Cyware Monthly Threat Intelligence

Monthly Threat Briefing Jan 4, 2024

The Good

To help safeguard Operational Technology (OT) and Industrial Control Systems (ICS), MITRE introduced a new threat model framework dubbed EMB3D. Meanwhile, U.S. federal agencies and industry partners issued an advisory on securing the software supply chain, covering open-source software (OSS) and SBOMs.

  • Increasingly prevalent data privacy threats have prompted the Federal Communications Commission's Privacy and Data Protection Task Force to partner with attorneys general of New York, Connecticut, Pennsylvania, and Illinois in consolidating resources crucial in bolstering investigations and enforcement actions on various threats. These resources also include information related to SIM swapping scams, port-out frauds, and data breaches.

  • MITRE unveiled a novel threat model framework named EMB3D to help government agencies and private organizations safeguard their OT and ICS. It offers a knowledge base on cyber threats to embedded devices, enabling users to map these threats with vulnerabilities using frameworks like CWE, CVE, and MITRE ATT&CK. The framework suggests mitigations, emphasizing technical mechanisms for device vendors to implement against specific threats. It is set for public release in early 2024.

  • The NSA, the ODNI, the CISA, and industry partners released a joint advisory to bolster security against software supply chain attacks. The guidance primarily covers how to manage and maintain SBOMs and open-source software. It also details what to consider when adopting open-source software and how to distribute approved software components using an SBOM.

  • NASA released its first Space Security Best Practices Guide, a 57-page document aimed at improving cybersecurity for future space missions. The guide leverages security controls outlined in the NIST’s Special Publication 800-53 and serves as a translation guide between NIST verbiage and NASA flight project language. It aims to enhance cybersecurity not only for NASA's missions but also for its international partners and the growing space industry. The guide provides principles applicable to various organizations and space missions, addressing risks such as cyberattacks on ground systems, communications jamming, and spoofing attempts.
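The advisory's point about distributing only approved components via an SBOM is easiest to see as a concrete check. The script below is an added example, not code from the advisory, CISA or Cyware: it takes a CycloneDX SBOM (the JSON is a constructed sample) and compares each component's package URL against a hypothetical allow-list of approved packages and versions, reporting anything that is unknown or pinned to an unapproved version.

```python
"""Check a CycloneDX SBOM against an allow-list of approved components.

Added example (not from the advisory or Cyware); the SBOM below is a
constructed sample and the allow-list is hypothetical.
"""
import json

# Constructed CycloneDX 1.5 JSON: three components, one not on the approved
# list at all and one whose version differs from the approved versions.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5"},
    ],
})

# Hypothetical allow-list: purl without version -> set of approved versions.
APPROVED = {
    "pkg:pypi/requests": {"2.31.0"},
    "pkg:pypi/urllib3": {"2.0.7", "2.1.0"},
}


def split_purl(purl):
    """Return (base, version) for a purl such as pkg:pypi/requests@2.31.0.

    Qualifiers (?...) and subpaths (#...) are stripped first so that they
    cannot hide the version component from the comparison.
    """
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def audit_sbom(sbom_text, approved):
    """Return (purl, reason) findings for every component that is not on the
    allow-list or is present at a version that was not approved."""
    bom = json.loads(sbom_text)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # A component without a purl cannot be matched; treat as a finding.
            findings.append((comp.get("name", "?"), "no purl"))
            continue
        base, version = split_purl(purl)
        if base not in approved:
            findings.append((purl, "not on allow-list"))
        elif version not in approved[base]:
            findings.append((purl, "version not approved"))
    return findings


if __name__ == "__main__":
    for purl, reason in audit_sbom(SAMPLE_SBOM, APPROVED):
        print(f"{purl}: {reason}")
```

Run against a real SBOM, replace `SAMPLE_SBOM` with the file contents and `APPROVED` with the organisation's approved component list; a non-empty result is the gate that should block distribution of the build.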

The Bad

Ohio Lottery and Yakult Australia have been hit by DragonForce, a relatively new ransomware group. In a separate incident, Iran experienced a nationwide cyberattack on gas stations. Additionally, an unprotected 1.16TB database belonging to Real Estate Wealth Network was found exposing records.

  • The Ohio Lottery faced a cyberattack on Christmas Eve, leading to the shutdown of some key systems. While the gaming system remained operational, certain services, such as mobile cashing, prize cashing above $599 at Super Retailers, and the display of winning numbers for KENO, Lucky One, and EZPLAY Progressive Jackpots, were affected. DragonForce claimed responsibility for the attack, stating it stole over 600GB of data.

  • Yakult Australia, the manufacturer of a popular probiotic milk drink, fell victim to a cyber incident, allegedly by the DragonForce group. The group claimed to have pilfered 95GB of data belonging to the company. The leaked data includes company databases, contracts, passports, and other sensitive information. The company's IT systems in both Australia and New Zealand were affected, but operations remained open.

  • LoanCare, a subsidiary of Fidelity National Financial (FNF), has reported a data breach to state regulators following a cyberattack in November. The breach, claimed by the ALPHV/Blackcat ransomware gang, resulted in unauthorized access to FNF’s IT network. The hackers were able to obtain personal information, including names, addresses, social security numbers, and loan numbers of 1,316,938 individuals.

  • Iran confirmed a nationwide cyberattack that disrupted the operations of 70% of gas stations. An Israel-linked hacking group called Predatory Sparrow claimed responsibility for the attack, adding that it breached the central servers of gas stations and gained access to specific station information, payment system details, and management systems.

  • An unprotected 1.16TB database leaked the real estate records of several people, including major celebrities. The database belonged to Real Estate Wealth Network and contained 1.5 billion records spanning from April 2022 to October 2023. It is unclear how long the database was exposed or who else may have accessed the data, but researchers reported that user names, phone numbers, emails, and device information were among the leaked data.

  • A passwordless MongoDB database belonging to Goyzer was found leaking details of around 690,000 customers before it was secured. The exposed details included names, email addresses, phone numbers, and scanned copies of receipts, checks, contracts, and IDs. According to security researchers, the specific database was populated with data about customers from Dubai.

  • A ransomware attack on cold storage giant Americold affected nearly 130,000 people, including current and former employees. Investigation revealed that details like names, addresses, Social Security numbers, passport numbers, financial information, and medical information were compromised in the incident.

  • Kentucky-based Norton Healthcare confirmed that attackers stole around 2.5 million users’ data in the May ransomware attack. The data included driver’s licenses, government ID numbers, financial information, and digital signatures of people. Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries were also impacted by the incident.

  • Healthcare device manufacturer LivaNova PLC fell victim to the LockBit ransomware group. The attack, detected on December 9, allegedly exposed 2.2TB of sensitive data, including product specifications, employee information, financial documents, and more. The threat actor has uploaded the stolen data to its leak site and set a deadline for its potential public release.

  • A hacker group going by the name Malek Team leaked 500GB of data, including 70,000 documents, stolen from Ziv Medical Center. The data, leaked on a Telegram channel, dates back to 2022 and contains personal and medical information of patients and Israeli soldiers. Meanwhile, the investigation is ongoing to determine whether an information leak occurred.

  • The notorious Akira ransomware group added two organizations, Compass Group Italia and Aqualectra Utility, to its list of victims. The group obtained 107GB of sensitive data from Compass Group Italia, while payment records and business documents were stolen from the utility provider.

  • Andariel, linked to the Lazarus APT, was accused of stealing anti-aircraft system data from South Korean companies connected to the defense industry. According to investigators in Seoul, the attackers specifically targeted defense companies as well as research institutes and pharmaceutical companies and stole 1.2TB of data in the attacks.
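Two of the incidents above (the Real Estate Wealth Network exposure and the passwordless Goyzer MongoDB instance) share the same root cause: a database reachable from the internet that asks for no credentials. The script below is an added example, not code from the researchers or the companies involved; it audits a `mongod.conf` for the two settings that produce that condition, `net.bindIp` / `net.bindIpAll` and `security.authorization`, and shows a constructed weak configuration beside a hardened one. The YAML parser is a deliberately small subset (key/value pairs and indentation only) so the script runs without third-party libraries.

```python
"""Audit a mongod.conf for internet-exposed, unauthenticated configuration.

Added example (not from the researchers or the affected companies). Both
configuration samples are constructed for illustration.
"""

# Constructed weak configuration: listens on every interface and, because no
# security.authorization key is present, mongod's default of "disabled" applies.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed hardened configuration: loopback plus one internal address
# (10.0.0.5 is a placeholder), with role-based authorization switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the key/value-plus-indentation subset of YAML that mongod.conf
    uses. Not a full YAML parser: no lists, anchors or multi-line scalars."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while indent <= stack[-1][0]:  # back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings describing why this configuration would
    expose data to anyone who can reach the port."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    findings = []

    # mongod defaults: bindIp 127.0.0.1, bindIpAll false.
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("listens on all interfaces")

    # mongod default: security.authorization is "disabled".
    if sec.get("authorization", "disabled") != "enabled":
        findings.append("authorization not enabled (no credentials required)")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Either finding on its own is a problem; the two together are exactly the "passwordless database on the internet" pattern behind both disclosures. Fixing only the bind address still leaves every host on the internal network with full read access, so `authorization: enabled` is the change to make first.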

New Threats

Kimsuky brings a new twist to its spear-phishing attacks, while Carbanak evolved with ransomware tactics. Additional threats from the last month include Fancy Bear's HeadLace campaign, the China-linked KV-Botnet, pfSense vulnerabilities, Cisco IOS exploits, MrAnon Stealer, and more.

  • The North Korean group Kimsuky has been observed using spear-phishing attacks to deliver various backdoors and tools, including AppleSeed, Meterpreter, and TinyNuke, to compromise targeted machines. Cybersecurity firm AhnLab attributed the activity to Kimsuky. The group's espionage campaigns involve spear-phishing attacks with malicious lure documents that deploy different malware families, with a notable Windows-based backdoor being AppleSeed.

  • Cybercriminals breached the fan expansion "Downfall" for the game Slay the Spire, distributing the Epsilon information stealer malware through the Steam update system. The compromised package was a standalone modified version, not a mod installed via Steam Workshop. The attackers compromised one of the developers' Steam and Discord accounts, allowing them to control the mod's Steam account. The malware collects cookies, saved passwords, credit card details, and more from browsers, as well as Steam and Discord information.

  • According to cybersecurity firm NCC Group, Carbanak, a notorious banking malware, has evolved to incorporate ransomware attacks with updated tactics. In recent attacks observed in November 2023, Carbanak was distributed through compromised websites impersonating various business-related software such as HubSpot, Veeam, and Xero. The malware, initially known for banking fraud, has been utilized by the FIN7 cybercrime syndicate.

  • ESET Research discovered 116 malicious packages on the PyPI repository. These packages infected both Windows and Linux systems and were used to deliver either a W4SP stealer variant or a clipboard monitor designed to steal cryptocurrency. In some cases, a backdoor was delivered in the final stage to execute arbitrary commands, exfiltrate data, and take screenshots. These packages were downloaded over 10,000 times.

  • An attack campaign associated with Fancy Bear was observed using lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. The campaign targeted critical infrastructure organizations across Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The infection chain exploited a WinRAR flaw, CVE-2023-38831, to propagate the backdoor.

  • Researchers linked a sophisticated botnet, tracked as KV-Botnet, to the China-linked Volt Typhoon threat actor. The botnet is designed to target SOHO devices and VPN devices, some of which have reached End-of-Life. The botnet has been active since at least 2022 and, based on its target scope, it is believed that attackers are using it for espionage and information gathering.

  • A month after Netgate made patches available, around 1,459 pfSense instances were found vulnerable to command injection and cross-site scripting flaws, allowing attackers to perform remote code execution on the appliance. The flaws are tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection).

  • The Shadowserver Foundation observed a spike in the number of devices hacked via recently patched Cisco IOS vulnerabilities. As part of the attacks, threat actors exploited the flaws (CVE-2023-20198 and CVE-2023-20273) to create high-privileged accounts and deploy a Lua-based backdoor implant, taking over 23,000 vulnerable devices, mainly in Mexico and Chile.

  • Security researchers discovered the Krasue RAT, which has been targeting the Linux systems of telecommunications companies since 2021. The malware is based on code from three open-source projects (Diamorphine, Suterusu, and Rooty) and includes seven variants of a rootkit that supports multiple Linux kernel versions. It is believed either to be deployed through a botnet or sold by initial access brokers. Research highlights that the attacks are limited to telecommunications companies in Thailand.

  • Over 15,000 Go module repositories on GitHub were found to be vulnerable to repojacking, a supply chain attack that exploits changes in GitHub usernames and account deletions. Of these, over 9,000 repositories were at risk due to GitHub username changes, while more than 6,000 were vulnerable due to account deletions. This issue particularly affects Go modules because they are decentralized, allowing attackers to register unused usernames, duplicate module repositories, and publish malicious modules.

  • Cado Security spotted a new version of the P2PInfect botnet targeting MIPS-based devices, including routers and IoT devices. The new variant includes several evasion mechanisms, such as debugger detection, anti-forensics on Linux hosts, and VM detection methods for embedded payloads, to make it more difficult for researchers to analyze. It is believed to be propagated via vulnerable SSH servers.

  • FortiGuard Labs identified an email phishing campaign that leveraged deceptive booking information to distribute a Python-based information stealer named MrAnon Stealer. The email masqueraded as a company looking to reserve hotel rooms and tricked victims into opening a malicious PDF file to learn more about booking details. The malware is designed to steal its victims' credentials, system information, browser sessions, and cryptocurrency extensions.
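The Go module repojacking item above describes a condition a project can audit for itself: a `require` entry whose `github.com/<owner>/<repo>` path no longer resolves to the original owner, because the account was renamed or deleted and the old name is free to re-register. The script below is an added example, not code from the researchers who reported the issue; it parses the `require` directives of a `go.mod` (the file shown is constructed) and classifies each GitHub-hosted module through a pluggable `lookup(owner, repo)` function. The `fake_lookup` stand-in is constructed for the example; a real resolver would query the GitHub API, where a renamed or transferred repository answers with a redirect and a deleted one with 404.

```python
"""Audit go.mod require directives for repojacking-prone GitHub modules.

Added example, not from the original research. The go.mod text and the
repository statuses below are constructed for illustration.
"""
import re

# Constructed go.mod (not a real project's file): one block require, one
# single-line require, one non-GitHub module, and an indirect dependency.
SAMPLE_GO_MOD = """\
module example.com/app

go 1.21

require (
    github.com/example-org/router v1.8.0
    github.com/old-owner/leftlib v0.3.1 // indirect
    github.com/gone-user/tooling v1.0.0
    golang.org/x/crypto v0.17.0
)

require github.com/example-org/assert v1.8.4
"""

# owner and repo are the first two path elements; deeper paths (e.g. /v2)
# belong to the same repository and are ignored for the ownership check.
GITHUB_MOD = re.compile(r"^github\.com/([^/\s]+)/([^/\s]+)")


def parse_requires(go_mod_text):
    """Return [(module_path, version)] from both single-line and block
    require directives; line comments such as "// indirect" are dropped."""
    mods = []
    in_block = False
    for raw in go_mod_text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block:
            parts = line.split()
        elif line.startswith("require "):
            parts = line.split()[1:]
        else:
            continue  # module, go, replace, exclude ... are out of scope here
        if len(parts) >= 2:
            mods.append((parts[0], parts[1]))
    return mods


def audit_repojacking(go_mod_text, lookup):
    """Flag github.com modules whose owner/repo no longer resolves as-is.

    lookup(owner, repo) must return "ok", "redirect" (repository renamed or
    transferred, so the old owner name can be re-registered) or "missing"
    (owner or repository deleted). Anything but "ok" is reported.
    """
    findings = []
    for path, version in parse_requires(go_mod_text):
        m = GITHUB_MOD.match(path)
        if not m:
            continue  # not hosted on GitHub: outside this check
        status = lookup(m.group(1), m.group(2))
        if status != "ok":
            findings.append((path, version, status))
    return findings


# Constructed stand-in for the GitHub query; unknown pairs count as deleted.
FAKE_REPOS = {
    ("example-org", "router"): "ok",
    ("old-owner", "leftlib"): "redirect",
    ("example-org", "assert"): "ok",
}


def fake_lookup(owner, repo):
    return FAKE_REPOS.get((owner, repo), "missing")


if __name__ == "__main__":
    for path, version, status in audit_repojacking(SAMPLE_GO_MOD, fake_lookup):
        print(f"{path}@{version}: {status}")
```

A `redirect` result is the precondition the research describes: the module still builds today because GitHub forwards the old name, but whoever registers that name later controls what future versions resolve to. `go.sum` and the checksum database protect versions you have already pinned, not a new version published under the hijacked name, so the fix is to move the `require` (or a `replace` directive) to the repository's current owner.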
