Cyware Daily Threat Intelligence
Daily Threat Briefing • Nov 16, 2023
It’s ransomware’s world and we are just living in it! Security researchers have put forward evidence of the ALPHV/BlackCat ransomware group launching a series of cyberattacks using deceptive Google search ads to distribute the Nitrogen malware (disguised as legitimate software tools). The attacks targeted businesses and public entities. Meanwhile, a joint advisory from federal agencies underlines the threat emerging from the ever-expanding Rhysida ransomware attacks.
Patch update - Citrix has released hotfixes for a high-severity 'Reptar' flaw affecting Intel CPUs, which can cause system instability, and for a second vulnerability that threatens AMD-based hosts using PCI device passthrough.
Samsung U.K. online store faces data breach
Samsung Electronics suffered a data breach impacting customers who made purchases from the Samsung U.K. online store between July 1, 2019 and June 30, 2020. The breach, disclosed a couple of days back, involved the exploitation of a vulnerability in a third-party business application, exposing personal information such as names, phone numbers, addresses, and email addresses. Samsung emphasized that financial information and passwords were unaffected.
Breach update on PJ&A and TPL
Nevada-based medical transcription company Perry Johnson & Associates (PJ&A) revealed that the data breach on its network affected over 8.95 million individuals. At least two PJ&A customers, Northwell Health and Cook County Health, confirmed the attack. In other news, Toronto Public Library (TPL) also confirmed a ransomware attack that occurred in October, resulting in the theft of personal information of employees, customers, volunteers, and donors.
Smart Wi-Fi service provider hit by data incident
Plume, a smart Wi-Fi service provider, allegedly fell victim to a data breach. The perpetrators, who announced the intrusion on Breach Forums, claimed to have stolen over 20GB of the company's Wi-Fi database, containing over 15 million lines of data. Plume has not confirmed the breach but is investigating the claims. Dissatisfied with Plume's response, the attackers released two CSV files allegedly containing data of its customers and employees.
BlackCat drops Nitrogen using Google Ads
The BlackCat ransomware gang is targeting corporations and public entities using Google ads that lead to installers laced with the Nitrogen malware, according to cybersecurity company eSentire. The threat actor is using Google ads to promote popular software, including Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect, to lure business professionals across the Americas and Europe to attacker-controlled websites. The rogue installers promoted in the ads contain Nitrogen, an initial access malware capable of delivering next-stage payloads, including ransomware.
Warning against opportunistic Rhysida ransomware
The Rhysida ransomware group has been engaging in opportunistic attacks targeting organizations across various industry sectors, according to a joint advisory by the CISA, the FBI, and the MS-ISAC. Observed operating under a RaaS model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors. The group leverages external-facing remote services, such as virtual private networks (VPNs), the Zerologon vulnerability, and phishing campaigns for initial access and to gain persistence within a compromised network.
Citrix addresses high-severity flaw in hypervisor
Citrix released hotfixes to address two vulnerabilities in the Citrix Hypervisor, including a high-severity flaw dubbed 'Reptar' that impacts Intel CPUs used in desktop and server systems. The vulnerability (CVE-2023-23583) could lead to system instability, crashes, or rare instances of privilege escalation. Citrix recommends users update promptly. Another vulnerability (CVE-2023-46835) affects Citrix Hypervisor 8.2 CU1 LTSR, potentially allowing privileged code in a guest VM to compromise an AMD-based host via a passed-through PCI device.
Novel attack methods target GCPW
A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. The attacks exploit vulnerabilities in Google Credential Provider for Windows (GCPW), allowing threat actors to extend a single endpoint compromise to a network-wide breach. Google marked the issue as not eligible for fixing, stating it's outside their threat model and the behavior is in line with Chrome's practices of storing local data.
Scammers impersonate crypto researchers and firms
Cybercriminals are impersonating cryptocurrency researchers and blockchain security firms on X to promote phishing pages targeting cryptocurrency wallets. The scammers impersonate X accounts belonging to blockchain analytics or crypto fraud research firms and researchers, such as CertiK, ZachXBT, and Scam Sniffer, to warn users about fabricated security breaches on Uniswap and OpenSea. Attackers make roughly $50,000 a day through this tactic.