Cyware Weekly Threat Intelligence - November 20–24
Weekly Threat Briefing • Nov 24, 2023
We use cookies to improve your experience. Do you accept?
Weekly Threat Briefing • Nov 24, 2023
With new cyberattacks and threats emerging everyday, it has become crucial for organizations to go beyond traditional security approaches and adopt new strategies. Taking an initiative in this aspect, the U.S. Navy has released its first cyber strategy that outlines plans to secure defense critical infrastructures and foster collaboration with allies. In another story, the healthcare sector has been issued a new vulnerability mitigation guide by the CISA to reduce the risk across hospitals and clinics.
The U.S. Navy released its first cyber strategy as part of an effort to revamp the security posture across its services. Touted to be a more detailed version of the two-page Navy Cyberspace Superiority Vision, the strategy will focus on multiple areas. These include securing critical infrastructure and weapon systems, improving and supporting the cyber workforce, conducting cyber operations, and defending enterprise, IT, data, and networks against threats while bolstering collaboration and cooperation with allies and partners. The plans are outlined with the help of the Navy’s principal cyber advisor and chief information officer.
The CISA issued a cybersecurity vulnerability mitigation guide for the healthcare sector to help organizations address encryption weaknesses, web application vulnerabilities, and other security threats. The guideline provides a detailed roadmap for implementing an asset inventory, in addition to basic recommendations, such as changing default passwords, implementing MFA, and maintaining encryption protocols.
The Australian government published its Cyber Security Strategy for the period 2023-2030. The plan, for which AU$586 has been allocated, outlines ways the government and its agencies would work together to protect themselves, businesses, and individuals from cybercriminals. Major points include creating a playbook to guide organizations to respond to ransomware and cyber threats and increasing cyber awareness among people.
The US Department of Justice (DoJ) dismantled the infrastructure and seized almost $9 million worth of Tether cryptocurrency collected in a pig butchering scam that impacted over 70 victims. As part of the infection chain, cybercriminals convinced victims to make cryptocurrency deposits by fraudulently manipulating them into making investments with “trusted” firms and cryptocurrency exchanges.
With good comes the bad. Two new organizations were added to the ever-expanding list of MOVEit data breaches, with a Denver-based healthcare SaaS provider disclosing that nearly 8.5 million patients had their data stolen. Autopart giant AutoZone was another victim added to the list. This week, the legal sector was in the wreck as the New York City Bar Association and the Kansas Judicial Branch shared details of people and systems impacted. Separately, a data leak incident that involved the exposure of over 50 million sensitive records by a Korean IT company was also reported.
Researchers identified a data leak incident that exposed the personal details of over 2 million Turkish citizens. The leak was related to vaccination data from 2015 to 2023 and included details like birth dates, dates of vaccinations, dose numbers of specific vaccinations across the country, and patients’ partial Turkish Identification Numbers.
Auto parts giant, AutoZone, disclosed in a notification that the data of around 184,995 people was affected in the Cl0p MOVEit file transfer attacks that occurred earlier this year. It took the company three more months to determine what data the intruders had stolen from its systems, and the listing on the Office of the Maine Attorney mentioned full names and Social Security numbers were among the breached data.
The Denver-based patient engagement firm, Welltok, also confirmed that it was one of the victims of the Cl0p hacking group’s MOVEit hack. It was initially unclear how many people were affected, but the HHS’ Office for Civil Rights highlighted that the data of nearly 8.5 million patients was exposed in the incident. This includes full names, email addresses, physical addresses, and telephone numbers.
Insurance company Fidelity National Financial shuts down some of its IT systems in the aftermath of a major cyberattack. The Florida-based company disclosed the incident a day before the Thanksgiving U.S. holiday, shortly after the intrusion took place. As soon as it was made public, the AlphV ransomware operation took credit for the intrusion.
An unsecured Kibana instance belonging to TmaxSoft, a Korean IT company, exposed over 2TB of data containing over 50 million sensitive records. The leaked data included names, email addresses, phone numbers, contents of sent attachments, and contract numbers of employees. According to Cybernews, the data was left open to the public for two years.
SiegedSec hacktivists group claimed responsibility for the hack on the Idaho National Laboratory (INL) and leaked stolen human resources data. It announced on BreachForums marketplace on its Telegram Channel that it stole the data, such as full names, dates of birth, email addresses, and SSNs, of thousands of users, employees, and citizens.
The New York City Bar Association confirmed that the data of more than 27,000 members and employees was compromised in a Cl0p ransomware attack that occurred between December 2 and December 24. In January, the group had claimed the attack and threatened to leak 1.8TB of information stolen from the firm.
The Kansas Judicial Branch also suffered a cyberattack last month, wherein threat actors stole sensitive files containing confidential information from its systems. The incident impacted multiple systems, including the eFiling system, electronic payment systems, and case management systems.
