Hey all you cool cats and kittens! We’ve got a brand-new threat intel episode for you coming from our virtual podcast studio with Adam, Jamie, and Viktoria.

The team chat through the latest Zoom zero-day flaws discovered, and the story around Fin7 delivering malware via USB sticks and teddy bears in the mail.

Listen to this week’s episode now 👇

APT41 exploits Cisco, Citrix, Zoho vulnerabilities

The Chinese state-associated threat group “APT41” exploited Citrix Application Delivery Controller (ADC), Cisco routers, and Zoho ManageEngine Desktop Central, targeting at least 75 organizations. Initially the group targeted CVE-2019-19781, a vulnerability on Citrix ADC and Gateway devices, in January. The group began to target a Cisco RV320 router on 21 February, using a Metasploit module combining CVE-2019-1653 and CVE-2019-1652. APT41 moved on to exploit CVE-2020-10189, targeting the Zoho ManageEngine Desktop Central product less than a week after the proof of concept was published. The breadth of targeted geographies and sectors highlights the significant threat the group poses to a variety of organizations.

Healthcare provider and hospitals fall victim to Ryuk ransomware

The threat group behind the “Ryuk” ransomware variant recently targeted hospitals and an unspecified United States-based healthcare provider. Various other ransomware groups have stated their intention not to target healthcare organizations during the COVID-19 pandemic, but this incident shows that healthcare organizations remain vulnerable to cyber threats for the short-term future (next three months). Such threats would come from threat actors either continuing pre-pandemic attacks or deliberately targeting healthcare entities to exploit pandemic-related opportunities.

Georgian citizen data published online

Voter information for more than 4.9 million Georgian citizens was published on a hacking forum on 28 Mar 2020. The database contains personal details, including full names, home addresses, dates of birth, identification numbers, and mobile-phone numbers. Although highly classified or sensitive information was not included, the size of the database and the number of affected citizens mean that any resulting cyber-threat operations against Georgian citizens would be highly effective.


For more details, read the full Weekly Intelligence Summary

Weekly Intelligence Summary 03 Apr 2020