Cyware Daily Threat Intelligence

Daily Threat Briefing • July 27, 2023
Cybercriminals are quick to adapt to new technologies. With AI in the spotlight, a sophisticated, multi-purpose tool called FraudGPT has emerged on dark web marketplaces and Telegram channels. Its advertised features range from writing malicious code and creating undetectable malware to crafting spear-phishing emails. Organizations need to upgrade their defensive approach to stay ahead of threat actors in the face of such novel threats.
Yet again, Lazarus hackers are in the news. This time, the North Korean APT group has been linked to a $60 million cryptocurrency theft from a payment processing platform. In addition, new malware dubbed Nitrogen has surfaced, distributed via Google and Bing search ads.
Maximus updates on MOVEit hack
Maximus disclosed that personal information, including Social Security numbers, of up to 11 million individuals has been stolen in a MOVEit cyberattack earlier this year. An investigation is underway, following which the company plans to send notifications to those affected.
Lazarus linked to $60 million crypto heist
The North Korean Lazarus hacking group has been blamed for a recent attack on the payment processing platform Alphapo in which almost $60 million in cryptocurrency was stolen. The haul includes over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, 1,700 DAI, and $37M of TRON and BTC, all taken from hot wallets, possibly using leaked private keys. The attack was carried out on July 23.
**Update on Akira ransomware**
A report by Arctic Wolf revealed that the Akira ransomware group has compromised at least 63 organizations since March, with 80% of victims being SMBs. Further, it found that the ransomware’s code overlaps with the Conti ransomware, including similar functions and implementation of the ChaCha algorithm for encryption.
Emergence of FraudGPT
A new AI tool, called FraudGPT, is advertised with a wide range of capabilities such as writing malicious code, creating undetectable malware, and crafting phishing emails. The tool is being circulated on underground marketplaces and Telegram channels at prices ranging from $200 per month to $1,700 per year. It is similar to WormGPT, another malicious AI tool, which launched on July 13.
New Nitrogen malware
A new campaign leveraging Google and Bing search ads is being used to distribute malware dubbed Nitrogen. The malware gives threat actors initial access to corporate networks, allowing them to conduct data theft and cyberespionage and ultimately to deploy BlackCat ransomware on compromised systems. The campaign primarily targets technology and non-profit organizations in North America, impersonating popular software such as AnyDesk, AnyConnect VPN, TreeSize Free, and WinSCP.
**Mirai botnet variant spotted**
A variant of the Mirai botnet has been identified in a new cryptocurrency mining campaign that targets misconfigured Apache Tomcat servers. After gaining a foothold, the attackers deployed a malicious web shell designed to receive and execute commands on the compromised server. The first-stage malware is a Mirai variant that uses infected hosts to orchestrate DDoS attacks.
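As an added detection example (not from the briefing or from the researchers who reported the campaign), the script below scans Tomcat access-log lines for web applications deployed through the Manager text interface and alerts when such a context later receives requests carrying command-style query parameters, the trace a web shell that "receives and executes commands" leaves behind. The log lines are constructed, and the log format and parameter names it matches are this example's assumptions.

```python
"""Flag Manager-deployed Tomcat contexts that later receive command-style requests.

Added example: parses Tomcat access-log lines (common log format), records
every context deployed via /manager/text/deploy, and alerts when requests to
that context carry query parameters typical of a web shell. The sample log,
parameter names and log format are this example's own assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Query-parameter names web shells commonly use to pass a command (assumption).
CMD_PARAMS = {"cmd", "exec", "command"}

# Constructed sample log; not taken from any real server or from the page.
SAMPLE_LOG = [
    '10.0.0.5 - admin [27/Jul/2023:10:01:02 +0000] "PUT /manager/text/deploy?path=/shell&update=true HTTP/1.1" 200 71',
    '10.0.0.5 - - [27/Jul/2023:10:01:09 +0000] "GET /shell/index.jsp?cmd=id HTTP/1.1" 200 312',
    '10.0.0.5 - - [27/Jul/2023:10:01:15 +0000] "GET /shell/index.jsp?cmd=uname+-a HTTP/1.1" 200 402',
    '192.168.1.20 - - [27/Jul/2023:10:02:00 +0000] "GET /docs/index.html HTTP/1.1" 200 1203',
    '192.168.1.21 - deployer [27/Jul/2023:10:03:00 +0000] "PUT /manager/text/deploy?path=/app HTTP/1.1" 200 55',
    '192.168.1.22 - - [27/Jul/2023:10:03:30 +0000] "GET /app/?page=home HTTP/1.1" 200 900',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def find_webshell_activity(lines):
    """Return one alert per Manager-deployed context that received command-style requests."""
    deployed = {}  # context path -> the deploy request that created it
    hits = {}      # context path -> suspicious requests seen after deployment
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Record successful deployments; only deployments that name an explicit
        # ?path= context are tracked (a war= only deploy is skipped here).
        if rec["path"] == "/manager/text/deploy" and rec["status"] == "200":
            ctx = rec["query"].get("path", [None])[0]
            if ctx:
                deployed[ctx] = rec
            continue
        # Any later request under a deployed context with a command parameter is a hit.
        for ctx in deployed:
            if rec["path"] == ctx or rec["path"].startswith(ctx + "/"):
                if CMD_PARAMS & rec["query"].keys():
                    hits.setdefault(ctx, []).append(rec)
    return [
        {
            "context": ctx,
            "deployed_by": deployed[ctx]["user"],
            "deploy_ip": deployed[ctx]["ip"],
            "hits": len(recs),
            "sources": sorted({r["ip"] for r in recs}),
        }
        for ctx, recs in hits.items()
    ]


if __name__ == "__main__":
    for alert in find_webshell_activity(SAMPLE_LOG):
        print(alert)
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; the `/app` deployment in the sample is left unflagged on purpose, showing that the rule keys on the follow-up command traffic rather than on Manager deployments alone.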
**Ubuntu impacted by two flaws**
Around 40% of Ubuntu's user base is vulnerable to two Linux vulnerabilities tracked as CVE-2023-32629 and CVE-2023-2640. Both are privilege escalation flaws and can be abused to gain elevated privileges on a massive number of devices. CVE-2023-32629 affects the Linux kernel memory management subsystem, while CVE-2023-2640 impacts the Ubuntu Linux kernel.
Update on Zenbleed exploitation
Researchers claim that around 62% of AWS environments are likely exposed to the AMD Zenbleed flaw (CVE-2023-20593). This new speculative execution flaw impacts all Zen 2 processors, including Ryzen 3000 (PRO and Threadripper), 4000 (PRO), 5000, 7020, and Epyc (Rome). It can enable threat actors to steal sensitive data, such as passwords and encryption keys.
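For fleet triage, an added example (not from the briefing or its sources) that reads `/proc/cpuinfo`-style text and reports which processors are Zen 2 parts in scope for this flaw. The page lists product names only; the family 23 (0x17) model ranges used here are an assumption taken from the model table the Linux kernel uses for its Zenbleed erratum check, and the inventory text is constructed.

```python
"""Triage Zenbleed (CVE-2023-20593) exposure from /proc/cpuinfo-style text.

Added example: parses per-processor blocks, then flags AMD family 23 (0x17)
parts whose model number falls in the Zen 2 ranges. The ranges are an
assumption taken from the Linux kernel's Zenbleed erratum table; the page
itself names products only.
"""

# Inclusive (low, high) model ranges for Zen 2 parts in family 0x17 (assumption).
ZEN2_MODEL_RANGES = [(0x30, 0x4F), (0x60, 0x7F), (0x90, 0x91), (0xA0, 0xAF)]

# Constructed inventory in /proc/cpuinfo format, one block per host for
# illustration: a Rome EPYC and a Matisse Ryzen (Zen 2), a Milan EPYC (Zen 3)
# and an Intel Xeon.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 49
model name\t: AMD EPYC 7302 16-Core Processor

processor\t: 1
vendor_id\t: AuthenticAMD
cpu family\t: 23
model\t\t: 113
model name\t: AMD Ryzen 9 3900X 12-Core Processor

processor\t: 2
vendor_id\t: AuthenticAMD
cpu family\t: 25
model\t\t: 1
model name\t: AMD EPYC 7313 16-Core Processor

processor\t: 3
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 85
model name\t: Intel(R) Xeon(R) Platinum 8175M CPU @ 2.50GHz
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo-style text into one dict of fields per processor block."""
    cpus, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                cpus.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        cpus.append(current)
    return cpus


def is_zen2(cpu):
    """True when the block describes an AMD family 0x17 part in a Zen 2 model range."""
    if cpu.get("vendor_id") != "AuthenticAMD":
        return False
    try:
        family, model = int(cpu["cpu family"]), int(cpu["model"])
    except (KeyError, ValueError):
        return False  # malformed or truncated block: not enough to classify
    return family == 0x17 and any(lo <= model <= hi for lo, hi in ZEN2_MODEL_RANGES)


def zenbleed_exposure(text):
    """Summarise how many processors in the text are Zen 2 and which models they are."""
    cpus = parse_cpuinfo(text)
    affected = [c for c in cpus if is_zen2(c)]
    return {
        "total": len(cpus),
        "zen2": len(affected),
        "models": sorted({c.get("model name", "unknown") for c in affected}),
    }


if __name__ == "__main__":
    print(zenbleed_exposure(SAMPLE_CPUINFO))
```

On a live host, pass the contents of `/proc/cpuinfo` to `zenbleed_exposure` instead of the sample; a non-zero `zen2` count means the host's processor is in the affected family and its microcode or kernel mitigation status should be checked next.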