Cyware Weekly Threat Intelligence - September 04–08

Weekly Threat Briefing • Sep 8, 2023
With cyberattacks against K-12 schools on the rise, CISA is seeking commitments from ed-tech software manufacturers to design products that are more secure. The new initiative launched by the agency as part of this effort is intended to bolster cybersecurity in K-12 schools. Meanwhile, the U.S. and U.K. governments this week issued new sanctions against members involved in TrickBot/Conti operations. The development comes after both governments sanctioned seven members earlier this year, in February.
Unfortunately, it remains an uphill task for organizations to protect the sensitive information of individuals. An Alabama-based pediatric dental care provider disclosed a cyberattack that impacted the personal and health details of nearly 130,000 patients, parents, and employees. In a separate incident, an online item exchange platform confirmed a widespread breach that resulted in the exfiltration of data belonging to over seven million users. Apart from data breaches, a global investment fraud campaign made the headlines for duping users worldwide and making a profit of $280,000.
Alabama-based Acadia Health LLC, which operates as Just Kids Dental, disclosed that the sensitive information of nearly 130,000 patients, parents, and employees was compromised in a recent cyberattack. The compromised details included names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, driver's license numbers, health insurance policy information, and treatment information.
The Coffee Meets Bagel dating platform confirmed a cyberattack caused by hackers breaching the company’s systems and wiping sensitive data. This impacted the normal operations of production servers, which were immediately re-established with the help of the technology team.
Threat actors stole over $40 million in cryptocurrency from the crypto casino platform Stake after gaining unauthorized access to its Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets. Meanwhile, the firm assured that user funds were safe.
Developers associated with npm, PyPI, and RubyGems repositories were targeted in an organized cybercrime operation that gathered basic system information (OS details and available free memory) and exfiltrated it to a server controlled by the attackers. The campaign was designed to target only macOS systems.
Ten years’ worth of pathology referral letters and other sensitive details such as patient names, contact details, and Medicare numbers were exposed in a cybersecurity incident affecting the Melbourne-based pathology clinic TissuPath. The Russia-based BlackCat group claimed responsibility for the attack, threatening to release 4.95TB of data stolen from the firm.
In a joint advisory, CISA revealed that an Iranian hacking group exploited critical Zoho and Fortinet vulnerabilities to breach a U.S. aeronautical organization. The flaws in question were CVE-2022-47966 and CVE-2022-42475, which enabled the attackers to establish persistence on the organization’s firewall devices and move laterally through its networks.
Google reported that North Korean state hackers were involved in a campaign that exploited a zero-day flaw in an undisclosed popular software to target security researchers. The attackers used Twitter and Mastodon to lure researchers into switching to encrypted messaging platforms like Signal, Wire, or WhatsApp. Once communication was established, the attackers sent them malicious files designed to exploit the flaw.
Cybercriminals abused the Google Looker Studio service to create fake cryptocurrency phishing websites that stole the account details of digital asset holders. These fake websites were propagated via phishing emails, informing recipients that they had won roughly 0.75 Bitcoin ($19,200) as part of their participation in Google’s premium cryptocurrency insights and trading strategies program.
The city council of Seville, Spain, is still recovering from an alleged ransomware attack by the LockBit group. The attack began on September 4 and has affected a broad range of services, including police, firefighters, and tax collection. Officials are still investigating the incident.
Group-IB researchers warned of a major global investment fraud campaign that leveraged nearly 900 scam pages to target users in the Middle East and Africa region. These pages impersonated organizations in the financial and insurance, stock trading, oil and gas, and construction sectors. Scammers managed to steal around $280,000 between March and June as part of the campaign.
See Tickets suffered its second web skimming attack within a year, which enabled threat actors to access customers’ payment data. The information includes debit or credit card numbers, access codes, passwords, and PINs of more than 323,000 customers.
The ShinyHunters group claimed to have stolen more than 30 million customer order records from Pizza Hut Australia, in addition to the personal information of more than one million customers. The data was stored in an unsecured Amazon Web Services bucket used by the pizza chain.
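Exposed storage buckets are a recurring cause of the kind of bulk data theft described above. As an added defensive example (not part of the original briefing, and not a description of how the Pizza Hut Australia bucket was actually configured), the script below audits an S3 bucket policy document and flags `Allow` statements that grant access to an anonymous principal (`"*"`). The two policies are constructed samples; the bucket name and IAM role ARN are placeholders.

```python
import json

# Constructed sample policies for demonstration only (not from any real incident).
# A bucket policy that grants read and list access to everyone on the internet.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-orders-bucket",
                     "arn:aws:s3:::example-orders-bucket/*"],
    }],
})

# The corrected form: only a specific IAM role (placeholder account id) may read objects.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-service"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-orders-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields such as Action, Resource and Principal values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement's Principal is the wildcard '*' (bare or inside {"AWS": ...})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def find_public_grants(policy_json):
    """Return one finding per Allow statement whose Principal is anonymous.

    A statement with a Condition block (for example aws:SourceVpce or
    aws:PrincipalOrgID) may not actually be public, so it is reported with
    conditioned=True for manual review rather than silently ignored.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def is_public(policy_json):
    """True if any anonymous Allow grant has no Condition limiting it."""
    return any(not f["conditioned"] for f in find_public_grants(policy_json))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", "PUBLIC" if is_public(policy) else "ok", find_public_grants(policy))
```

In practice the policy document would come from `get-bucket-policy` output; the same check belongs alongside verifying that the account-level S3 Block Public Access settings are enabled, which would have prevented the public grant from taking effect regardless of the policy text.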
Used item exchange portal Freecycle suffered a security breach after a hacker gained access to its systems and stole the account details of more than seven million users. The stolen data includes usernames, emails, and passwords, which are now being sold on underground hacking forums.
That’s not all! A new phishing kit, capable of helping adversaries conduct scams and impersonation attacks, was observed gaining traction in the cyber threat landscape. Researchers revealed that the kit has been used by around 500 cybercriminals to target more than 56,000 Microsoft 365 corporate accounts. In other headlines, advanced versions of the Chaes malware and the Atomic macOS Stealer (AMOS) emerged to target organizations and users in separate campaigns. There’s also an important piece of news for organizations using the vulnerable MinIO Object Storage systems; attackers were found exploiting two flaws in the systems.