Cyware Monthly Threat Intelligence

Monthly Threat Briefing Sep 2, 2020

The Good

There is a lot going on in the cyber world, but not all of it is bad. One group of academic researchers developed a new AI technique to ward off cyberattacks on medical devices, while another research group built an AI model that identifies malicious code used to hijack supercomputers for cryptocurrency mining. In another vein, the National Institute of Standards and Technology (NIST) released the final version of its Zero Trust Architecture for organizations.

  • Researchers at Ben-Gurion University of the Negev developed a new AI technique to protect medical devices from malicious operating instructions sent during a cyberattack, as well as from other human and system errors. The technology analyzes the instructions sent from a PC to connected devices and detects any anomalous code.

  • Researchers at Los Alamos National Laboratory developed a new AI-driven model that can identify malicious code used to hijack supercomputers to mine cryptocurrencies such as Bitcoin and Monero.

  • MITRE released a new Shield framework to help organizations actively detect and counter intruders on their networks. The framework includes different tactics to detect, disrupt, and contain attacks from intruders.

  • NIST unveiled the final version of its Zero Trust Architecture to give cybersecurity leaders, administrators, and managers a better understanding of a Zero Trust environment. The framework was developed in collaboration with multiple federal agencies.

The Bad

Last month, several cybercriminal groups were observed evolving their TTPs and going on an attack spree against organizations globally. A series of DDoS attacks on New Zealand’s stock exchange (NZX) disrupted its trading operations for four consecutive days. Meanwhile, ransomware actors rained attacks on Valley Health Systems, LG, Konica Minolta, and Brown-Forman, among other renowned firms. Moreover, the University of Utah had to pay a ransom of over $450,000 to prevent student data from being leaked.

  • Utah Pathology Services disclosed a data breach that resulted in the exposure of the personal information of approximately 112,000 patients. The hackers also attempted to redirect funds by exploiting an employee’s account.

  • NZX was offline for four days after a group of cybercriminals launched DDoS attacks on its networks. NZX later resumed trading without identifying the attacker.

  • REvil ransomware operators claimed to have breached and stolen sensitive data from Valley Health Systems, a regional healthcare system that serves nearly 75,000 patients in Southern West Virginia, Southeast Ohio, and Eastern Kentucky.

  • Active since 2018, the Lazarus threat actor group has been linked to an ongoing cyberespionage campaign. The campaign, carried out through LinkedIn, has targeted businesses in at least 14 countries, including the U.K. and the U.S.

  • The University of Utah paid a ransom of over $450,000 to prevent the ransomware gang from leaking student data on the internet. The decision was made by the university to protect the integrity of the data even after it was restored from backups.

  • Even the Japanese technology giant Konica Minolta and the U.S. wine and spirits company Brown-Forman were not spared from ransomware attacks. While the ransomware family behind the Konica Minolta attack is still unknown, the attack on Brown-Forman was conducted with REvil ransomware, whose operators pilfered around 1TB of data.

  • The South African branch of the consumer credit reporting agency, Experian, disclosed a data breach that impacted the personal details of 24 million South Africans and 793,749 local businesses. The incident occurred after the agency handed over some sensitive data to a fraudster posing as a client.

  • The U.S. chipmaker Intel found itself in a soup after 17GB of its data was leaked on the file-sharing site MEGA. The exposed data consisted of files from the Intel Resource and Design Center, various Intel development and debugging tools, roadmap documents, schematics of several processors, and other material.

  • An artificial intelligence company, Cense, leaked 2.5 million records that contained sensitive medical data and PII. The breached data was stored directly on the same IP address as Cense’s website.

  • Nine data leak incidents that compromised the medical data of 200,000 U.S. users came to light after researchers discovered misconfiguration issues in GitHub repositories. The affected entities included Xybion, MedPro Billing, Texas Physician House Calls, VirMedica, MaineCare, Waystar, Shields Health Care Group, and AccQData.

  • Adit, a Houston-based patient management software provider, laid bare the personal and sensitive information of 3.1 million patients via an unsecured database for about 10 days. Surprisingly, the database was later, allegedly, wiped by Meow Bot, an automated bot.

  • The Maze ransomware gang published over 70GB of data stolen from LG and Xerox on its leak site following failed ransom negotiations. Summit Medical Associates also disclosed a ransomware attack that affected the personal information of patients and affiliates.

  • A report found that Russian-speaking hackers compromised the VPN authentication data of 38 large Japanese companies in the Pulse Secure VPN breach. A hacker had, reportedly, exposed plaintext usernames and passwords, session cookies, IP addresses, and other details of more than 900 Pulse Secure VPN servers in the first week of August.

New Threats

Attackers are continuously testing enterprise security systems and exploring new ways to get through. In one attack campaign, cybercriminals were seen exploiting Unicode and HTML/CSS tricks to manipulate how messages are rendered and bypass security checks. Elsewhere, the U.S. government warned against the BeagleBoyz group, which has attempted to swindle $2 billion since 2015. Moreover, security experts red-flagged several new threats, including BLINDINGCAN and FritzFrog, that challenge the cyber readiness of organizations.

  • Researchers stumbled across a hacker group using HTML/CSS and Unicode tricks to disguise malicious phishing emails and bypass malware detection tools. Instead of writing a phrase such as “change your password,” the attackers wrote “c-h-a-n-g-e- -y-o-u-r- -p-a-s-s-w-o-r-d-” to evade the scanners.

  • In a joint advisory, the FBI, U.S. Cyber Command, and CISA warned that the prolific North Korean hacking group known as BeagleBoyz has resumed its operations against financial institutions. According to the agencies, the group has attempted to steal $2 billion since at least 2015 and is targeting banks and other financial services in almost 40 countries.

  • Apple inadvertently approved malware disguised as an Adobe Flash installer, allowing it to run on Macs, including the unreleased beta of macOS Big Sur. The campaign distributes the ubiquitous “Shlayer” adware, which intercepts encrypted web traffic and replaces websites and search results with its own ads.

  • In an advisory, Autodesk warned users that hackers are using a PhysPluginMfx MAXScript exploit that can corrupt 3ds Max settings, run malicious code, and propagate to other MAX files on a Windows system. The malicious code is also capable of collecting passwords from web browsers such as Firefox, Google Chrome, and Internet Explorer.

  • Researchers reported that a pool of 5,000 malicious apps involved in giveaway scams infected around 65,000 devices with a novel ad fraud botnet. Among the free gifts used as lures were boots, sneakers, event tickets, coupons, and expensive dental treatments.

  • CISA published an alert about new North Korean malware, dubbed BLINDINGCAN, that was used in attacks on the country’s defense and aerospace sectors. The malware was distributed using fake job offers as bait.

  • Security experts uncovered a multi-functional peer-to-peer (P2P) botnet, called FritzFrog, that has been actively targeting SSH servers since January 2020. To date, the modular botnet has breached more than 500 servers, including many belonging to universities in the U.S. and Europe.

  • TeamTNT became the first threat actor group to use cryptomining malware with functionality to steal AWS credentials from infected servers. The group’s modus operandi involves scanning the internet for misconfigured Docker systems.

  • A new info-stealing malware, Anubis, is being actively distributed in the wild. The malware borrows code from the Loki malware and is designed to steal system information, credentials, credit card details, and cryptocurrency wallets.

  • SunCrypt ransomware joined the cartel created by the Maze ransomware gang. The cartel, which already includes LockBit and RagnarLocker, has started sharing information and techniques among its members.

  • The Agent Tesla information-stealing trojan now includes modules to steal credentials from applications, including popular web browsers, VPN software, and FTP and email clients. The variant can also steal victims’ clipboard contents and disable anti-malware and analysis software.

  • In an extensive study, researchers identified a new RedCurl cybercrime group that has targeted at least 14 private companies in 26 attacks since 2018. The attacks were aimed at stealing documents containing commercial secrets and employees’ personal information.

  • The Iranian hacking group OilRig became the first publicly known threat actor to incorporate the DNS-over-HTTPS (DoH) protocol in its attacks. To facilitate this, the operators are using a new utility called DNSExfiltrator as part of their intrusions into compromised networks.
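To show how a mail filter can undo the letter-spacing, markup and invisible-character tricks described in the first bullet before applying keyword rules, here is an added example; it is not code from Cyware or from the researchers cited, and the phrase list, the set of invisible code points and the sample messages are constructed assumptions.

```python
import re
import unicodedata

# Invisible code points that phishing kits insert between letters so that a
# keyword such as "password" never appears contiguously (assumed set).
INVISIBLE = {
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u00ad",  # SOFT HYPHEN
}

# Phrases the rule fires on once the text has been normalised (assumed list).
SUSPICIOUS_PHRASES = ("change your password", "verify your account")

def normalise(text: str) -> str:
    """Undo the spacing, markup and Unicode tricks before keyword matching."""
    # Fold compatibility forms (full-width letters, ligatures) to plain ASCII.
    text = unicodedata.normalize("NFKC", text)
    # Drop HTML tags used to split a word across elements; CSS-hidden filler
    # text would need a renderer and is not handled here.
    text = re.sub(r"<[^>]+>", "", text)
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    # Collapse "c-h-a-n-g-e" letter-by-letter hyphenation and the "- -"
    # sequences used as word gaps in the briefing's example.
    text = re.sub(r"(?<=[A-Za-z])-(?=[A-Za-z])", "", text)
    text = re.sub(r"-? -?", " ", text)
    text = re.sub(r"-+$", "", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def find_suspicious(text: str) -> list:
    """Plain substring rule, applied to the normalised text."""
    clean = normalise(text)
    return [p for p in SUSPICIOUS_PHRASES if p in clean]

# Constructed samples modelled on the obfuscation described above.
SAMPLES = {
    "hyphenated": "Please c-h-a-n-g-e- -y-o-u-r- -p-a-s-s-w-o-r-d- today",
    "zero_width": "Please chan\u200bge yo\u200cur pass\u200dword today",
    "html_split": "Please <span>chan</span><span>ge</span> your pass<b></b>word today",
    "fullwidth": "Please \uff43\uff48\uff41\uff4e\uff47\uff45 your password today",
    "benign": "Thanks for changing the meeting time",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:10} raw={name in ()} normalised={find_suspicious(msg)}")
```

A plain substring check on the raw text finds nothing in the first four samples; only the normalised form exposes the phrase.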
