Cyware Weekly Threat Intelligence - October 16–20

Weekly Threat Briefing • Oct 20, 2023
Phishing attacks rank among the prevalent ways to steal credentials and deploy malware across organizations. To educate organizations and employees about the risks associated with such threats, the CISA, along with the NSA, FBI, and MS-ISAC, issued a new advisory. In a separate guide addressed to software manufacturers, the agency focuses on developing products that are secure for end users and, at the same time, gives customers a way to evaluate security protocols. Furthermore, an international law enforcement operation seized data leak sites belonging to the Ragnar Locker ransomware gang.
The CISA, along with the NSA, FBI, and MS-ISAC, released a guide to reduce the impact of phishing attacks that lead to credential theft and malware deployment. The guidance recommends that small- and medium-sized organizations with limited resources prioritize the best cybersecurity practices to protect network resources from prevalent phishing threats. Some of the recommendations include implementing an anti-phishing training program, enabling MFA across all accounts, and employing DNS filters.
The U.S. and the UAE signed a memorandum to work closely to improve the security of critical infrastructure in the financial sector. The MoU emphasizes increased information sharing about digital threats, more staff training, and conducting cross-border cybersecurity exercises. This new partnership is part of the U.S. Treasury Department’s continued effort to improve cybersecurity outcomes across the financial service sector.
The CISA, along with 17 U.S. and international partners, issued new security guidance for software manufacturers to develop products that are secure by design. The new recommendations include evaluating security protocols, conducting field tests, creating secure configuration templates, and eliminating the use of default passwords. The goal of the updated guidance is to give end users more transparency into software companies and their cybersecurity measures.
The HHS Office of Civil Rights (OCR) unveiled two resource documents to educate patients about the privacy and security risks to their PHI when using telehealth services. These resources offer tips on basic cybersecurity hygiene, such as employing strong and unique passwords, enabling lock screen functions to protect stored health information, activating MFA on accounts, and avoiding public WiFi networks at public charging stations.
RagnarLocker ransomware group's leak site was seized as part of an international law enforcement operation. The ransomware group has been active since late 2019 and uses stolen data from enterprises in double-extortion schemes. The operation was carried out by law enforcement agencies from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia.
Meanwhile, D-Link and Casio landed in the soup after threat actors stole troves of sensitive data from their servers; around 1.2GB of data stolen from D-Link was put up for sale on a hacking forum. Separately, the personal data of more than 820,000 DNA Micro customers was exposed online owing to a misconfiguration issue in the company’s systems. Be careful with this one - a zero-day vulnerability in Cisco IOS XE software has led to the compromise of over 40,000 devices.
In a new update, a threat actor going by the name ‘Golem’ leaked an additional 4.1 million stolen 23andMe genetic data profiles on a hacking forum. The data primarily belongs to people in Great Britain and Germany. The development comes after a threat actor leaked 1 million stolen data records belonging to Ashkenazi Jews earlier this month. The company, for its part, confirmed that the sensitive data was stolen using weak passwords or credentials exposed in other data breaches. However, there was no evidence of a security incident on its IT systems.
The ALPHV ransomware group claimed attacks on QSI Inc., a prominent ITM and ATM solutions provider. It stole 5TB of data, including financial and work-related information, from the firm. Moreover, the attackers listed the names of 10 banks, associated with QSI Inc., which were impacted by the attack. Meanwhile, the firm did not confirm the cyberattack.
A researcher revealed that around 35 vulnerabilities affecting the Squid caching proxy remain unpatched despite their disclosure in 2021, raising a security concern for more than 2.5 million Squid instances exposed on the internet. While many of these vulnerabilities could lead to a system crash, some can also be exploited for arbitrary code execution.
Personal information of around 8,000 global employees of Decathlon, stolen in an alleged data breach that occurred two years ago, was found dumped on the dark web. The exposed data contained a wide range of records, such as full names, usernames, phone numbers, email addresses, details of countries and cities of residence, authentication tokens, and even photographs.
The CERT-UA revealed that a threat actor group tracked as UAC-0165 targeted at least 11 telecommunication service providers in Ukraine between May and September. These attacks were launched via exposed RDP or SSH interfaces and used two specialized programs called POEMGATE and POSEIDON to steal credentials and gain remote control of the infected hosts.
Taiwanese manufacturer D-Link confirmed a data breach after a threat actor offered 1.2GB of stolen data for sale on the BreachForums platform. The threat actors claimed to have stolen three million lines of individual information and the source code for D-Link’s D-View network management software. Other data stolen included information for many Taiwanese government officials, as well as the CEOs and employees of the company.
Casio experienced a data breach on its ClassPad education platform, exposing the personal information of customers from 149 countries. The compromised data included customer names, email addresses, service usage details, and purchase information.
A high-severity zero-day vulnerability (CVE-2023-20198) in Cisco IOS XE software was exploited to infect over 40,000 devices with a backdoor. The vulnerability impacts switches, industrial routers, access points, wireless controllers, and branch routers from Cisco. Successful exploitation of the flaw was observed across the U.S., the Philippines, and Chile.
DNA Micro, a California-based IT company, exposed the sensitive data of more than 820,000 customers due to a misconfiguration issue in its systems. The victims affected by the data leak were those using screen warranty services from InstaProtek, Liquipel, and Otterbox. The exposed data included full names, addresses, email addresses, phone models, purchase dates, and IMEI numbers of customers.
Courts across Kansas faced IT system disruptions following an alleged ransomware attack. While municipal court and probation and prosecution divisions remained closed to the public on Monday, the Kansas Supreme Court was forced to use pen and paper to record cases. The investigations are ongoing and officials are working with experts to understand the scope and impact of the attack.
Major shipping companies across Europe were hit by a possible DDoS attack that impacted their websites. One of the confirmed victims was Viking Line. While more information about the attack is awaited, security teams are working to restore the impacted systems.
In new threats this week, researchers noted a surge in cyberattacks leveraging the Discord messaging platform. In one instance, cybercriminals used compromised Discord accounts to distribute Lumma Stealer malware. Threat actors behind Qubitstrike malware abused Discord’s bot functionality to deliver malicious commands for cryptojacking attacks. Lest we forget, the ongoing Israel-Gaza conflict has given rise to new cyber threats. Researchers uncovered a spyware campaign that mimicked a rocket alerting app.