Daily Threat Intelligence – May 12 – 2023


Cryptomining attacks have become a prominent threat because they let illicit revenue earners stay anonymous in several ways. Security researchers have recently discovered a malicious cryptomining operation involving a new version of RapperBot. This variant carries the XMRig Monero miner, built specifically for Intel x64 architectures, and the campaign, operational since January, focuses on compromising only IoT devices. Jumping on the PaperCut server flaw bandwagon is the Bl00dy ransomware group; several ransomware groups, including Cl0p and LockBit 3.0, have been found taking advantage of the vulnerability.

A new variant of the Linux malware BPFDoor has surfaced with enhanced encryption capabilities and improved reverse shell communications. This updated version exhibits a higher level of persistence and operational stealthiness.

Top Breaches Reported in the Last 24 Hours


Victoria healthcare facility hit by breach
A security mishap at Ambulance Victoria exposed 600 confidential drug and alcohol test results of a few hundred graduate paramedics. The confidential spreadsheets, containing information about the pre-employment testing of graduate paramedics in 2017 and 2018, were accessible on the staff intranet until the union brought the issue to the attention of Ambulance Victoria.

Broadband provider suffers intrusion
Approximately 24,000 customers, roughly half of WhizComms’ customer base, had their personal information compromised in a data breach conducted by an external party. It is possible that the attackers also acquired scanned images of work permits and visa approval documents. The firm clarified that customers’ contact and payment details are safe.

Data leaked to journalist
The New Mexico Department of Health (DOH) reported a breach to the U.S. HHS that affected nearly 49,000 individuals. The breach was identified when DOH became aware of a spreadsheet containing details regarding individual deaths in New Mexico that had been inadvertently shared with a journalist. The information includes protected health information of individuals; however, it did not contain names, birthdates, addresses, or contact details.

Education platform compromised
Brightly Software, a Siemens subsidiary, is informing customers that their personal information and credentials were compromised. Attackers managed to gain access to the database of the SchoolDude online platform that led to the theft of sensitive personal data. Impacted data include customer account information and school district names.

Ransomware infects Swiss MNC
The Black Basta ransomware group has added another multinational firm, ABB, to its list of victims. The ransomware has reportedly crippled hundreds of devices after breaching the company’s Windows Active Directory. According to reports, the attack has had an impact on both project timelines and factory operations, leading to notable disturbances and hampering overall productivity.

Top Malware Reported in the Last 24 Hours


RapperBot can now mine
Fortinet’s FortiGuard Labs uncovered a newer version of the RapperBot botnet that can mine Monero cryptocurrency on infected Intel x64 machines. The developers first introduced the cryptomining component independently of the botnet capabilities; by the end of January, however, they had integrated both into a single unit. To optimize its mining performance, RapperBot enumerates the running processes on the compromised system, locates other mining processes, and terminates them.

Veeam bug concerns healthcare sector
The HC3 issued a warning to the healthcare sector regarding an increase in cyberattacks exploiting a bug in Veeam Backup & Replication software. The high-severity flaw allows unauthorized access to backup infrastructure hosts and affects all versions of Veeam software, including those responsible for backing up, replicating, and restoring data on virtual machines.

Bl00dy ransomware abuses PaperCut flaw
The CISA and the FBI released a joint advisory cautioning against the Bl00dy ransomware group abusing a critical security hole, identified as CVE-2023-27350, in PaperCut servers. The attackers’ primary targets are educational institutions in the U.S. Some of the successful operations have resulted in data exfiltration and encryption of victim systems.

Top Vulnerabilities Reported in the Last 24 Hours


Flawed WordPress plugin concerns millions
A security vulnerability in the WordPress plugin Essential Addons for Elementor has been reported by Patchstack researcher Rafie Muhammad. The severity of this vulnerability lies in its potential to be weaponized against over one million active installations. Identified as CVE-2023-32243, the vulnerability can be exploited to reset passwords and gain elevated privileges on impacted websites. The plugin maintainers promptly addressed the issue in version 5.7.2, released on May 11.

Security advisories by Rockwell Automation
Rockwell Automation released six security advisories this week, four of which have been shared by the CISA. These advisories outline over a dozen vulnerabilities that have been identified. While one advisory warns about a flaw in Kinetix 5500 industrial control routers, two other critical flaws were spotted in Rockwell Automation’s PanelView 800 graphics terminals. Moreover, three high-severity buffer overflows and nearly a dozen XSS flaws across its products have been detected.

New BPFDoor version identified
AI-based cybersecurity firm Deep Instinct took the wraps off a newer variant of BPFDoor (BPF stands for Berkeley Packet Filter), which is capable of maintaining persistent access to breached systems for extended periods. Previously, the malware used RC4 encryption, a bind shell, and iptables for communication, with hardcoded commands and filenames. The updated version now incorporates static library encryption and reverse shell communication, and all commands are transmitted by the C2 server.
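A backdoor that relies on a Berkeley Packet Filter to watch for its trigger traffic needs a raw AF_PACKET socket, and on Linux every such socket is listed in /proc/net/packet with an inode that can be joined back to the owning process through /proc/&lt;pid&gt;/fd. The hunting script below is an added example for this digest, not code from Deep Instinct or from any BPFDoor analysis; it parses a constructed copy of the /proc/net/packet table, joins it to a constructed fd listing, and flags any packet-socket owner that is not on a hypothetical allowlist of daemons expected to hold raw sockets (dhclient, tcpdump and the like). The process names and inode numbers are made up for the example; only the column layout of /proc/net/packet is the real Linux format.

```python
"""Find processes holding AF_PACKET (raw) sockets and flag unexpected owners.

Added example for defenders, not part of the original digest or any vendor tooling.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample of /proc/net/packet. The column order matches the Linux
# layout (sk RefCnt Type Proto Iface R Rmem User Inode); the values are invented.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a3c1e2b0000 3      3    0003   2      1 0      0      48213
ffff9a3c1e2b0800 3      3    0003   2      1 0      0      51777
"""

# Constructed map of pid -> (comm, targets of the symlinks in /proc/<pid>/fd).
# "updater_helper" is a made-up name standing in for a process that should not
# be sniffing traffic; "dhclient" is a legitimate raw-socket user.
SAMPLE_PROCS: Dict[int, Tuple[str, List[str]]] = {
    1207: ("dhclient", ["/dev/null", "socket:[48213]", "/var/lib/dhcp/dhclient.leases"]),
    2481: ("updater_helper", ["/dev/null", "socket:[51777]", "pipe:[9931]"]),
    3003: ("sshd", ["socket:[60001]", "/dev/null"]),
}

# Hypothetical allowlist: daemons an operator expects to own packet sockets.
EXPECTED_RAW_SOCKET_OWNERS: Set[str] = {"dhclient", "dhcpcd", "tcpdump", "NetworkManager"}


class PacketSocket(NamedTuple):
    sock_type: int  # 3 == SOCK_RAW, 2 == SOCK_DGRAM
    proto: int      # ethertype the socket binds to; 0x0003 == ETH_P_ALL (everything)
    inode: int      # joins to "socket:[inode]" links under /proc/<pid>/fd


def parse_proc_net_packet(text: str) -> List[PacketSocket]:
    """Parse the /proc/net/packet table, one AF_PACKET socket per data row."""
    sockets: List[PacketSocket] = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 9:
            continue  # tolerate blank or truncated lines
        sockets.append(PacketSocket(
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),
            inode=int(fields[8]),
        ))
    return sockets


_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def map_sockets_to_pids(procs: Dict[int, Tuple[str, List[str]]]) -> Dict[int, Tuple[int, str]]:
    """Invert the per-process fd listing into socket inode -> (pid, comm)."""
    owners: Dict[int, Tuple[int, str]] = {}
    for pid, (comm, fd_targets) in procs.items():
        for target in fd_targets:
            match = _SOCKET_LINK.match(target)
            if match:
                owners[int(match.group(1))] = (pid, comm)
    return owners


def find_packet_socket_owners(packet_table: str,
                              procs: Dict[int, Tuple[str, List[str]]]):
    """Join every AF_PACKET socket to its owning process (pid may be None)."""
    owners = map_sockets_to_pids(procs)
    findings = []
    for sock in parse_proc_net_packet(packet_table):
        pid, comm = owners.get(sock.inode, (None, "<unknown>"))
        findings.append((pid, comm, sock))
    return findings


def flag_unexpected(findings, allowlist: Set[str]):
    """Keep only packet-socket owners that are not on the allowlist."""
    return [(pid, comm, sock) for pid, comm, sock in findings if comm not in allowlist]


if __name__ == "__main__":
    hits = flag_unexpected(
        find_packet_socket_owners(SAMPLE_PROC_NET_PACKET, SAMPLE_PROCS),
        EXPECTED_RAW_SOCKET_OWNERS,
    )
    for pid, comm, sock in hits:
        print(f"pid={pid} comm={comm} raw_socket_inode={sock.inode} "
              f"type={sock.sock_type} proto=0x{sock.proto:04x}")
```

On a live host the two constructed inputs would be replaced by reading /proc/net/packet and walking /proc/*/fd; an entry whose inode joins to no process at all is also worth a look, since a socket whose owner is hidden from the process list is its own finding.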

Original Source

