Cyware Weekly Threat Intelligence - September 16–20
Weekly Threat Briefing • Sep 20, 2024
German law enforcement dealt a double blow to cybercriminals: it first dismantled infrastructure used by the Vanir Locker ransomware group, then, in a separate operation, took down 47 cryptocurrency exchanges used for illegal money laundering, redirecting their users to an Operation Final Exchange page that exposes the platforms' deceptive activities. CISA and the FBI are calling on software manufacturers to rethink their approach, issuing a Secure by Design Alert to tackle the widespread occurrence of cross-site scripting (XSS) vulnerabilities.
Microsoft flagged Vanilla Tempest as the latest ransomware affiliate preying on the U.S. healthcare sector. In a recent attack, the Storm-0494 group deployed the INC ransomware and leveraged malware such as Gootloader and Supper to breach networks. GitHub users are under fire as cybercriminals weaponize the platform, spreading Lumma Stealer through fake vulnerability issues and phishing email alerts. The Russian Key Group is deploying Chaos ransomware to encrypt files and steal data, leaving victims with little hope of recovery: the group disables system recovery, leaves files scrambled, and uses Telegram channels to demand ransom payments.
Earth Baxia exploited a GeoServer vulnerability in spear-phishing attacks targeting government networks in Taiwan and the APAC region. Using tools such as GrimResource and EAGLEDOOR, the group compromised energy and telecom sector firms across South Korea, Vietnam, and Thailand. UNC2970 used fake job offers in the energy and aerospace sectors to deliver the MISTPEN backdoor through a trojanized SumatraPDF, gaining access to critical infrastructure via phishing lures. CISA urged immediate patching of an Apache HugeGraph-Server flaw after reports of active exploitation.