Cyware Monthly Threat Intelligence

Monthly Threat Briefing • September 4, 2023
In response to escalating cybersecurity threats, and in a breakthrough for computer security, a team of researchers has introduced a new, highly efficient cipher designed to resist cache side-channel attacks. Along the same lines, CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan to help government organizations and SMBs mitigate the risks associated with RMM software. In addition, the White House has decided to work on a plan to modernize outdated IT systems in federal agencies.
Significant recent cybersecurity incidents have rocked the digital realm, especially in the cryptocurrency space. While Exactly and Harbor suffered substantial losses, FTX, BlockFi, and Genesis fell victim to a SIM-swapping attack pulled off at their common risk and financial advisory firm. A French national employment agency had the sensitive data of up to 10 million individuals compromised in the MOVEit hack. Moving on, an alarming discovery showed that more than 60% of Kubernetes clusters from over 350 organizations were targeted in an active cryptomining campaign.
Recent cybersecurity events are alarming, with evolving threats and notable developments. Microsoft's identification of BlackCat ransomware 2.0, incorporating Impacket and Remcom tools, amplifies detection challenges. Simultaneously, the Lazarus group's campaign against healthcare entities exploits ManageEngine vulnerabilities, distributing QuiteRAT malware akin to MagicRAT. Additionally, the TZW variant of Adhubllka ransomware has been targeting small entities, displaying similarities to multiple ransomware families.
A new mobile malware called Infamous Chisel infected the Android devices of the Ukrainian military in a campaign launched by the Russian Sandworm APT group. The malware consists of components that provide the attackers with backdoor access to infected devices for network monitoring and file transfer operations.
Microsoft discovered a new version of the BlackCat ransomware (version 2.0) that includes the Impacket networking framework and the Remcom hacking tool to facilitate lateral movement for attackers in target environments. Adding these tools only makes it harder for defenders to detect the ransomware.
After a two-year hiatus, the DreamBus botnet resurfaced in a new campaign to deliver Monero mining malware. The campaign exploited a recently patched vulnerability (CVE-2023-33246) in Apache RocketMQ that allowed attackers to perform remote code execution attacks.
The Lazarus group was found to be associated with a new campaign against healthcare entities in Europe and the U.S. In this campaign, the attackers are exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to distribute the QuiteRAT malware. The malware has many capabilities similar to MagicRAT, another malware from the Lazarus group.
A new version of Adhubllka ransomware, dubbed TZW, has been launching attacks since 2019 with lower ransom demands from small businesses and individuals. Studies conducted by researchers reveal that the ransomware shares similarities with LOLKEK, BIT, OBZ, and U2K ransomware families.
According to researchers at Aquasec, the Meow attack campaign has been revamped to target misconfigured Jupyter notebooks. Interestingly, the attackers use Python scripts to target databases, an unusual modus operandi they have maintained. While the attackers' infrastructure is still under investigation, a total of 1,283 distinct IP addresses have been targeted by them.
A new version of the Rilide info-stealer is targeting Chromium-based web browsers to steal sensitive information and cryptocurrency from users. The updated version overlaps with a malware strain tracked as CookieGenesis, and includes modules targeting Chrome Extension Manifest V3 as well as code obfuscation.
A newly discovered QwixxRAT (aka TelegramRAT) was found being advertised on Telegram and Discord platforms, boasting the ability to collect and exfiltrate a wide range of sensitive information. This includes data from browser histories, credit card details, FTP credentials, screenshots, and keystrokes. Written in C#, it includes a clipper code to capture cryptocurrency wallet information.
Sophos revealed that a threat actor linked to the FIN8 hacking group is exploiting a critical vulnerability in Citrix NetScaler systems to launch domain-wide attacks. The vulnerability under abuse, in Citrix NetScaler ADC and NetScaler Gateway, is tracked as CVE-2023-3519 and can allow attackers to achieve remote code execution.
Cybercriminals behind Smoke Loader malware have been found dropping a new Wi-Fi scanning malware called Whiffy Recon. The malicious code locates the position of infected devices using nearby Wi-Fi access points, thus helping attackers carry out further attacks.
ESET researchers observed a new phishing campaign aimed at collecting the credentials of Zimbra account users. Active since April, the campaign was carried out via phishing emails notifying recipients about an email server update and directing them to a fake Zimbra web login page that steals their credentials.