
Cyware Daily Threat Intelligence, January 30, 2023


A lot has happened on the cyber front in Ukraine and Russia since the war began. The latest addition, attributed to the Russian Sandworm APT, is a set of five wiper malware families, including the new Golang-based SwiftSlicer. Also in the headlines is a disclosure by security analysts at Sonar, who reported several code vulnerabilities in OpenEMR. While a combination of two of the vulnerabilities poses a remote code execution threat, the third bug lets an attacker manipulate OpenEMR’s configuration and eventually steal confidential records.

What more? Gootkit received an upgrade, in the form of new components as well as obfuscation capabilities, and cybercriminals were observed distributing Titan Stealer malware on Telegram channels for a price.

Top Breaches Reported in the Last 24 Hours


American telecommunications firm targeted
A third-party vendor working with Charter Communications, the second largest cable operator in the U.S., exposed customer data for about 550,000 individuals. Researchers found a dark web forum post offering user data allegedly stolen from the company. The database dump contained names, account numbers, full addresses, and more.

Russians behind attack on Latvian Ministry
Gamaredon, the Russian cyber-espionage group, conducted a phishing attack on Latvia’s Ministry of Defense, the ministry revealed. The attack, though unsuccessful, targeted ministry employees with malicious emails impersonating Ukrainian government officials.

Jamaican health system impacted
The information system of the South East Regional Health Authority (SERHA) was hit by a cyberattack, disrupting some of its public services. Some of the services have since been restored, but others remain disrupted. In light of the attack, the regional health authority alerted the relevant government agencies and called for greater protection.

Top Malware Reported in the Last 24 Hours


Russia’s new data wiper tool
SwiftSlicer emerged as the latest data-wiping malware used against a target in Ukraine. The malware is deployed via Active Directory Group Policy, which lets the attacker overwrite crucial files used by the Windows operating system. In a separate report, Ukrainian officials said they were targeted by five data wiper malware families: CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). All the samples were attributed to the Russian group Sandworm.

Who’s behind Golden Chickens?
During an investigation, eSentire’s Threat Response Unit uncovered the identity of the threat actor behind the Golden Chickens Malware-as-a-Service (MaaS), who goes by the name badbullzvenom. Cybercriminals from Cobalt Group, Evilnum, and FIN6 have leveraged the services of the MaaS group, aka Venom Spider, to cause losses of over $1.5 billion in total. The service offers a variety of tools, such as Taurus Builder and More_eggs.

Gootkit gets an upgrade
The UNC2565 hacker group appears to have restructured its GOOTLOADER (or Gootkit) malware, adding new components and implementing new obfuscation techniques. Adversaries use Gootkit to drop additional malicious payloads, such as SunCrypt and REvil (Sodinokibi) ransomware, the Kronos trojan, and Cobalt Strike, on compromised systems.

Titan Stealer on Telegram
Security experts at Uptycs revealed, in a new report, that Titan Stealer malware is currently being advertised on Telegram channels. The malware can pilfer a range of information from infected Windows machines, including credentials stored in browsers and cryptocurrency wallets and FTP client details; it can also take screenshots, capture system information, and tamper with other files.

Top Vulnerabilities Reported in the Last 24 Hours


Researchers roll out exploit
Security experts with Horizon3's Attack Team will release an exploit for a vulnerability chain that lets attackers execute code remotely on unpatched VMware vRealize Log Insight appliances. According to the team, they chain three (out of four) bugs to execute code as root. All the bugs were patched last week by VMware.

Hordes of flaws in OpenEMR
Researchers uncovered three separate vulnerabilities in OpenEMR, open-source software for electronic health records (EHR) and medical practice management. By abusing two of these flaws, remote attackers can execute arbitrary commands on any OpenEMR server. This may lead to the exposure of sensitive patient information and even the collapse of critical infrastructure.

Four flaws in DNS suite
The Internet Systems Consortium (ISC) addressed four security bugs in the Berkeley Internet Name Domain (BIND) 9 DNS software suite. Several major financial firms, national and international carriers, ISPs, manufacturers, and government entities use the open-source software. Exploitation of these bugs could lead to denial-of-service (DoS) conditions and system failures.

Tags

gamaredon group
openemr
south east regional health authority
gootkit trojan
badbullzvenom
vmware vrealize log
isc berkeley internet name domain bind
charter communications
titan stealer
swiftslicer

Posted on: January 30, 2023
