Daily Threat Intelligence, November 30, 2023

Updated: Dec 16, 2023

The cyber threat group Kimsuky is utilizing new techniques, distributing malware through malicious JSE files disguised as import declarations. The files target South Korean research institutes. Separately, a vulnerability was uncovered in Zoom Rooms that could have enabled threat actors to hijack service accounts, gaining unauthorized access to sensitive data. Zoom has disabled the affected functionality.


Additionally, severe command injection flaws were found in Zyxel NAS products, posing risks of attackers executing system commands without authorization. In other news, the CACTUS ransomware is leveraging a cloud analytics platform to exfiltrate data, demonstrating how adversaries creatively exploit technologies.


Overall, cybercriminals are continuously evolving techniques, requiring defenders to remain vigilant through best practices like patching, least privilege access, monitoring, and user education. A proactive, layered security posture can help organizations manage risk. The cyber threat landscape will likely continue to expand.


Top Breaches Reported in the Last 24 Hours


King Edward VII Hospital hacked


The King Edward VII Hospital in London suffered a cyber attack by the Rhysida ransomware group, which claimed to have breached the hospital's network. The hackers published stolen confidential data, including medical reports, x-rays, and registration forms as proof of the breach. Rhysida threatened to publicly release more of the stolen sensitive patient, employee, and potentially Royal family data.


Data Breach Exposes Details of Nearly Two Million


Discount retail chain Dollar Tree experienced a data breach following an incident involving their third-party service provider, Zeroed-In Technologies. The breach, occurring between August 7-8, 2023, exposed the personal information of nearly two million Dollar Tree and Family Dollar employees. Compromised data included names, dates of birth, and social security numbers.


Cyber Attack Disrupts Israel’s National Archives


The website of Israel's National Archives faced a cyberattack by the hacker group CyberToufan, disrupting search services and compromising user data. While some functions remain operational, the hackers claimed to have leaked details of over 10,000 Israeli researchers and government employees. The incident adds to the rising frequency of cyber incidents amid heightened regional tensions.


New Jersey Hospital Group Faces Cyber Attack


Capital Health, operating hospitals in Trenton and Hopewell, New Jersey, faces network outages due to a cybersecurity incident. While patient care continues, the attack has affected elective surgeries, outpatient radiology, and certain cardiology testing. Experts suggest ransomware is the likely cause, given the financial incentives behind such attacks. The hospital expects at least a week of operating under system limitations.


Top Malware Reported in the Last 24 Hours


Baiting Users with Promises of Personal Data Leaks


Analysts at ASEC uncovered a malware distribution campaign that tempts users by claiming to offer leaked personal data for sale. The malicious sites contain files with investment-related keywords that promise sensitive information like names, phone numbers, investment amounts, and credit ratings. Downloading these files unknowingly executes malicious scripts that install malware giving attackers remote control of the system.


South Korean Institutes Targeted via Malicious Import Files


ASEC discovered a new campaign by the cyber threat group Kimsuky targeting South Korean research institutes. The threat actors distribute malicious JSE files disguised as import declarations containing obfuscated PowerShell scripts and backdoor files. The backdoors collect and exfiltrate system data to attacker-controlled servers after compromising anti-malware protections.


CACTUS Ransomware Leverages Cloud Software Vulnerabilities


Researchers identified the CACTUS ransomware exploiting vulnerabilities in the cloud analytics platform Qlik Sense, including flaws enabling HTTP tunneling, path traversal, and unauthenticated remote code execution. By chaining the flaws, attackers gain an initial foothold, manipulate services to download tools, achieve persistence, and take control of systems.


Top Vulnerabilities Reported in the Last 24 Hours


Critical Bug in Zoom Rooms Enables Account Takeovers


Analysts discovered a severe vulnerability in the Zoom Rooms platform allowing threat actors to fully compromise associated service accounts. Successful exploitation provides access to meetings, contacts, whiteboards, and sensitive data in Team Chat channels. The flaw stems from the direct inheritance of privileged account IDs by users with the Zoom Room Owner role.


Zyxel NAS Devices Impacted by Critical Command Injection Issues


Zyxel NAS products faced three highly critical command injection vulnerabilities enabling attackers to execute system commands without authentication. The flaws, tracked as CVE-2023-35138, CVE-2023-37928, and CVE-2023-4473, can be exploited by sending crafted HTTP requests and URLs. Zyxel has released patches to address each vulnerability.
