Cyware Monthly Cyber Threat Intelligence

Cyware Monthly Cyber Threat Intelligence February 2018 - Featured Image

Monthly Threat Briefing February 28, 2018

The Good

February witnessed many new developments in cyber-technology especially in the domain of machine learning, artificial intelligence, and government technology amongst others. MIT university is launching Intelligence Quest aimed at creating new algorithms for machine learning and artificial intelligence. To combat the sophisticated malware being developed by hackers, researchers are coming up with various techniques--Quantum physics, being one of it. MIT researchers have also designed a new chip that is hardwired to perform public-key encryption. Microsoft released the new Insider Preview update for Windows 10 S users, that would render passwords useless.Finally, reports released by National Cyber Security Centre (NCSC) about its Active Cyber Defense (ACD) show improved statistics against phishing scams. Meanwhile, NIST published a report to provide the basis for the evolution of a standardized approach to entity attributes.

  • The Massachusetts Institute of Technology is launching an initiative called MIT Intelligence Quest in an effort to combine multiple disciplines to reverse engineer human intelligence, create new algorithms for machine learning and artificial intelligence and foster collaboration. The biggest takeaway from the structure of MIT IQ is that artificial intelligence needs to be a team sport to develop breakthroughs. MIT IQ is an effort to break down multiple research silos across the institute to rally around human and machine intelligence.
  • The Canadian government is helping to test a new airport security and screening system that will allow travelers to digitize and share travel documents and biometric information with authorities in advance. Launched at the World Economic Forum (WEF) meeting in Davos, Switzerland, the “Known Traveller Digital Identity” system aims to exploit an array of emerging technologies including biometrics, the blockchain, and artificial intelligence to boost cross-border security, reduce the threat of cyber-terrorism and streamline international travel.
  • Much like the sci-fi movies, new eyeglasses have been invented that could take pictures and recognize faces. According to the Hong Kong Free Press, four police officers in the city of Zhengzhou have already started wearing these glasses. The camera attached above the left eye allows officers to look in the direction of an individual and take their photo. The glasses are also linked to a smartphone-like handheld device that scans the individual’s face and pulls information--such as name, gender, ethnicity, full address, and whether they have been charged with any crimes or have outstanding warrants--about him/her from a central database. Police can also access information about their internet usage.
  • The new Insider Preview update released by Microsoft for Windows 10 S users allows them to ditch system passwords. Individuals can now use an Authenticator App, that can be installed on their phones, to unlock the security-focused Windows flavor. Once users set up Windows Hello with the app, they will no longer be asked to use password as a sign-in option. As per reports, Microsoft plans to drop 10 S as a standalone product in order to offer it as a mode to both Home and Pro users.
  • The National Cyber Security Centre (NCSC) launched its Active Cyber Defense (ACD) initiative a year ago. Results to the initiative were released. This free technology blocks malicious emails, removes phishing attacks and stops public sector systems veering onto malicious servers. According to a report--named Active Cyber Defense - One Year On, since the inception of the ACD, UK’s share of visible global phishing attacks has dropped from 5.3% (June 2016) to 3.1% (Nov 2017). It also reported that 121,479 phishing sites hosted in the UK have been removed. There was also a drop of scam emails from bogus ‘@gov.uk’ domains, and take down availability times for sites spoofing government brands came down from 42 hours to 10 hours. An average of 4.5 million malicious emails per month have been blocked from reaching users, by deploying more than one million security scans and seven million security tests across public sector websites.
  • A new scalable, secure and decentralized digital currency and payment platform, called Algorand, has been founded by Silvio Micali. Silvio is a Turing Award-winning cryptographer and professor of computer science at MIT. Pillar and Union Square Ventures are providing seed funding, of worth $4 million, for the same. Algorand attempts to address the scaling challenges of the blockchain technology through rapid and efficient user consensus, enabling even the smallest transactions, regardless of volume or number of users.
  • A new feature, which eliminates the need for passwords, is under testing by Microsoft for Windows 10. The latest Insider preview release (build 17093), relies on the Authenticator app on Android and iOS. The Authenticator app can authorize or block requests to login, thus rendering passwords redundant. The feature is also available in Windows 10 S. However, users are advised to configure Windows Hello and the Authenticator app properly.
  • Mastercard announced that all users of its service will not be able to use biometrics--including fingerprint and facial recognition. A deadline of April 2019 has been set for biometric identification for users. Along with PIN numbers and passwords, all banks that accept Mastercard payments will have to support biometric identification mechanisms, for all remote payments. The biometric authentication will be used in conjunction with a mobile device.
  • Microsoft has released new features to allow IT professionals better assess if their devices are patched against the Meltdown and Spectre flaws. The feature is available in Windows Analytics, and offers details on the firmware installed on the device and if necessary security patches have been applied to the firmware.
  • Researchers at MIT have come up with a new chip that is hardwired to perform public-key encryption. The chip is highly energy efficient as it consumes only 1/400 as much power as software execution of same protocols would require. Furthermore, the chip uses about 1/10 as much memory and executes 500 times faster. The researchers have described the technique used in the chip as ‘elliptic-curve encryption’ that relies on a type of mathematical function called an elliptic curve.
  • Quantum physics is gaining much importance in cybersecurity because of stronger security features it can help create. An Australian cyber security company is using quantum physics to create stronger data security tools. The entire concept focuses on the concept of quantum tunneling, an intriguing property in diodes, that paves way for the creation of stronger encryption keys. As per classical mechanics, Quantum tunneling is a phenomenon as per which a particle is able to cross a barrier that technically it should not be able to do.
  • The National Institute of Standards and Technology (NIST) has published the 'Attribute Metadata: a Proposed Schema for Evaluating Federated Attributes' in order to provide the basis for the evolution of a standardized approach to entity attributes. This is an internal report that can be used by public and private organizations. The report will not be imposed on the federal agencies. The purpose is to allow a system that uses federated IAM to better understand and trust different attributes; to apply more granular and effective access authorizations, and to promote the federation of attributes.

