Cyware Daily Threat Intelligence, December 23, 2020


Researchers have deciphered a lesser-known attack technique that was part of the recently disclosed SolarWinds supply chain attack. Dubbed Golden SAML, the technique gives threat actors a way to maintain persistent access to all of an enterprise’s ADFS federated services.

Two cyberespionage campaigns associated with the notorious Lazarus threat actor gang have also been tracked by researchers. These attacks involved the use of wAgent malware.

In a major update, the recently discovered Pay2Key ransomware has been found to be the work of the Iranian-linked Fox Kitten hacking group.

Top Breaches Reported in the Last 24 Hours

iSofH affected
Vietnamese tech firm Innovative Solution for Healthcare (iSofH) has leaked 12 million records due to a misconfigured Elasticsearch database. The database was also struck by the infamous Meow attacker. The exposed records include information such as full names, dates of birth, email addresses, and passport details of roughly 80,000 patients and healthcare staff.

Lazarus’s attack campaign
Researchers have uncovered two attack campaigns linked to the notorious Lazarus group. The first one is an attack against a government health ministry on October 27, which resulted in the compromise of two Windows servers. The second one involves a pharmaceutical company that was breached on September 25. The malware used in both attacks was wAgent.

TennCare members hit
TennCare has announced a security breach impacting certain TennCare members. According to the statement, around 3,300 Medicaid members in the state of Tennessee have been notified of the issue.

Top Malware Reported in the Last 24 Hours

New updates on Pay2Key ransomware
Iranian-backed hacking group Fox Kitten has been linked to the Pay2Key ransomware that was recently used against organizations in Israel and Brazil. The hacking group has been active since at least 2017 and is known for orchestrating and participating in cyberespionage and data theft campaigns. The group has also sold access to compromised corporate networks on underground forums.

Golden SAML attack vector
The recently disclosed SolarWinds campaign has drawn the attention of researchers to a dangerous Active Directory Federation Services (ADFS) bypass technique. Dubbed Golden SAML, the technique gives threat actors a way to maintain persistent access to all of an enterprise’s ADFS federated services.

Top Scams Reported in the Last 24 Hours

COVID-19 vaccine fraud scheme
The FBI is warning of ongoing COVID-19 vaccine phishing schemes that aim to steal personal information from users. Potential indicators of such fraudulent activity include offers for early access to vaccines conditioned by payment in advance, requests to pay out to receive a vaccine or to get added to a waiting list, and offers to ship doses of the vaccine in exchange for money transfers.

Facebook message scam
An ongoing Facebook message scam is luring users into parting with their funds. The message appears to come from a person known to the user and asks for financial help.

Tags

wagent
active directory federation services adfs
pay2key ransomware
solarwinds supply attack chain
facebook message scam

Posted on: December 23, 2020
