ShadowTalk Update – Zoom Zero-Day Vulnerabilities and Fin7 Delivering Malware Via Snail Mail

The Chinese state-associated threat group “APT41” exploited Citrix Application Delivery Controller (ADC), Cisco routers, and Zoho ManageEngine Desktop Central, targeting at least 75 organizations. Initially the group targeted CVE-2019-19781, a vulnerability on Citrix ADC and Gateway devices, in January. The group began to target a Cisco RV320 router on 21 February, using a Metasploit module combining CVE-2019-1653 and CVE-2019-1652. APT41 moved on to exploit CVE-2020-10189, targeting the Zoho ManageEngine Desktop Central product less than a week after the proof of concept was published. The breadth of targeted geographies and sectors highlights the significant threat the group poses to a variety of organizations.

Healthcare provider and hospitals fall victim to Ryuk ransomware

The threat group behind the “Ryuk” ransomware variant recently targeted hospitals and an unspecified, United States-based healthcare provider. Various other ransomware groups have stated their intention to not target healthcare organizations during the COVID-19 pandemic, but this incident shows that healthcare organizations remain vulnerable to cyber threats for the short-term future (next three months). These would come from threat actors either continuing pre-pandemic attacks or deliberately targeting healthcare entities to exploit pandemic-related opportunities.

Georgian citizen data published online

Voter information for more than 4.9 million Georgian citizens was published on a hacking forum on 28 Mar 2020. The database contains personal details, including full names, home addresses, dates of birth, identification numbers, and mobile-phone numbers. Although highly classified or sensitive information was not included, the size of the database and number of affected citizens means any resulting cyber-threat operations against Georgian citizens would be highly effective.

For more details, read the full Weekly Intelligence Summary