The Bad

This month was also witness to many breaches along with disclosure of breaches from the past. Security experts have found millions of emails credentials belonging to employees of Fortune 500 companies on the dark web. A wave of cyber attacks disrupted Netherlands tax office. iBoot, the source code for a core component of the iPhone’s operating system was published on GitHub by an unknown user. Reports also noted that Fancy Bear, the Russian hacker group has exploited a key vulnerability in the US cyber defenses and managed to steal secret documents.

  • Security experts found that a trove of over millions of email credentials, which belongs to employees of Fortune 500 companies, has been leaked to the dark web. Experts analyzed data from over a three-year period, which represented the largest ever trove of stolen credentials – amounting to eight billion. It was found that over 2.7 million of these eight billion stolen credentials have found their way into the dark web.
  • The national tax office in the Netherlands said its website briefly went offline on Monday due to a DDoS cyber attack, after the country’s largest banks were targeted. ABN Amro and ING said they were both targeted by hackers, temporarily disrupting online and mobile banking services. The tax office said its website went down for 5-10 minutes after a DDoS attack.
  • It appears cryptocurrency startup BeeToken, which promised to disrupt the home sharing industry by putting its service on the blockchain, has been hacked. The attackers are actively targeting its initial coin offering (ICO) with phishing attacks and have already duped gullible investors for over $1 million worth of Ethereum. The company has confirmed the phishing attacks on its official Twitter and Medium accounts, warning that users should treat emails and Telegram messages directly encouraging users to send funds are likely fraudulent.
  • A wave of attacks leveraging the popular third-party services Google+, Pastebin, and bit.ly is targeting individuals and organizations within the Palestinian Territories. Dubbed “TopHat” the campaign uses Arabic language decoy documents related to current political events to lure victims into opening the documents and subsequently infecting themselves with malware from the “Scote” family.The ultimate payload is a new malware family that has been dubbed “Scote” based on strings found within the malware samples. Scote provides backdoor access for an attacker and we have observed it collecting command and control (C2) information from Pastebin links as well as Google+ profiles.
  • The source code for a core component of the iPhone’s operating system, labeled ‘iBoot’, was found on the GitHub. Who published there is still unknown. This code is responsible for ensuring a trusted boot of the operating system--meaning, once you turn on the device, the code loads and verifies that the kernel is duly signed by the apple and then executes it. Hackers can use this code to find vulnerabilities in iOS and devise new techniques to jailbreak the OS.
  • It has been reported that Fancy Bear, the Russian group of hackers have exploited a key vulnerability in the US cyber defenses and almost managed to steal secret documents and advanced defense technology. What documents have been stolen isn’t clear yet. The investigation revealed that hackers were able to breach the systems due to poor email protection and minimal direct notification of victims.
  • Business Wire, the corporate news release distributor announced that they have been a victim of DoS (Denial of Service) attacks. As per the company, the DoS attacks were initiated on 31st January. Fortunately, no customer information was compromised. Security researchers are speculating that the attacks were launched due to the company’s dealings with Fortune 500 companies and the sensitive data it might be holding.
  • Worblaufen, a Switzerland based firm revealed details of a security incident that occurred in late 2017, which resulted in leakage of sensitive customer data--including names, addresses, telephone numbers and date of birth. However, as per the Swiss laws, the information falls under “non-sensitive” category. According to the company, the data leak occurred due to misappropriation of a sales partner’s access rights.
