Cyware Daily Threat Intelligence

Daily Threat Briefing • April 3, 2023
The April 18 tax deadline is here, and so are the scams surrounding it. A cybercrime group tracked as TACTICAL#OCTOPUS was seen using various tax-related forms and documents as lures to deploy malware on users’ systems. In another tax-related incident, LockBit 3.0 actors reportedly leaked data of South Korean nationals. Another day, another malware family joined the cyber threat landscape: different security research groups uncovered two relatively new ransomware strains, Money Message and Cylance. The former group allegedly demands ransoms in the millions of dollars.
A new info-stealer dubbed OpcJacker has also entered the scene with wide-ranging capabilities. It can access sensitive browser data, deliver next-stage payloads, and can even perform clipboard hijacking to replace cryptocurrency wallet addresses.
Ransomware attack on Alabama school
The Jefferson County School District, Alabama, disclosed that it fell victim to a ransomware attack during spring break. While an investigation is ongoing, security experts have found no evidence of any sensitive data breach so far. Officials said they use multiple security protocols to protect their infrastructure and those helped mitigate the threat.
South Korean taxpayers’ data leak
The LockBit 3.0 ransomware gang announced that it had published the data it stole from the systems of the South Korean National Tax Service. Security researchers say that, if the hack and leak actually took place, the privacy and security of South Korean citizens are at severe risk. The hacking incident surfaced on March 29, 2023, and the tax agency was given two days to pay up.
Western Digital Corp suffers breach
An unauthorized network intrusion at data storage device maker Western Digital Corp has exposed some of its system data. The firm is reportedly investigating the hack and working with law enforcement authorities to understand the nature and scope of the affected data. It has further warned that the incident may have operational repercussions.
Money Message: a new ransomware
A new ransomware group with two victims listed on its leak site has been observed making million-dollar ransom demands. The gang, called Money Message, has listed an Asian airline with revenue close to $1 billion as one of its victims. The adversaries shared a screenshot of the accessed file system as proof of the breach. Experts found that the encryption speed of the ransomware strain was relatively slow.
New information-stealing malware
Several fake websites were set up to advertise genuine software and cryptocurrency-related applications, only to drop OpcJacker, an info-stealer, Trend Micro reported. The malware is capable of delivering next-stage payloads such as NetSupport RAT and a remote-access-focused variant with hidden virtual network computing (hVNC).
Cylance group hides ransom demand
Palo Alto Networks’ Unit 42 discovered a new Cylance ransomware group that allegedly has several victims on its list. The ransomware appears to be at a nascent stage of development and has been targeting Linux and Windows users. Strangely, its ransom notes don’t mention any ransom amount, so the amount is probably disclosed only when a victim gets in touch with the attacker.
WordPress bug threatens site takeover
A security vulnerability in the Elementor Pro website builder plugin for WordPress is under active exploitation by a threat actor. An authenticated user can take advantage of it to take full control of a WordPress site that has WooCommerce enabled. The bug in the plugin, which is deployed on roughly 12 million sites, affects versions 3.11.6 and earlier.
Tax scams by Tactical Octopus
Cybercriminals associated with TACTICAL#OCTOPUS were spotted distributing tax-related email lures to spread malware. Security analysts at Securonix revealed that the attackers are using authentic W-2 tax documents, I-9 forms, and real estate purchase contracts as bait. On successfully infected devices, the criminals can capture clipboard data and even track keystrokes.