Cyware Weekly Threat Intelligence - September 19–23
Weekly Threat Briefing • Sep 23, 2022
In a bid to make digital infrastructure resilient, the Biden Administration has launched a cyber grant program of up to $1 billion. The program is meant to address the enormous challenge state and local governments face in defending against cyber threats. Meanwhile, the NSA and CISA have issued new guidance to improve the security of ICS/OT networks. It builds on the 2021 guidance on stopping malicious ICS activity against connected OT and the 2020 guidance on reducing OT exposure.
Another week, another attack on a DeFi protocol was reported, with crypto trading firm Wintermute the latest victim. The firm lost over $160 million in crypto assets. A major US airline and a fintech startup also had their customers' personal information compromised after falling victim to phishing attacks.
In a technical report on the cyberattacks against the Albanian government, the FBI and CISA revealed that the Iranian actors had obtained access to the networks approximately 14 months before launching the attacks. The attackers used ransomware and disk-wiping malware against their victims.
Frontline operations in Suffolk County, New York, came to a halt following a ransomware attack. With all the systems impacted, the 911 operators were forced to work with pen and paper.
Cryptocurrency market maker Wintermute was breached, with attackers stealing $162.5 million worth of cryptocurrency from the company's DeFi business. The attackers used a leaked private key to call a privileged function and replace the protocol's swap contract with one of their own. This is the fifth-largest cryptocurrency theft so far this year.
American Airlines reported a data breach affecting the names, birth dates, mailing addresses, and passport numbers of its customers. The incident occurred after a small number of employee email accounts were compromised through phishing emails.
Fintech startup Revolut also confirmed a data breach that affected around 50,000 of its customers. The attackers gained unauthorized access to the personal information of customers.
Hive ransomware claimed an attack on the New York Racing Association (NYRA). The attack took place on June 30 and resulted in the exfiltration of customers’ data such as their Social Security Numbers, health records, and health insurance information.
American video game publisher 2K confirmed that its help desk platform was hacked and used to infect customers with RedLine Stealer malware. The malware was distributed via fake support tickets.
The enhanced spell-checking features in Google Chrome and Microsoft Edge were found to leak sensitive user information when users filled out forms on websites or cloud-based web services: with these features enabled, the text typed into form fields is transmitted to the browser vendor's servers for checking. The issue, dubbed 'Spell-jacking,' could affect users of various enterprise applications, including Alibaba, Amazon Web Services, Google Cloud, LastPass, and Office 365.
A phishing email that appeared to be from British email security firm Egress was used to trick Microsoft users into sharing their credentials. The threat actors used a valid sender signature to bypass email security filters.
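The usual application-side mitigation for spell-jacking is to mark sensitive fields with spellcheck="false" so the browser never submits their contents to a remote spell-check service. The audit script below is an added example, not code from Cyware or from the researchers who reported the issue; it parses form markup with Python's standard-library HTML parser and flags fields that look sensitive but still allow spell-checking. The field-name heuristics and the sample form are constructed assumptions, not taken from any of the affected products.

```python
"""Audit HTML form markup for fields exposed to browser spell-check
('spell-jacking').

Added example, not code from the original briefing or from any of the
vendors named in it. Assumption: sensitive <input> and <textarea>
elements should carry spellcheck="false". The name patterns below are a
constructed heuristic; extend them to match your own field naming.
"""
from html.parser import HTMLParser
import re

# Input types that hold secrets or personal data. A password field is
# flagged too: "show password" toggles typically switch it to type=text,
# and the spellcheck attribute is what keeps it safe after that switch.
SENSITIVE_TYPES = {"password", "email", "tel"}

# Heuristic match on name / id / autocomplete for PII-looking fields.
SENSITIVE_NAME_RE = re.compile(
    r"(pass|pwd|secret|token|ssn|social|passport|dob|birth|card|cvv|iban|account)",
    re.IGNORECASE,
)


class _FormFieldCollector(HTMLParser):
    """Collect (tag, attributes) for every input and textarea."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "textarea"):
            # attrs is a list of (name, value); value is None for bare attrs
            self.fields.append((tag, {k: (v or "") for k, v in attrs}))


def is_sensitive(tag, attrs):
    """True when the field's type or naming suggests secret or personal data."""
    if attrs.get("type", "").lower() in SENSITIVE_TYPES:
        return True
    return any(
        SENSITIVE_NAME_RE.search(attrs.get(key, ""))
        for key in ("name", "id", "autocomplete")
    )


def spellcheck_disabled(attrs):
    """Only an explicit spellcheck="false" opts the field out."""
    return attrs.get("spellcheck", "").strip().lower() == "false"


def find_spelljacking_risks(html):
    """Return (tag, name-or-id) for every sensitive field a browser may still
    spell-check."""
    parser = _FormFieldCollector()
    parser.feed(html)
    risks = []
    for tag, attrs in parser.fields:
        if is_sensitive(tag, attrs) and not spellcheck_disabled(attrs):
            risks.append((tag, attrs.get("name") or attrs.get("id") or "<unnamed>"))
    return risks


# Constructed sample form for illustration; not from any real site.
SAMPLE_FORM = """
<form action="/login" method="post">
  <input type="text" name="username" spellcheck="false">
  <input type="password" name="password">
  <input type="text" id="passport_number">
  <textarea name="comments"></textarea>
  <input type="text" name="ssn" spellcheck="false">
</form>
"""

if __name__ == "__main__":
    for tag, label in find_spelljacking_risks(SAMPLE_FORM):
        print(f"RISK: <{tag}> '{label}' is sensitive but lacks spellcheck=\"false\"")
```

Run against rendered templates or a crawled copy of the application's pages; the two hits on the sample form are the password field and the passport-number field. Disabling spell-check on the field is a defence-in-depth measure for the site owner; users can also turn the enhanced spell-check feature off in their browser settings.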
Phishing actors are abusing LinkedIn’s Smart Link feature to bypass email security products. This can enable the bad actors to redirect users to phishing pages designed to steal their payment information.
The UK and international allies issued a joint advisory highlighting new threats from cyber actors affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC). The advisory reveals that the attackers are exploiting known vulnerabilities on inadequately protected networks to gain access for ransomware operations.
Threat actors exploited Redis servers that were exposed to the internet without authentication, targeting over 39,000 of them to deploy the XMRig cryptominer. Most of the affected servers were located in China, followed by Germany and Singapore.
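A Redis instance that answers commands before any AUTH is the condition this campaign relied on. The probe below is an added example, not code from the report the briefing summarises; it speaks the RESP wire protocol directly so it runs without redis-cli or a client library, sends a single PING, and classifies the reply. The host and port are assumptions, and the reply strings used in the tests are constructed from Redis's well-known reply formats.

```python
"""Probe a Redis endpoint for unauthenticated command execution.

Added example, not code from the original briefing. Classification of
the server's first reply to PING:

    +PONG                       -> commands accepted without AUTH
    -NOAUTH Authentication ...  -> requirepass / ACL in force (good)
    -DENIED ... protected mode  -> protected-mode refused us (good)

Host/port are assumptions supplied by the caller.
"""
import socket
import sys


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        out.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(out)


def classify_reply(reply: bytes) -> str:
    """Map the first reply line onto a finding."""
    line = reply.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "UNAUTHENTICATED"
    if line.startswith(b"-NOAUTH"):
        return "AUTH_REQUIRED"
    if line.startswith(b"-DENIED"):
        return "PROTECTED_MODE"
    return "UNKNOWN"


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send PING, and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("PING"))
        data = b""
        while b"\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:  # server closed the connection
                break
            data += chunk
    return classify_reply(data)


if __name__ == "__main__":
    # Usage: python redis_probe.py <host> [port]   (host/port are assumptions)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(f"{target_host}:{target_port} -> {probe_redis(target_host, target_port)}")
```

An UNAUTHENTICATED result on an internet-facing address is the exposure this campaign abused. The fixes are in redis.conf: set requirepass (or ACL users), keep protected-mode yes, bind only to the interfaces that need it, and rename or disable CONFIG on instances that do not require it. Only probe hosts you are authorised to test.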
Microsoft warned of an ongoing large-scale click fraud campaign targeting gamers by stealthily deploying extensions on their systems. A threat cluster tracked as DEV-0796 is behind this campaign.
The City of Quincy, Illinois, recently revealed that the personal information (SSNs, names, and health insurance information) of some residents was potentially compromised in a data breach earlier this year.
Australia-based telecommunications provider Optus disclosed that it is dealing with a cyberattack that might have affected its customers' personal data. The information that may have been exposed includes customers' names, dates of birth, phone numbers, ID document numbers, and email addresses.
GitHub is warning of an ongoing phishing campaign that leverages fake CircleCI notifications to target its users. CircleCI has also posted a notice on its forum to raise awareness of the malicious campaign.
An unpatched 15-year-old Python flaw has slithered into software worldwide, leaving multiple applications vulnerable to remote code execution. Given how widely the affected code is reused, the vulnerability opens the door to large-scale software supply chain attacks.
There is rising concern about LockBit spinoff groups since the leak of the LockBit Black builder.
The BlackCat ransomware gang has revised its double extortion strategy, adding a new version of the ExMatter exfiltration tool to its arsenal.