Cyware Weekly Threat Intelligence - November 13–17

Weekly Threat Briefing • Nov 17, 2023
While AI is touted to hold immense potential to enhance national cybersecurity, it also has a flip side, which may invite complex cyber risks. To mitigate the risks, the DHS has issued a roadmap that focuses on bolstering the digital ecosystem with AI tools. In another development, the FCC has proposed a pilot program to enhance the cybersecurity of K-12 schools and libraries. The initiative has been taken following a recent spate of cyberattacks that impacted the sensitive information of students and employees.
The DHS and the CISA released the first Roadmap to AI to ensure the secure development and implementation of AI capabilities across public and private organizations. As part of the effort, the roadmap outlines five strategies to help organizations build a resilient digital ecosystem while leveraging AI tools. These include using AI responsibly to support CISA’s mission, assessing and assuring AI systems, protecting critical infrastructure from malicious AI use, collaborating on key AI efforts, and expanding AI expertise in the workforce.
The FCC proposed creating a pilot program to help K-12 schools and libraries across the U.S. defend against rising cyber threats. Titled ‘Schools and Libraries Cybersecurity Pilot Program’, the initiative will run for three years with a budget of up to $200 million, with a primary focus on using advanced firewall services and enhancing the security of broadband networks and data.
The FBI dismantled the IPStorm botnet proxy network and its infrastructure after the hacker behind the operation pleaded guilty. The botnet was taken down along with its 23,000 proxies from all over the world. These proxies were used to infect over 13,500 Linux, Mac, and Android devices across the U.S., Europe, and Asia. According to the DOJ, the convict sold illegitimate access to the infected devices, making a profit of at least $550,000 from the sale.
Vulnerable software leading to the compromise of sensitive data serves as a stark reminder to organizations of the importance of securing it. For instance, the LockBit ransomware gang exploited the Citrix Bleed vulnerability to breach the networks of large organizations and steal their data. Besides this, the group was also in the news for leaking over 43GB of data it stole from Boeing. In another incident involving in-the-wild exploitation of vulnerabilities, the Russian GRU hacked 22 energy companies in Denmark by abusing Zyxel firewall vulnerabilities.
A cyberattack on international logistics firm DP World severely disrupted regular freight operations across multiple ports in Australia. In response, the company activated its emergency plans and engaged with cybersecurity experts to resolve problems caused by the incident. While investigations are ongoing, the firm fears the possibility of unauthorized access to data by perpetrators.
Threat actors exploited Ethereum's Create2 opcode function to bypass wallet security alerts and steal $60 million worth of cryptocurrency from 99,000 people over six months. The opcode, originally designed to let developers compute a contract's address before it is deployed, was abused by scammers to create addresses with bad signatures, enabling them to evade security checks. While one victim reportedly lost up to $1.6 million, 11 victims collectively suffered a loss of $3 million.
The LockBit ransomware group leaked over 43GB of data stolen from Boeing after the latter refused to pay the ransom. Most of the data listed on the leak site was backup data for various systems, the most recent of which dated back to October 22. The data included configuration backups, audit logs for IT management software, and logs for monitoring and auditing tools. Citrix backups were also listed in the leaked data.
In another update, the LockBit ransomware attacks used publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the networks of large organizations, steal data, and encrypt files. Although Citrix issued security patches for the flaw more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, with many in the U.S. Adding more woes, the Citrix Bleed vulnerability was also exploited by the MedusaLocker ransomware group to target Toyota Financial Services across Europe and Africa.
Denmark’s Computer Security Incident Response Team (CSIRT) disclosed that Russian GRU exploited zero-day vulnerabilities in Zyxel firewalls to coordinate attacks on 22 energy companies in Denmark. The first wave of attacks was launched on May 11 and the second wave began on May 22. The flaw in question was CVE-2023-28771 and affected Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73.
Michigan-based McLaren Health Care experienced a major cyberattack that impacted the PII and PHI of 2.2 million patients. The compromised data included names, birth dates, SSNs, and extensive medical information of patients. The ALPHV (BlackCat) ransomware gang claimed responsibility for the breach in October, boasting access to sensitive information.
A SQL injection vulnerability in the WP Fastest Cache plugin could expose more than 600,000 websites to attacks. The flaw, tracked as CVE-2023-6063, could allow attackers to read the contents of the site’s database. It has a high-severity score of CVSS 8.6 and impacts all versions of the plugin before 1.2.2.
U.S. mail-order pharmacy provider Truepill, also known as Postmeds, confirmed that hackers accessed the sensitive data of 2.3 million patients between August 30 and September 1. The compromised data contained names, medication types, demographic information, and Social Security numbers of patients.
An unprotected Elasticsearch instance belonging to Strendus, a Mexican-licensed online casino, exposed 85GB of personal data of hundreds of thousands of gamblers. The open instance also contained data from another online casino, MustangMoney. The leaked information contained user names, email addresses, dates of birth, gender, KYC status, withdrawal amounts, and home addresses of gamblers.
Samsung disclosed a cyberattack that impacted the personal details of customers who made purchases from its U.K. online store between July 1, 2019 and June 30, 2020. The attackers managed to steal the data by exploiting a vulnerability in a third-party application. The affected data included names, phone numbers, home addresses, and email addresses of customers.
Over 20GB of data stolen from Plume, a smart Wi-Fi service provider, was dumped by a threat actor on the Breach Forums marketplace. The stolen database contains over 15 million lines of information, including email addresses, full names, and device details of users. A majority of the leaked email addresses were associated with the @plume.com and @plumewifi.com domains.
Nevada-based Perry Johnson & Associates disclosed that the cyber incident earlier this year affected more than 8.95 million people. While the data stolen varied from patient to patient, it could include names, dates of birth, addresses, medical record numbers, and diagnosis details of patients.
A Kibana instance belonging to Vietnam Post Corporation had left 1.2 TB of data exposed on the internet for 87 days. The database contained 226 million logged events collected by various SIEM tools. The leaked information also included employee names and email addresses.
Moving to new threats, four new info stealers—BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer—emerged in the threat landscape as researchers reported their usage against gaming communities. Meanwhile, an advisory from the CISA revealed that the Royal ransomware group has rebranded itself to BlackSuit to sidestep the security curbs by law enforcement and cybersecurity experts. There’s also an update on Scattered Spider actors leveraging BlackCat ransomware as part of their extortion tactics.