Cyware Daily Threat Intelligence

Daily Threat Briefing • Sep 18, 2023
The ever-evolving digital realm bears witness to a surge in fraudulent cryptocurrency and NFT giveaway schemes. In the case of the crypto giveaways, these scams harnessed the popularity of TikTok and used deepfake technology to ensnare unsuspecting investors. Meanwhile, threat actors orchestrating NFT giveaway scams commandeered the Twitter account of Ethereum co-founder Vitalik Buterin and absconded with a staggering sum of approximately $700,000. Adding intrigue to the digital landscape, the Bumblebee malware, renowned for its recurring summer breaks from the cyber world, has reemerged, unveiling a plethora of updated techniques.
While monitoring a campaign by Earth Lusca, researchers stumbled across a Linux malware variant derived from the open-source Windows backdoor Trochilus. Named SprySOCKS, the malware is gaining traction for its agility and SOCKS implementation. The group is infamous for targeting government departments and using N-day vulnerabilities.
TransUnion data exposed by USDoD
Consumer credit reporting agency TransUnion faced a security breach when a threat actor known as USDoD claimed to leak sensitive data allegedly stolen from the agency. The leaked database, over 3GB in size, contains the personal information of approximately 58,505 individuals worldwide, dating back to March 2nd, 2022. The exposed data includes names, passport information, birthdates, employment details, financial transactions, credit scores, and more.
Cl0p targets healthcare in the U.S.
The Cl0p ransomware gang has stolen personal data from major North Carolina hospitals, including Atrium Health and the Duke University Health System, as part of its Progress MOVEit Transfer campaign, noted Microsoft-owned healthcare technology firm Nuance. Nuance, which itself is a victim of the MOVEit attack, revealed that criminals accessed the personal data and demographic information of the victims. Users are advised to monitor their accounts for suspicious activity.
Banking customers impacted in Thailand
CardX, a part of the SCB X Group in Thailand, experienced a cybersecurity incident that exposed personal information related to personal loan and cash card applications. The exposed data includes customer names, addresses, phone numbers, and emails. While CardX assures that this information cannot be used for financial transactions, customers are advised to be cautious of potential fraud attempts.
Bumblebee malware resumes activity
Intel 471 found that Bumblebee is back, reducing its reliance on hard-coded command and control (C2) servers and adopting a Domain Generation Algorithm (DGA) instead. A recent campaign employed Web Distributed Authoring and Versioning (WebDAV) servers to disseminate Bumblebee payloads, utilizing malicious spam emails with Windows shortcut (.LNK) and compressed archive (.ZIP) files. When activated by users, these files trigger a set of commands that download Bumblebee from WebDAV servers.
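The move from hard-coded C2 servers to a DGA is something defenders can look for in resolver telemetry: algorithmically generated names tend to be long, high-entropy and vowel-poor, and an infected host tends to emit many of them in a short burst. The script below is an added example, not code from Intel 471 or from this briefing; the log line format, the constructed sample lines, the entropy and vowel thresholds, the burst threshold and the naive second-level-label extraction (no public suffix list) are all assumptions to tune against real resolver data.

```python
"""Heuristic DGA detector run over constructed DNS resolver log lines.

Added example, not Intel 471's or Cyware's code. Log format, sample lines
and thresholds are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log lines (timestamp, client IP, queried name); not real telemetry.
SAMPLE_DNS_LOG = """\
2023-09-18T09:12:01Z 10.20.3.41 query www.microsoft.com
2023-09-18T09:12:03Z 10.20.3.41 query qx7rkd2mzp9vh3tw.com
2023-09-18T09:12:04Z 10.20.3.41 query m4pz8k1qvw3hd7nb.net
2023-09-18T09:12:05Z 10.20.3.41 query update.office.com
2023-09-18T09:12:09Z 10.20.3.41 query c9fh2lxm5tdq8prk.org
2023-09-18T09:12:10Z 10.20.3.52 query mail.example.org
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for the empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn: str) -> str:
    """Second-level label of a name (naive: no public-suffix handling)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str, min_len: int = 12, min_entropy: float = 3.5,
                    max_vowel_ratio: float = 0.25) -> bool:
    """True when a label is long, high-entropy and unusually vowel-poor (assumed thresholds)."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def scan_dns_log(text: str, burst_threshold: int = 3) -> dict:
    """Return DGA-like lookups per client and the clients at or over the burst threshold."""
    flagged = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, name = m.groups()
        if looks_generated(registrable_label(name)):
            flagged[client].append(name)
    bursting = sorted(c for c, names in flagged.items() if len(names) >= burst_threshold)
    return {"flagged": dict(flagged), "bursting_clients": bursting}


if __name__ == "__main__":
    result = scan_dns_log(SAMPLE_DNS_LOG)
    for client, names in result["flagged"].items():
        print(f"{client}: {len(names)} DGA-like lookups -> {', '.join(names)}")
    print("clients over burst threshold:", result["bursting_clients"])
```

Entropy alone over-fires on long legitimate hostnames, which is why the vowel-ratio check is included; in production the same per-client burst logic is more useful than any single-name verdict, since a DGA client fails most of its lookups (NXDOMAIN) while it searches for the live C2 domain.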
BlackCat adopts new tactics to hit Azure Storage
Sophos discovered the BlackCat ransomware group adopting new tactics by using stolen Microsoft accounts and the Sphynx encryptor to encrypt the Azure cloud storage of its targets. The attackers gained access to a victim's Azure portal using a stolen Azure key, enabling them to encrypt 39 Azure Storage accounts. They also utilized Remote Monitoring and Management (RMM) tools like AnyDesk, Splashtop, and Atera during the intrusion.
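Encrypting 39 storage accounts with a stolen key means the attacker first had to read or regenerate account keys across many accounts in a short time, and those operations land in the Azure Activity Log. The script below is an added example, not Sophos' or Cyware's code: it flags storage key operations from callers that are not on an allowlist or that originate outside known address ranges, and raises a separate alert when one caller touches keys for several accounts within a window. The records are constructed and use only a simplified subset of the Activity Log schema (`operationName`, `caller`, `callerIpAddress`, `resourceId`, `eventTimestamp`); the allowlist, address ranges, subscription placeholder and thresholds are assumptions.

```python
"""Detect bulk storage-account key enumeration in constructed Azure Activity Log records.

Added example, not Sophos' or Cyware's code. Field names follow the Activity Log
schema, but the records, allowlist, ranges and thresholds are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Real Azure operation names for reading or regenerating storage account keys.
KEY_OPERATIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
}
# Assumed allowlist of identities expected to read keys (e.g. backup automation).
ALLOWED_CALLERS = {"svc-backup@contoso.example"}
# Assumed corporate egress ranges; 203.0.113.0/24 (TEST-NET-3) is deliberately outside them.
KNOWN_RANGES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]

# Constructed JSON-lines sample; SUB-ID-PLACEHOLDER stands in for a subscription id.
SAMPLE_ACTIVITY_LOG = """\
{"eventTimestamp": "2023-09-18T01:00:05Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "svc-backup@contoso.example", "callerIpAddress": "10.4.2.9", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-backup/providers/Microsoft.Storage/storageAccounts/stbackup01"}
{"eventTimestamp": "2023-09-18T01:10:01Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "j.doe@contoso.example", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"}
{"eventTimestamp": "2023-09-18T01:10:04Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "j.doe@contoso.example", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod02"}
{"eventTimestamp": "2023-09-18T01:10:09Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "j.doe@contoso.example", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod03"}
{"eventTimestamp": "2023-09-18T01:10:15Z", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "caller": "j.doe@contoso.example", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/stlogs01"}
{"eventTimestamp": "2023-09-18T01:11:30Z", "operationName": "Microsoft.Storage/storageAccounts/regenerateKey/action", "caller": "j.doe@contoso.example", "callerIpAddress": "203.0.113.7", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"}
{"eventTimestamp": "2023-09-18T01:12:00Z", "operationName": "Microsoft.Storage/storageAccounts/read", "caller": "a.smith@contoso.example", "callerIpAddress": "10.4.7.3", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stprod01"}
"""


def parse_records(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def account_name(resource_id: str) -> str:
    """Last path segment of an ARM resource id is the storage account name."""
    return resource_id.rstrip("/").rsplit("/", 1)[-1]


def is_known_ip(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # missing or malformed address is treated as unknown
    return any(addr in net for net in KNOWN_RANGES)


def flag_key_operations(records: list) -> list:
    """Key operations whose caller is not allowlisted or comes from an unknown address."""
    findings = []
    for r in records:
        if r.get("operationName") not in KEY_OPERATIONS:
            continue
        reasons = []
        if r.get("caller") not in ALLOWED_CALLERS:
            reasons.append("caller not allowlisted")
        if not is_known_ip(r.get("callerIpAddress", "")):
            reasons.append("source IP outside known ranges")
        if reasons:
            findings.append({
                "time": r["eventTimestamp"], "caller": r["caller"], "ip": r["callerIpAddress"],
                "account": account_name(r["resourceId"]),
                "operation": r["operationName"].rsplit("/", 2)[-2],  # listKeys / regenerateKey
                "reasons": reasons,
            })
    return findings


def mass_enumeration(records: list, window: timedelta = timedelta(minutes=10),
                     threshold: int = 3) -> dict:
    """Callers that touched keys of >= threshold distinct accounts within any `window`."""
    per_caller = defaultdict(list)
    for r in records:
        if r.get("operationName") in KEY_OPERATIONS:
            ts = datetime.strptime(r["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
            per_caller[r["caller"]].append((ts, account_name(r["resourceId"])))
    alerts = {}
    for caller, events in per_caller.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):  # window anchored at each event
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            best = max(best, len(accounts))
        if best >= threshold:
            alerts[caller] = best
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_ACTIVITY_LOG)
    for f in flag_key_operations(recs):
        print(f"{f['time']} {f['caller']} {f['operation']} on {f['account']}: {'; '.join(f['reasons'])}")
    print("mass key enumeration:", mass_enumeration(recs))
```

Alerting on `listKeys` is only half of the control: storage accounts that are accessed through Entra ID role assignments can have shared key authorization disabled altogether (the `allowSharedKeyAccess` property on the storage account), which removes the key-theft path this attack relied on, and any keys that must remain should be rotated on a schedule and whenever such an alert fires.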
New Linux backdoor by Earth Lusca
Researchers have uncovered a new Linux backdoor called SprySOCKS that shares similarities with the Trochilus Windows backdoor. The Earth Lusca cyberespionage group is reportedly behind the malware threat. SprySOCKS is delivered via an encrypted file and contains various features, including an interactive shell, network connection listing, and file operations. The malware uses a fixed AES-ECB password for communication encryption and employs a C2 protocol reminiscent of the RedLeaves backdoor.
UNC3944 embraces ransomware operations
UNC3944, a financially motivated threat cluster, has transitioned from SIM-swapping attacks to deploying ransomware in victim environments, broadening its targeted industries to include hospitality, retail, media, entertainment, and financial services. The group employs SMS phishing, social engineering, and legitimate software, alongside publicly available tools. Operating with a high tempo, they focus on privilege escalation, data exfiltration, and aggressive communication with victims.
Hook: An Android banking trojan
A new Android banking trojan, Hook, has been found to be built upon its predecessor, ERMAC, with both sharing core features for SMS theft, overlay attacks, and credential theft from over 700 apps. Hook adds 38 commands that let operators capture victims' screens, take photos using the front camera, extract Google login cookies, and pilfer cryptocurrency wallet recovery seeds. As of April, Hook's developer announced a halt to the project, but its source code surfaced for sale in May, raising concerns about future variants.
Transparent Tribe launches new mobile RAT
Security researchers at SentinelLabs have identified three Android APKs linked to CapraRAT, a mobile RAT used by the suspected Pakistani threat actor Transparent Tribe. These APKs mimic the appearance of YouTube but are less fully featured than the legitimate YouTube app. CapraRAT, which hides RAT features within another application, grants attackers extensive control over Android devices. Transparent Tribe distributes these malicious Android apps through self-run websites and social engineering tactics.
Fortinet fixes critical vulnerabilities
Fortinet has addressed security vulnerabilities in its products, including a flaw impacting FortiProxy and FortiOS, tracked as CVE-2023-29183. If exploited, it could allow an attacker to execute malicious JavaScript code on compromised systems. The affected versions include FortiProxy 7.0.x and 7.2.x, and FortiOS 6.2.x, 6.4.x, 7.0.x, and 7.2.x. Additionally, Fortinet patched a high-severity issue, CVE-2023-34984, in its web application firewall and API protection solution, FortiWeb, which could allow an attacker to bypass existing XSS and CSRF protections.
$700k stolen in NFT scam
A hacker infiltrated Ethereum co-founder Vitalik Buterin's X (formerly Twitter) account, orchestrating a scam that resulted in a loss of over $690,000. The attacker posted a deceptive message about NFT giveaways, containing a fraudulent URL. Users who connected their wallets to claim the promised NFTs fell victim to the ploy, losing their assets instead.
Crypto giveaway scams spike
Cybercriminals were spotted impersonating Elon Musk, Tesla, or SpaceX to lure users into fake crypto investment schemes. Victims are promised substantial returns but are ultimately tricked into depositing cryptocurrency, which the scammers then steal. The scams exploit the popularity of TikTok and have the potential to generate significant revenue for threat actors. Social media platforms remain vulnerable to such fraudulent cryptocurrency schemes despite awareness of their existence.