Cyware Weekly Threat Intelligence - October 30–03

Weekly Threat Briefing • Nov 3, 2023
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Nov 3, 2023
To keep pace with the rapidly changing digital threat landscape, MITRE and FIRST have released new versions of the ATT&CK and CVSS frameworks to assess emerging threats and new vulnerabilities, respectively. While the new iteration of the ATT&CK framework (v14) incorporates more information on attackers’ tactics against mobile and ICS matrices, the new version of CVSS (v4.0) comes with additional security metrics to denote the severity of vulnerabilities.
The Forum of Incident Response and Security Teams (FIRST) officially released a new version (v4.0) of CVSS, eight years after the release of CVSS v3.0 in June 2015. The latest version addresses some of the shortcomings in the previous version by providing additional metrics such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U). It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.
MITRE has announced the release of version 14 of the ATT&CK framework, bringing improvements to ICS, and mobile matrices. The new version covers a total of 760 pieces of software, 143 activity clusters (groups), and 24 campaigns across enterprise, mobile, and ICS. The mobile category has been expanded to include various types of phishing (smishing, quishing, and vishing), with structured detection methods. Additionally, the version has been enhanced to include significant detection analytics by drawing relationships between detection, data sources, and mitigations.
The U.S. and a consortium of 49 countries plan to sign an agreement, as part of the International Counter Ransomware Initiative, to not pay ransomware to cybercriminals. This comes as the number of ransomware attacks grows worldwide, with attendee nations pledging to improve information sharing about crypto payment accounts used by the ransomware actors. Additionally, the U.S. DoT will circulate the list of blacklisted digital wallets used by threat actors.
On the cyberattacks and data leaks front, a major ransomware attack on western Germany paralyzed its services, including payments, emails, and phones, of 70 local municipalities. A major data leak impacting the COVID-19 test details of nearly 815 million Indians was also reported after a threat actor was found selling the stolen data on the dark web. Besides these, a critical Citrix Bleed vulnerability was exploited in different campaigns targeting government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.
According to crypto fraud researchers, hackers stole $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases. Once the hackers gained access to the information, they loaded the wallets on their devices and drained funds. The amount was stolen from over 25 victims affected in a LastPass breach in 2022.
Mandiant researchers uncovered four active campaigns leveraging the Citrix Bleed vulnerability (CVE-2023-4966) to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. The flaw affects Citrix NetScaler ADC and Gateway appliances, allowing threat actors to access sensitive information on devices. All four campaigns extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz.
The aerospace giant, Boeing, confirmed that its systems were compromised by the LockBit ransomware group. While an investigation is underway, the firm disclosed that it has begun notifying customers and suppliers about the incident. Meanwhile, the attackers had given the company until November 2 to pay the ransom or have their sensitive files released publicly.
A ransomware attack paralyzed 70 local municipalities in western Germany. As a result, most of the administration’s online services, including those of Wermelskirchen and Burscheid, remained unavailable and the administrations of Siegen canceled appointments with citizens.
An unprotected Elasticsearch instance belonging to World-in-HD (WiHD), a popular torrent tracker specializing in HD movies, exposed 97,327 accounts, including the email and passwords of users. The exposed data also included service information and hashed passwords for all the users. Threat actors can gain access to this data to perform illicit activities.
Data of almost 5,000 Okta employees was accessed in a third-party data breach that occurred on October 12. In a breach notification, the firm revealed that attackers stole a file containing names, Social Security numbers, and medical insurance details of current and former employees.
The COVID-19 test details of nearly 815 million people were dumped on the dark web and put up for sale by cybercriminals. The data sample, which amounted to over 90 GB, was in the possession of the Indian Council of Medical Research (ICMR). It included names, phone numbers, and addresses of individuals.
The BlackCat ransomware gang added healthcare giant Henry Schein to its dark web leak site, claiming that it stole 35 TB of their data, including payroll data and shareholder information. The group asserted that they had re-encrypted the company's devices after a failed negotiation with the victim firm, who nearly completed system restoration. Additionally, they have threatened to release internal payroll and shareholder data on a daily basis.
The British Library and the Toronto Public Library suffered major IT outages due to cyberattacks. While the attack at the British Library impacted some of its online services and public Wi-Fi, the attack at the Toronto Public Library disrupted its website, account features, digital collections, and printing services.
In the new threat landscape, threat actors took advantage of the ongoing Israel-Hamas conflict in an attempt to deploy a new wiper called BiBi Linux Wiper against Israeli entities. In other prominent news, the Russia-based Turla group introduced a new version of the Kazuar backdoor that supports over 40 malicious commands to take control of victims’ systems and pilfer sensitive data. A two-year-long cryptojacking campaign, dubbed EleKtra-Leak, was also discovered, raising security concerns about IAM credentials stored in GitHub repositories.