Two Canadian government contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, suffered a security breach that exposed the sensitive information of an undisclosed number of government employees. Data of current and former Government of Canada employees, Canadian Armed Forces members, and Royal Canadian Mounted Police personnel was compromised in the breach. Meanwhile, the LockBit ransomware group claimed responsibility for the attack and leaked 1.5TB of stolen data.
Researchers foresee a series of upcoming supply chain attacks as misconfigured Kubernetes instances were found exposing secrets of Fortune 500 companies, including two blockchain companies. These secrets, which were uploaded to public repositories, were mostly passwords, with 50% of them deemed as weak passwords.
Blender, an open-source 3D design software provider, confirmed suffering system outages due to DDoS attacks that started last weekend. The administrators attempted to block malicious IP ranges to contain the attack, however, the firm reported that facing the attacks, with over 240 million unwanted traffic requests hitting the servers.
The ever-changing threat landscape witnessed the emergence of a Mirai-inspired botnet named InfectedSlurs. It was found exploiting two zero-day vulnerabilities in routers and Network Video Recorder (NVR) devices to launch DDoS attacks. Remember the ClearFake campaign from last month? Now, the attackers have expanded their operations to target macOS devices as well. The successors of the QakBot trojan are here! Its operators have reportedly replaced QBot with DarkGate and Pikabot to venture into ransomware, espionage, and data theft attacks.
Akamai discovered a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities in routers and NVR devices. One of these flaws is associated with a remote code execution issue. The botnet borrows its code from the JenX Mirai malware variant and leverages default admin credentials to launch DDoS attacks against devices.
North Korea-based threat actors deployed two new malware families, BeaverTail and InvisibleFerret, in a couple of campaigns targeting job seekers. These malware are designed to perform data theft on Windows, Linux, and macOS systems. While InvisibleFerret is a Python-based backdoor malware, BeaverTail is distributed as JavaScript inside npm packages.
Lumma Stealer (aka LummaC2) was updated with a new anti-evasion feature that allows cybercriminals to restore expired Google cookies. This enables the attackers to gain unauthorized access to Google accounts even after the legitimate owner has logged out of their account or their session has expired. The feature is available on a subscription basis on a forum that boasts that attackers can restore Google cookies using a key from restore files.
The relatively new ClearFake campaign was found expanding its operation to deliver Atomic Stealer on macOS systems. The campaign leveraged SEO poisoning to advertise fake browser updates for Safari or Chrome browsers and tricked users into downloading the malware. The malware was embedded within a password-protected DMG file.
Security researchers observed a new Konni RAT campaign that leveraged a Russian-language Word document purporting to be an assessment of Russia’s so-called Special Military Operation. A VBA script is triggered upon opening the document, which runs and performs system checks, UAC bypass, and DLL file manipulations on victims’ systems. The subsequent script stops redundant execution, copies files, creates a new service, and configures registry settings. The final payload encrypts its C2 configuration using AES-CTR encryption and gathers system information.
DarkGate and Pikabot replaced the now-defunct QakBot trojan, indicating that threat actors use two malware loaders with features similar to Qbot to perform ransomware, espionage, and data theft attacks. Cofense researchers drew a conclusion based on the recent phishing campaigns using tactics and techniques similar to previous QBot campaigns. One of these campaigns was observed hijacking email threads in September.
Microsoft observed mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. The attackers were found using two malicious applications mimicking official banking apps to steal user information. Upon installation, the fake apps displayed a bank icon to convince users and requested them to sign in by entering their mobile number, ATM pin, and PAN card details.
A new variant of Agent Tesla was found using an uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. The file is sent via a phishing email in the form of a purchase order to trick recipients. The variant is also capable of capturing screenshots, recording keylogs, and gathering system information.
Trend Micro shared details of a new framework, dubbed ParasiteSnatcher, which is used by threat actors to create malicious Chrome extensions to monitor and steal data from browsers. The framework was observed in a campaign leveraging Banco do Brasil- and Caixa Econômica Federal (Caixa) banks to pilfer personal and financial details from Brazilian users.
Additionally, researchers from the same firm observed new malicious operations that infected users with Lu0bot malware. The infection chain leveraged the Google search engine to distribute the malware via loaders. It is capable of performing a number of functions that include gathering sensitive information and launching DDoS attacks.
The CISA added Looney Tunables Linux vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating its exploitation in the wild. The flaw, tracked as CVE-2023-4911, can enable attackers to execute code with elevated privileges. It affects multiple Linux distributions, including Debian, Fedora, and Ubuntu. Researchers at Qualys’ Threat Research Unit disclosed the vulnerability last week and published a PoC exploit.