  • Hackers have injected an in-browser Monero miner to 4,275 sites--including government websites such as uscourts.gov, ico.org.uk, & manchester.gov.uk--in order to use the visitors’ CPU to mine for Monero digital currency. These sites utilized the Coinhive in-browser mining (cryptojacking) script.
  • BitGrail, an Italian cryptocurrency exchange platform, announced on its website that 7 million Nano (worth around $202.3 million) was found missing. The company claims unauthorized transactions as the reason. Currently, all withdrawals and deposits from the site have been halted. Nano cryptocurrency was worth $11.90 at the time the announcement was made.
  • A hacker using the alias NullHumanity managed to find a critical vulnerability in Canadian Freedom Mobile and used the bug to download confidential customer data, and warned the company to establish proper security measures. Customer data--including phone number, address, call history and other information--was reportedly stolen.
  • Two different data leaks have taken place due to misconfigured databases exposing the personal details of thousands of people. One of the victims is the Maryland Joint Insurance Association, which left access to a customer file repository, unsecured. The data repository contained customer details such as names, addresses, phone numbers, birth dates, and full Social Security numbers; along with financial data such as check images, full bank account numbers, and insurance policy numbers. Another victim is MDJIA access credentials for ISO ClaimSearch. The exposed database contained millions of reports on individual insurance claims for industry professionals. Both breaches occurred due to NAS server with an open port 9000.
  • Several core domains names of Newtek Business Services Corp., were stolen resulting in shut off of emails and stranded websites of several customers. Newtek is a web services conglomerate that operates more than 100,000 business websites and around 40,000 managed technology account. As per sources, three of the core domains were hijacked and replaced by a Vietnamese hacker. The hacker replaced the login page many Newtek customers used to remotely manage their Web sites (webcontrolcenter[dot]com) with a live Web chat service. However, Newtek mentioned in an email that the company was changing domains due to “increased” security.
  • Tesla fell victim to the hackers this month when it came to be known that their cloud environment was exploited by hackers to mine cryptocurrencies. Security researchers reported the discovery of an unprotected Kubernetes console that belongs to Tesla. The console is used to automate the deployment, and for scaling and operating application containers and virtualized software among others. The researchers discovered that hackers have deployed mining scripts on Tesla’s unsecured Kubernetes instances to perform cryptojacking.
  • Hackers stole away the personal details of at least 685,000 registered forum users of Hardware Zone. As per statistics, this breach is the largest breach in Singapore to date. Although the hacking took place in September 2017, it was discovered when security researchers discovered suspicious posting from a senior moderator’s account that was found to be compromised by an unknown hacker.
  • California seems to be on hackers radar. Now in a new breach, the hackers have stolen the personal data of thousands of state employees and contractors from the Department of Fish and Wildlife. However, what is different about this breach is that the data was stolen by an insider (former employee) who downloaded it to an unencrypted personal device and took the data outside the department’s perimeter. As of now, the threat actor has not been named by the department.
  • The Russian Central Bank came with an astonishing revelation when it disclosed that unknown hackers had stolen $6 million from a Russian bank last year. The hackers had compromised SWIFT international payments messaging system. Although the bank did not provide much inside details of the hack but it did mention that the hackers employed a ‘common scheme’ to compromise SWIFT and steal the money.

