HC3 warns of social engineering attacks targeting health sector
The US Health Sector Cybersecurity Coordination Center (HC3) issued an alert detailing ongoing social engineering attacks targeting IT help desks in the health sector in an attempt to gain unauthorised access to systems and divert payments. Threat actors are using phone calls to impersonate an employee in a financial role, claiming their phone was broken and that their new device needs to be enrolled for multi-factor authentication. The attackers use phone numbers from a local area code to appear more legitimate. They also provide stolen ID verification details, including corporate IDs and Social Security numbers, to appear more convincing.
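The pattern HC3 describes leaves a footprint in identity audit logs: a help-desk-initiated MFA reset on a finance user, a new MFA device registered shortly afterwards, and sometimes a payroll or bank-detail change in the same window. The following is an added detection example, not code from HC3 or any vendor; the event schema, department labels and help-desk account names are assumptions, and the events are constructed for the demonstration.

```python
"""Hypothetical detection over identity-audit events (schema assumed, not any vendor's):
flag help-desk MFA resets on finance users that are followed by a new MFA registration
within a short window, escalating when a payroll/bank-detail change also occurs."""
from datetime import datetime, timedelta

# Assumed department labels for the "financial role" HC3 mentions.
FINANCE_ROLES = {"finance", "accounts_payable", "payroll"}
# Assumed identities of help-desk service accounts that perform resets.
HELPDESK_ACTORS = {"helpdesk1", "helpdesk2"}

# Constructed sample events (ISO timestamps, hypothetical field names).
SAMPLE_EVENTS = [
    {"ts": "2024-04-08T09:02:00", "action": "mfa_reset", "target": "j.doe",
     "actor": "helpdesk1", "target_dept": "finance"},
    {"ts": "2024-04-08T09:10:00", "action": "mfa_register", "target": "j.doe",
     "actor": "j.doe", "target_dept": "finance"},
    {"ts": "2024-04-08T09:40:00", "action": "payroll_bank_change", "target": "j.doe",
     "actor": "j.doe", "target_dept": "finance"},
    {"ts": "2024-04-08T11:00:00", "action": "mfa_reset", "target": "a.smith",
     "actor": "helpdesk2", "target_dept": "engineering"},
    {"ts": "2024-04-08T11:05:00", "action": "mfa_register", "target": "a.smith",
     "actor": "a.smith", "target_dept": "engineering"},
    {"ts": "2024-04-06T08:00:00", "action": "mfa_reset", "target": "m.lee",
     "actor": "helpdesk1", "target_dept": "finance"},
    {"ts": "2024-04-08T08:00:00", "action": "mfa_register", "target": "m.lee",
     "actor": "m.lee", "target_dept": "finance"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_enrollments(events, window_hours=24):
    """Return one alert per help-desk MFA reset on a finance user that is followed,
    within window_hours, by a new MFA registration for the same user.
    Severity is 'high' if a payroll/bank-detail change also lands in the window."""
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["action"] != "mfa_reset" or ev["actor"] not in HELPDESK_ACTORS:
            continue
        if ev.get("target_dept") not in FINANCE_ROLES:
            continue
        deadline = _ts(ev) + timedelta(hours=window_hours)
        registered = None
        bank_change = None
        for later in ordered[i + 1:]:
            if _ts(later) > deadline:
                break  # events are sorted, nothing later can be inside the window
            if later["target"] != ev["target"]:
                continue
            if later["action"] == "mfa_register" and registered is None:
                registered = later
            elif later["action"] == "payroll_bank_change":
                bank_change = later
        if registered is None:
            continue
        alerts.append({
            "user": ev["target"],
            "reset_by": ev["actor"],
            "reset_at": ev["ts"],
            "registered_at": registered["ts"],
            "severity": "high" if bank_change else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(alert)
```

With the default 24-hour window only j.doe is flagged (reset, re-enrolment and a bank-detail change inside 40 minutes); widening the window to 72 hours also surfaces m.lee at medium severity. In practice the window, the finance group membership and the help-desk account list would be pulled from the directory rather than hard-coded.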
Multiple China-linked threat actors exploit Ivanti Connect Secure VPN flaws for lateral movement
Since January 2024, Mandiant researchers have observed eight distinct clusters of suspected China-nexus activity exploiting the Ivanti Connect Secure VPN vulnerabilities CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, which were zero-days at the time. Different types of post-exploitation activity were seen, including the deployment of new malware families. One of the identified clusters was attributed to UNC5221, which deployed four distinct malware families to establish a stealthy, persistent backdoor on infected appliances.
Magento Shoplift malware targets WordPress and Magento websites
Since September 2023, Sucuri researchers have identified several variants of a new malware, dubbed Magento Shoplift, impacting both WordPress and Magento websites. The malware's most recent variant was found on a WordPress site, with malicious code injected into the page using function and file names that masquerade as a Google Analytics script. The code included obfuscated JavaScript designed to fetch and execute a further script capable of credit card skimming, data theft, unauthorised access, and additional malware deployment.
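Two things in the Sucuri description are cheap to hunt for on a site's rendered pages: external scripts whose path is named like Google Analytics but which load from a non-Google host, and inline scripts carrying the usual obfuscation markers (eval, atob, String.fromCharCode, long escaped or base64 runs). The script below is an added example written for this digest, not Sucuri's tooling or the malware itself; the Google host allow-list, the lure-word and marker lists, and the sample HTML are all assumptions constructed for the demonstration.

```python
"""Hypothetical triage of <script> tags in a page for Shoplift-style injections
(added example; allow-lists, heuristics and sample HTML are assumptions)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of hosts a genuine Google Analytics / gtag script loads from.
GOOGLE_HOSTS = {
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
}
# Path fragments an attacker might use to make a loader look like GA.
LURE_WORDS = ("analytics", "gtag", "googletag")
# Common markers of a staged, obfuscated loader.
OBFUSCATION_MARKERS = ("eval(", "atob(", "String.fromCharCode", "unescape(", "document.write(")
HEX_RUN = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Constructed sample page: one genuine gtag loader, one lookalike loader on a
# third-party host, one obfuscated inline loader, one benign inline script.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-0000"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-0000');</script>
<script src="https://cdn.example-stats.net/js/google-analytics.js"></script>
<script>var _ga_loader=function(){eval(atob("Y29uc29sZS5sb2coJ3BsYWNlaG9sZGVyJyk="));};_ga_loader();</script>
<script>document.getElementById('year').textContent=new Date().getFullYear();</script>
</head><body><span id="year"></span></body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def triage_scripts(html):
    """Return (kind, detail) findings: 'lookalike_external' for GA-named scripts on
    non-Google hosts, 'obfuscated_inline' for inline code with obfuscation markers."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        parts = urlparse(src)
        host, path = parts.netloc.lower(), parts.path.lower()
        if host and host not in GOOGLE_HOSTS and any(w in path for w in LURE_WORDS):
            findings.append(("lookalike_external", src))
    for code in parser.inline:
        if (any(m in code for m in OBFUSCATION_MARKERS)
                or HEX_RUN.search(code) or B64_RUN.search(code)):
            findings.append(("obfuscated_inline", code.strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_scripts(SAMPLE_HTML):
        print(kind, detail)
```

Running it on the constructed page flags the `cdn.example-stats.net` loader and the `eval(atob(...))` inline script while leaving the real gtag snippet and the benign footer script alone. The heuristics are deliberately loose; on a live site they are a starting point for manual review of anything flagged, not a verdict.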
New Lazy Koala threat actor uses LazyStealer to steal credentials of public servants
In Q1 2024, Positive Technologies researchers identified a new threat actor, dubbed Lazy Koala, targeting government, financial, medical, and educational organisations in Russia, Belarus, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, and Armenia. Lazy Koala leverages a new malware, dubbed LazyStealer, to steal credentials for various services from computers used by public servants. The group likely uses phishing as its initial access vector. The victim geography and the arsenal employed by Lazy Koala suggest a link to the YoroTrooper group.
Retailers targeted in multichannel attacks
Proofpoint researchers analysed the use of multichannel attacks in campaigns targeting the retail industry. Channels such as SMS, email, fake web pages, and compromised cloud accounts are used to establish persistence and compromise identities to elevate privileges and move laterally. Campaigns typically begin with smishing attacks, with an observed campaign using support ticket themes.
Ransomware
[Chart: volume of leak-site posts by ransomware operators during the last week]
Ransomware attack disrupts GBI Genios (SC Magazine US, Apr 10 2024)
GHC-SCW: Ransomware gang stole health data of 533,000 people (BleepingComputer, Apr 09 2024)
Change Healthcare faces second ransomware dilemma weeks after ALPHV attack (The Register, Apr 08 2024)
Unfolding KUIPER Ransomware (Medium Infosec Cybersecurity Writeups, Apr 08 2024)
New Red Ransomware Group (Red CryptoApp) Exposes Victims on Wall of Shame (HackRead, Apr 04 2024)
Financial Services
New Technique to Trick Developers Detected in an Open Source Supply Chain Attack (Checkmarx, Apr 10 2024)
Hackers deploy crypto drainers on thousands of WordPress sites (BleepingComputer, Apr 08 2024)
Pacific Guardian Life Insurance Data Breach Affects Confidential Information of 167,103 People (JD Supra, Apr 05 2024)
Google sues two crypto app makers over allegedly vast "pig butchering" scheme (Ars Technica, Apr 04 2024)
Fake Lawsuit Threat Exposes Privnote Phishing Sites (Krebs on Security, Apr 04 2024)
Geopolitics
Turla APT Targets Albania With Backdoor in Ongoing Campaign to Breach European Organizations (EclecticIQ Blog, Apr 10 2024)
Starry Addax targets human rights defenders in North Africa with new malware (Talos Intelligence Blog, Apr 09 2024)
Ukrainian Hackers Take Down Data Center Serving Russia's Military Industry (Hosting Journalist, Apr 08 2024)
Israel's Justice Ministry reviewing 'cyber incident' after hacktivists claim breach (Reuters, Apr 05 2024)
China tests US voter fault lines and ramps AI content to boost its geopolitical interests (Microsoft, Apr 05 2024)
High Priority Vulnerabilities
CVE | Software | CVSS Base Score | CVSS Temporal Score | Related coverage
---|---|---|---|---
CVE-2024-29988 | Windows | 8.8 | 8.2 | Microsoft fixes two Windows zero-days exploited in malware attacks
CVE-2024-3273 | D-Link DNS-340L | 7.3 | 6.7 | Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks
CVE-2024-20720 | Magento (Adobe Commerce) | 9.1 | 6.9 | Magento vulnerability exploited to backdoor e-commerce sites
CVE-2024-25744 | Linux kernel | 5.5 | 5.3 | Confidential VMs Hacked via New Ahoi Attacks
CVE-2023-48788 | FortiClient EMS | 9.8 | 7.0 | FortiClient EMS flaw exploited to install RMM tools and PowerShell backdoors