIST Special Publication 800-171, they include security requirements and assessment procedures for evaluating threats to CUI.
The Ransomed.vc gang claimed to have shut down its operations after six of its affiliate members were arrested. The gang had initially been found offering its operation for sale, including domain names, VPN access to 11 breached companies, and access to affiliate groups and social media channels under its control, for about $10 million. However, the post was later deleted. The gang, which emerged in August, initially threatened victims with European data breach fines if the ransom payment was not made.
The infamous Cl0p ransomware group made it back into the headlines for exploiting a zero-day flaw in the SysAid IT service management software. Microsoft reported that Lace Tempest, an affiliate associated with Cl0p, leveraged the flaw to deliver Gracewire malware. Meanwhile, a new victim confirmed being targeted in the MOVEit hack: the government of Maine revealed that the personal information of over a million state residents was stolen by the Cl0p group. In another concerning event, a threat actor named USDoD dumped a scraped LinkedIn database that contained the personal information of over 35 million users.
In a notification, Kyocera AVX Components Corporation (KAVX) disclosed a ransomware attack that affected the personal information of about 39,111 individuals. The attackers accessed its systems between February 16 and March 30 and stole sensitive information from the servers, including full names and Social Security numbers. Meanwhile, the LockBit ransomware group had claimed responsibility for the attack on May 26 by adding the firm to its data leak site.
Dolly.com, an on-demand moving and delivery service provider, had its stolen data leaked despite making a partial ransom payment. The attackers posted the details on a Russian-language forum, including high-level account login details, credit card information, full names, email addresses, and home addresses of customers. Besides these, 95 AWS S3 bucket names belonging to the company, including backups, were attached to the post.
The Maine government confirmed that the personal information of over a million state residents was stolen earlier this year in the MOVEit software hack. The Russia-based Cl0p ransomware group exploited the flaw to access and download files belonging to certain state agencies between May 28 and May 29. The stolen information includes dates of birth, names, SSNs, driver’s license numbers, and taxpayer identification numbers.
A threat actor under the alias ‘DrOne’ leaked a scraped database of Chess.com, containing the personal information of more than 800,000 registered users, on the BreachForums dark web forum. Full names, profile links, email addresses, UUI, and user IDs, among other fields, were part of the leaked data.
A Monero Project maintainer disclosed that one of its wallets was hacked on September 01, draining around $437,000 in Monero cryptocurrency. The funds were drained in nine separate transactions within a couple of minutes. While the team is still trying to determine the initial access vector of the attack, it states that none of the project’s other wallets were affected.
Widespread exploitation of a zero-day vulnerability (CVE-2023-47246) affecting SysAid IT service management software came to researchers’ attention. A threat actor named Lace Tempest (aka DEV-0950), an affiliate of the Cl0p ransomware group, was found exploiting the flaw to deliver the Gracewire malware. The vendor released an advisory informing organizations about the flaw, noting that it was addressed in version 23.3.36 of the software.
A data breach at Marina Bay Sands, Singapore, impacted the personal data of 665,000 customers. The incident was discovered on October 20 and the type of information accessed includes names, email addresses, mobile phone numbers, and country of residence of individuals. The luxury resort clarified that the Sands Rewards Club members have not been impacted by the incident.
Multiple ransomware groups were found exploiting recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Attackers exploited the Atlassian Confluence Data Center and Server flaw (CVE-2023-22518) after exploit code was released last week; in one instance, exploitation of the vulnerability led to the deployment of Cerber ransomware. Meanwhile, Arctic Wolf Labs disclosed that the flaw impacting Apache ActiveMQ was weaponized to deliver SparkRAT malware and a ransomware variant that shares similarities with TellYouThePass ransomware.
A threat actor named USDoD leaked a scraped LinkedIn database, holding the personal information of over 35 million users. The data was dumped on the BreachForums cybercrime marketplace. The leaked data primarily includes full names, email addresses, and profile bios of users, with some screenshots showing that many of these email addresses belong to various government agencies worldwide.
Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital confirmed that their patient and employee data was stolen in a ransomware attack. While Bluewater Health disclosed that the data of approximately 267,000 unique patients was stolen, Chatham-Kent Health Alliance revealed that information of 1,446 patients was impacted. For Windsor Regional Hospital and Hôtel-Dieu Grace Healthcare, cybercriminals accessed limited patient and employee information. Meanwhile, Erie Shores HealthCare concluded that the social insurance numbers of around 352 employees were compromised.
OpenAI and Cloudflare confirmed IT and service outages due to DDoS attacks. While investigation and restoration are ongoing, a threat actor named Anonymous Sudan claimed responsibility for the attacks. In OpenAI’s case, the attackers further added that the Skynet botnet was used to launch attacks.
Russian financial organization Sberbank disclosed that it suffered its most powerful DDoS attack to date two weeks ago. The attack reached one million requests per second, roughly four times the size of the most powerful DDoS attacks Sberbank had experienced up until then. Hackers from the ‘DumpForums’ group and the Ukrainian Cyber Alliance took responsibility for the attack, while also claiming to have stolen 31GB of data.
Cook County Health, a healthcare provider in Chicago, disclosed that the personal information of around 1.2 million patients was compromised following an attack on its third-party vendor, Perry Johnson & Associates. The data includes names, birthdates, addresses, medical information, and dates and times of service of patients.
Moving on to other threats, researchers observed a surge in Iranian cyber activity since the onset of the Israel-Hamas war. The Agonizing Serpens APT group deployed three new wiper malware families against Israeli education and technology sectors. The Iranian Imperial Kitten APT group leveraged compromised websites to infect Israeli entities with IMAPLoader, which eventually dropped a RAT. The week also witnessed a new RedLine stealer campaign that leveraged a Windows news portal for propagation.