New Threats

New botnets and ransomware have been discovered this months. Smominru, a botnet has been discovered infecting machines to mine Monero; and GandCrab ransomware was found exploiting systems. More details of the flash zero-day exploited by the North Korean hackers were disclosed. In addition, a new PoS malware was discovered by the researchers targeting people in the USA and for the first time, cryptomining attacks targeting SCADA systems were found out. New attack techniques, dubbed MeltdownPrime and SpectrePrime, used to exploit the Intel chip flaws were discovered.

  • A global botnet dubbed “Smominru” has been secretly mining Monero on infected machines and making millions of dollars for its owners. The operators have mined about 8,900 Monero valued at up to $3.6 million at a rate of 24 Monero ($8,500) per week. Researchers have watched the Smominru botnet spread since May 2017. Now including over 526,000 infected Windows hosts, Smominru uses EternalBlue, a Windows exploit developed by the NSA and leaked by the hacking group Shadow Brokers.
  • South Korean authorities have issued a warning regarding a brand new Flash zero-day deployed in the wild. According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number. An attacker can persuade users to open Microsoft Office documents, web pages, spam emails, etc. that contain Flash files that distribute the malicious [Flash] code. The malicious code is believed to be a Flash SWF file embedded in MS Word documents.
  • Fitness wearables and apps are very useful when trying to keep in shape, and members of the U.S. military have embraced the technology wholeheartedly. However, easy access to all that information online may have an unexpected downside. Strava is a social networking app geared toward athletes, where users can upload their fitness data, and it uses GPS tracking data for a variety of website applications. One of the projects of Strava Labs is a “Global Heatmap,” an easily accessible visualization of the network data, that shows popular running and cycling routes. The heatmap boasts data from more than one billion activities all around the globe.
  • A new ransomware called GandCrab has been released that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld. Unfortunately, at this time there is no way to decrypt files encrypted by GandCrab for free.
  • Researchers have unearthed a new strain of Gojdue ransomware on the dark web. Named, ShurL0ckr, the ransomware has been found to evade being flagged by two major cloud platforms, Google Drive and Microsoft Office 365, with malware protection features. ShurL0ckr has been classified as a zero-day ransomware-as-a-service that is similar to the infamous Satan ransomware in functionality.
  • South Korean-CERT disclosed an Adobe Flash Player zero-day vulnerability being exploited by the North Korean hackers. Although rare, it was not the first time that North Korean hackers had exploited a zero-day. Given the highly sophisticated campaigns carried out by the Lazarus group in 2016, the flash player exploit came as a surprise for the researchers. Later, it was found out that another threat actor going by the name of ScarCruft, alias Group 123 and Reaper) was behind the flash player exploit.
  • The arrival of the GrandCrab ransomware was reported. It is a new malspam campaign that comes disguised as PDF receipts but instead delivers the malicious ransomware code. Now, further research has revealed that the ransomware is installed through PowerShell script. Initially, the victim receives an email with a subject like “Receipt Feb-078122” containing PDF attachments with names like Feb01221812. Users must exercise utmost caution while handling any email with similar subjects and attachments.
  • Researchers have identified a new Point of Sale (PoS) malware in a relatively long time. The malware steals data from the magnetic strips on the payment cards. It comes disguised as a service pack for LogMein, a remote connectivity services software. Researchers became suspicious after an unusually large number of unusual domain name system (DNS) requests were generated by the service pack. The malware is believed to target the US consumers instead of European consumers because the in latter, the payment cards mostly enjoy “Chip and Pin” protection.
  • There is an increasing evidence that hackers are now shifting from ransomware to crypto mining malware as the latter is generating more profits. Now, security experts have documented the first cryptominer attack on a critical infrastructure project. The attack particularly targeted the SCADA network of the water utility facility. As per the investigation, it was found out that the malicious code deployed was mining Monero currency which has lately found some popularity amongst the hacking community because of its stealth features. The malware could run in stealth mode and even render the security tools on the network devices disabled to operate latently and maximize the mining process.
