Cyware Monthly Threat Intelligence

Monthly Threat Briefing • May 2, 2022
Digital modernization in the federal sphere took a leap with the announcement of the Bureau of Cyberspace and Digital Policy. However, threats to critical infrastructure bring their own set of challenges. To address the rise in attacks on the country’s industrial systems, some top industry players have joined hands. Meanwhile, CERT-In mandated that organizations report infosec incidents within six hours of detection.
The Bureau of Cyberspace and Digital Policy was launched officially under the State Department to address the national security challenges, economic opportunities, and implications for the U.S. in the areas of cyberspace, digital technologies, and digital policy.
The U.S. is partnering with six other countries—Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan—to create privacy and cybersecurity standards for data that crosses each other’s borders.
A group of cybersecurity companies that help defend industrial systems from hackers joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen ICS and critical infrastructure security in the U.S. The coalition also aims to streamline how the founding members share threat information with each other and with the government.
CERT-In rolled out a new set of rules that mandate organizations to report 20 different types of infosec incidents within six hours of detection. The rules apply to service providers, data center operators, intermediaries, government organizations, and companies.
Google released a new Data Safety program for Android apps on the Play Store that details the types of data being collected and shared with third parties. The Data Safety section will include information such as whether the developer collects data and for what purpose, whether the data is shared with third parties, and the app’s security practices, among others.
Crypto and NFT platforms are undoubtedly the new crime paradise. Several crypto firms and major NFT projects were targeted to net millions of dollars. There has also been significant development in the ransomware landscape. Conti continues to give nightmares to government as well as private sector organizations, claiming at least five potential victims. Also, organizations may have to gear up, as REvil and Emotet are back in the game.
A compromised Trezor hardware wallet mailing list was used by hackers to send fake data breach notifications to steal cryptocurrency wallets and the assets stored within them. Attackers leveraged one of the newsletters hosted at MailChimp to launch the attack. The notifications prompted recipients to download a fake Trezor Suite software that would steal their recovery seeds.
Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam that steals their personal information. The scam, which goes with the title ‘Free easter chocolate basket,’ is making the rounds on WhatsApp and social media sites. The recipients are asked to click on a link to claim the free gift. But, before that, the recipients are asked to answer a series of questions appearing on the screen.
Multiple crypto platforms were targeted in April. An attack on the Ethereum-based stablecoin protocol Beanstalk Farms resulted in a loss of about $182 million. More than $15 million was stolen after hackers exploited the DeFi platform Inverse Finance. In similar news, hackers bilked over $13.4 million from Deus Finance.
Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a precautionary measure, the company took immediate action to prevent further propagation of the attack.
The Texas Department of Insurance (TDI) disclosed a data security incident that affected roughly 1.8 million people. It occurred due to a vulnerability in one of its web applications. The exposed information included names, phone numbers, addresses, dates of birth, and Social Security numbers.
A report found that fraudsters made nearly $1.7 million through cryptocurrency giveaway scams on YouTube. Over 36 YouTube channels used for the purpose were observed between February 16 and February 18, attracting at least 165,000 viewers. The videos used footage of tech entrepreneurs and crypto investors such as Elon Musk, Brad Garlinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood to lend legitimacy to the scams.
The Conti ransomware group added at least five new organizations to its list of victims. These were Snap-on Tools, Panasonic Corp, TrustFord UK, Elgin County (Ontario), BlueForce, and industrial component giant Parker Hannifin. Additionally, security researchers found a connection between Conti and the recently emerged Karakurt data extortion group, and between Conti and Emotet, which resumed its operations after a ten-month hiatus.
Researchers revealed that the LockBit ransomware group managed to maintain persistence in the network of a regional U.S. government agency for at least five months. Logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.
Researchers spotted REvil ransomware’s servers back online on the Tor network after several months of inactivity. A new leak site associated with the ransomware is being promoted on the RuTOR dark web marketplace. The site includes a list of organizations targeted by the ransomware, two of which are new.
The Instagram account and Discord server of Bored Ape Yacht Club were hacked by cybercriminals to steal 24 Bored Apes and 30 Mutant Apes (estimated to be worth $13.7 million). In a similar incident, the Discord communities of multiple major NFT projects were hacked as part of a phishing scam that lured users into minting a fake NFT by sending ETH and, in some instances, an NFT to be wrapped into a token.
The Iranian-linked threat actor group Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954, the remote code execution vulnerability affects VMware Workspace ONE Access and Identity Manager.
Coca-Cola launched an investigation into a ransomware attack after hackers claimed to have stolen documents from the beverage giant. The Stormous ransomware group took to underground forums to claim the attack, putting 161 GB of stolen data up for sale. The group is offering the stolen data for about $64,000.
The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.
Meanwhile, hackers continue to evolve their tools and tactics. A new Russian-linked malware was developed to target ICS and SCADA systems. A group of security researchers uncovered the new Parrot TDS, which poses risks to web developers worldwide. In separate news, LemonDuck was spotted targeting exposed Docker APIs to mine cryptocurrency.