WEEKLY TOP TEN | SEPTEMBER 25, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- Clop Gang Stole Data From Major North Carolina Hospitals
The healthcare technology company Nuance, owned by Microsoft, disclosed that, as part of the Progress MOVEit Transfer campaign, the Clop extortion gang obtained personal information belonging to major North Carolina hospitals. Microsoft attributed the campaign, which exploited a zero-day vulnerability in the MOVEit Transfer platform, to the Clop ransomware group (also known as Lace Tempest).
- Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor
Ballistic Bobcat, formerly identified by ESET Research as APT35/APT42 (aka Charming Kitten, TA453, or PHOSPHORUS), is a suspected Iran-affiliated advanced persistent threat group that targets education, government, and healthcare organizations, as well as human rights activists and journalists. It is most active in the Middle East, Israel, and the United States.
- Improper Usage of SAS Token Leads to Massive Microsoft Data Leakage
While training open-source AI models, Microsoft researchers leaked 38 terabytes (TB) of sensitive data through an improperly configured Azure Shared Access Signature (SAS) token published in a public GitHub repository. The exposure began in July 2020 but was only discovered and reported on June 22, 2023, by white-hat hackers.
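The root cause in this story is a SAS token whose scope, permissions and lifetime were far broader than the task required. The following check is an added example, not code from the original digest or from Microsoft: it scans a text fragment (a constructed notebook-style snippet) for Azure Storage URLs carrying a SAS signature, then reports the properties a defender cares about: whether the token is account-wide (`srt`/`ss`) rather than blob-scoped (`sr=b`), whether it grants write/delete/list rights (`sp`), and whether its expiry (`se`) is missing, already past, or beyond a policy limit. The storage account name, signature values, the 30-day limit and the reference time are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample: a notebook-style text fragment containing a SAS URL.
# The storage account name, paths and the signature value are all made up.
SAMPLE_TEXT = '''
# download the model files
MODEL_URL = "https://exampleacct.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacupx&se=2051-10-09T00:00:00Z&spr=https&sig=FAKESIGNATURE%3D"
print(MODEL_URL)
'''

# A narrowly scoped, short-lived, read-only blob SAS URL (also constructed).
NARROW_URL = ("https://exampleacct.blob.core.windows.net/models/weights.bin"
              "?sv=2020-08-04&sr=b&sp=r&se=2020-07-21T00:00:00Z&sig=FAKESIGNATURE%3D")

# Assumed policy threshold for this example (not an Azure default).
MAX_LIFETIME = timedelta(days=30)

# Constructed reference time so the audit is reproducible (the digest's date).
REFERENCE_TIME = datetime(2023, 9, 25, tzinfo=timezone.utc)

# Matches Azure Storage URLs that carry a SAS signature (sig=) in the query string.
SAS_URL_RE = re.compile(r"https://[\w.-]+\.core\.windows\.net/[^\s\"'<>)]*[?&]sig=[^\s\"'<>)]*")

# Permission letters in the 'sp' parameter that go beyond read-only use.
RISKY_PERMISSIONS = (("w", "write"), ("d", "delete"), ("l", "list"), ("c", "create"), ("a", "add"))


def find_sas_urls(text):
    """Return every SAS-bearing Azure Storage URL found in the given text."""
    return SAS_URL_RE.findall(text)


def _parse_expiry(value):
    # 'se' is ISO 8601; older Python cannot parse a trailing 'Z', so normalise it.
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas_url(url, now=None):
    """Return a list of human-readable findings about scope, permissions and lifetime."""
    now = now or datetime.now(timezone.utc)
    parts = urlparse(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in query:
        return ["not a SAS URL (no sig parameter)"]

    findings = []

    # 1. Permissions: anything beyond 'r' lets the holder change or enumerate data.
    perms = query.get("sp", "")
    for flag, name in RISKY_PERMISSIONS:
        if flag in perms:
            findings.append(f"permission grants {name}")

    # 2. Scope: account SAS (srt/ss) covers every container; sr=c covers a container.
    if "srt" in query or "ss" in query:
        findings.append("account-level SAS (srt/ss present): scope is the whole storage account")
    elif query.get("sr") == "c":
        findings.append("container-level scope (sr=c)")

    # 3. Lifetime: missing, already expired, or far beyond the policy limit.
    expiry_raw = query.get("se")
    if expiry_raw is None:
        findings.append("no expiry (se) set")
    else:
        expiry = _parse_expiry(expiry_raw)
        if expiry < now:
            findings.append("token already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"expiry {expiry.date()} exceeds {MAX_LIFETIME.days}-day policy")

    # 4. Transport: spr=http would allow the token to travel in clear text.
    if parts.scheme != "https" or query.get("spr", "https") != "https":
        findings.append("http allowed")

    return findings


if __name__ == "__main__":
    for found in find_sas_urls(SAMPLE_TEXT):
        print(found)
        for line in audit_sas_url(found, REFERENCE_TIME):
            print("  -", line)
```

Run over a checkout of a repository (or a CI log), this turns "a SAS URL was committed" into a concrete severity: a read-only, blob-scoped token that expires in a day is a minor leak, whereas an account-level token with write and list rights and a multi-decade expiry is effectively a long-lived storage-account credential.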
- PSA: Ongoing Webex Malvertising Campaign Drops BatLoader
A new malvertising campaign targets corporate users downloading the popular web conferencing application Webex. The threat actors have paid for an advertisement, purporting to be from Cisco, that is displayed at the top of the Google search results page.
- Inside the Code of a New XWorm Variant
XWorm is a comparatively new member of the remote access trojan family. Despite its short time in the arena, it has already become one of the most widespread threats worldwide. Since its discovery in 2022 it has received several major updates that significantly expanded its functionality and persistence.
- New MidgeDropper Variant
Fortinet researchers recently discovered a new dropper, which they have named MidgeDropper, with a complex infection chain that includes sideloading and code obfuscation, making it an interesting case study.
- New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services
A new cloud-native cryptojacking operation targets uncommon Amazon Web Services (AWS) offerings, including AWS Fargate, AWS Amplify, and Amazon SageMaker, and abuses them to secretly mine cryptocurrency.
- MGM Resorts Hit By a Cyber Attack
The Scattered Spider group (also tracked as 0ktapus and UNC3944), an affiliate of the BlackCat/ALPHV ransomware gang, said it had gained access to MGM Resorts’ Azure and Okta environments as of September 8th. It had additionally obtained admin privileges, giving it broad access to the firm’s systems.
- A New Repojacking Attack Exposed Over 4,000 GitHub Repositories to Hijacking
Checkmarx researchers discovered a new GitHub vulnerability that could have exposed 4000 packages to repojacking attacks. The flaw allowed an attacker to exploit a race condition between renaming a username and creating a repository.
- Payment Card-Skimming Campaign Targeting North American Websites
After more than a year of skimming credit card numbers from e-commerce sites and POS providers in the Asia Pacific region, this Chinese-speaking threat actor has turned its attention to similar targets in Latin and North America. The BlackBerry researchers who uncovered the campaign are tracking it as “Silent Skimmer.”