  • Security researchers from Nvidia and Princeton University have developed a new tool to explore how hackers could take advantage of the CPU flaws and discovered a brand new way of exploiting Meltdown and Spectre flaws. The techniques, dubbed MeltdownPrime and SpectrePrime, pit two CPU cores against each other to dupe multi-core systems and get access to their cached data. Thus, hackers can steal sensitive information like passwords.
  • Scammers are using a new, macro-less technique to infect users with a credential-stealing malware. This attack technique relies on users opening Word documents, but doesn’t require them to enable Macros. Evidence suggests that presently only one group is actively using this technique.
  • Two malware packages--referred to as HARDRAIN and BADCALL--were reportedly released by Hidden Cobra, aka Lazarus Group. Reports about the malware packages were given by the Department of Homeland Security (DHS) and FBI. The malware is capable of installing a remote access tool (RAT) payload on Android devices, and force infected Windows systems to act as a proxy server, disguising their command-and-control communications to appear as if they are encrypted TLS/SSL (HTTPS) sessions.
  • Kotlin is an open-source programming language, fully-supported for Android. Starting from Fortune 500 companies (like Twitter, Uber etc), many apps were built using Kotlin. As per Google’s claims, Kotlin reduces the amount of boilerplate code needed to create an app—which makes it much safer. However, first samples of Android malware created using Kotlin were found on Google Play by security researchers.
  • The infamous Coldroot Remote Access Trojan is still found to be undetectable by popular antivirus engines. It would be essential to mention that the trojan code was uploaded and made freely available on GitHub for around 2 years. Initially, the trojan was created to target the Mac users and fill in the void of a RAT targeting Macs but since then it has expanded its domain to cover Linux and Windows also.
  • Researchers have identified a multi-stage infection attack that deploys malware for stealing passwords from applications installed on the targeted computer. The attack is initiated through spam emails that are delivered via Necurs botnet. The botnet delivers macro-enabled documents including Word, Excel and PowerPoint documents. In the campaign, researchers found out that DOCX attachments containing en embedded OLE objects having external referenced were used.
  • The famous peer-to-peer apps BitTorrent and uTorrent have been found vulnerable to hijacking flaws. A security researcher unearthed a number of DNS rebinding exploits in the Windows versions of the software. The bugs allow the hackers to resolve web domains to the user’s computer thereby providing the keys to the kingdom. The hackers are able to execute remote code, download malware to Windows startup folder, take hold of downloaded files and scan your download history. The bug impacts all the unpatched versions of the software.
  • Researchers have unearthed new spam campaigns impacting a number of websites including the Bitcoin cryptocurrency. The spam campaign starts with the injection of a malicious script into different Joomla, WordPress and jBoss websites. The purpose is to create a binary file that is achieved by hiding the unwanted script on the embedded site. Once the binary file is created, the hackers misuse the PC’s CPU to access user’s computers to mine Bitcoin.

Related Threat Briefings

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors.  A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024

Cyware Monthly Threat Intelligence

The Good The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and t

Sep 2, 2024

Cyware Monthly Threat Intelligence

The Good In a series of proactive measures aimed at bolstering global cybersecurity resilience, significant strides were made in the education and law enforcement sectors to safeguard critical systems against evolving threats. The NASA Katherine Jo

Aug 1, 2024

Cyware Monthly Threat Intelligence

The Good The collaborative efforts and enhanced protocols by different government bodies represent significant steps forward in strengthening cybersecurity on a global scale. French authorities, in collaboration with Europol, have launched a "disin

Jul 1, 2024

Cyware Monthly Threat Intelligence

The Good Recent developments showcase a proactive stance in bolstering cybersecurity across critical sectors. The collaboration between the U.K’s National Crime Agency (NCA) and the FBI to dismantle the Qilin ransomware gang highlights internationa