
Cyware Monthly Threat Intelligence

Monthly Threat Briefing Jan 7, 2021

The Good

Building a resilient cybersecurity framework is now more crucial than ever for organizations of all sizes. In this light, Google publicized Atheris—a tool to assist developers in identifying vulnerabilities—last month. The tech giant also rolled out a new feature that warns Chrome users of compromised passwords, along with other security measures. Further, cyber experts at NIST laid out security guidelines for IoT devices used within federal information systems.

  • Google security experts open-sourced a fuzzing tool, named Atheris, to help developers find security vulnerabilities and patch them before attackers abuse them. The tool supports Python 2.7, 3.3+, and native extensions created with CPython.

  • Last month, Google reportedly worked on Chrome’s Safety check feature that would alert users if their passwords were discovered in data breaches. This feature comes as a warning against weak passwords.

  • The NIST drafted a set of guidelines for federal agencies on improving security for IoT devices. The four new documents are drafted with the goal of integrating IoT devices into the security and privacy controls of federal information systems.

  • Apple, Cloudflare, and Fastly co-designed a new DNS standard to address the privacy issues faced by DNS. The new standard would separate IP addresses from queries to mask requests and make it harder for attackers to track users online.

  • CISA’s Cloud Forensics team released a PowerShell-based tool, dubbed Sparrow, that is capable of detecting potentially compromised applications and accounts in Azure/Microsoft 365 environments.

The Bad

All’s well that ends well. That cannot be said in this case, as hackers breached the Texas-based IT monitoring company SolarWinds. The supply chain attack impacted several top federal agencies and Fortune 500 companies. Moreover, researchers uncovered a cyberespionage campaign that compromised the iPhones of dozens of Al Jazeera employees, allegedly by the Israel-based NSO Group. In another vein, an extensive Emotet campaign crippled Lithuania’s National Center for Public Health (NVSC) and several municipalities.

  • Last month witnessed a massive supply chain attack on the SolarWinds Orion platform, used by several U.S. government agencies and private firms such as Boeing, AT&T, and Ford. Microsoft stated that the ultimate purpose of the actors behind the SolarWinds supply chain attack was to access victims’ cloud assets after deploying the Solorigate backdoor on their local networks.

  • REvil (Sodinokibi) ransomware actors claimed to have exfiltrated about 600 GB of documents from The Hospital Group and published a sample database, threatening to release before-and-after pictures of celebrity clients.

  • Vodafone-owned Ho Mobile suffered a data breach after an actor allegedly dumped about 2,500,000 customer records and other data on a hacker forum. Besides customers’ PII, the leaked information included SIM card PUK codes, ICCID numbers, IMSI numbers, and various base64-encoded hashes.

  • Fashion marketplace app 21 Buttons exposed over 50 million private files belonging to hundreds of influencers across Europe via a misconfigured AWS cloud storage bucket. Researchers discovered invoices for commissions paid by 21 Buttons to the influencers.

  • Broker business Freedom Finance allegedly leaked 12 GB of confidential data on around 16,000 clients to darknet forums after an employee fell for a phishing email. The attackers succeeded because the employee opened the email despite the security warning.

  • At least 36 employees of Al Jazeera were targeted in a cyberespionage campaign that leveraged an invisible zero-click iOS exploit called KISMET to hack into their iPhones. The spyware was traced back to the Israel-based cyber intelligence company NSO Group (previously criticized for selling spyware to governments).

  • ThreatNix unearthed a phishing campaign on Facebook affecting 615,000 users in Egypt, the Philippines, Pakistan, and Nepal. Criminals used ads to steal user credentials. The campaign redirected users to GitHub, where the actual phishing pages were hosted.

  • Cybercriminals compromised the DNS server of cryptocurrency firm Voyager Digital in a cyberattack that halted trading activities. The company tweeted that no funds or personal information were compromised.

  • More than 250,000 databases were compromised in an ongoing ransomware attack that abused weak credentials on MySQL servers. The campaign was launched in January and, to date, 83,000 victims have been targeted.

  • The Netherlands-based staffing agency Randstad was hit by the Egregor ransomware gang, which breached its IT systems. The hackers published some internal corporate data, including financial reports and legal documents, in an extortion attempt.

  • A large-scale Emotet campaign infected the systems of Lithuania’s National Center for Public Health (NVSC) and several municipalities. As per reports, infected computers started sending fake emails or engaging in various types of malicious activities.

  • nTreatment inadvertently exposed thousands of medical records online after it failed to add password protection to a cloud server. The misconfigured server included medical records, doctors’ notes, insurance claims, lab test results from third-party providers, and other sensitive patient information.

New Threats

Meanwhile, healthcare continued to flounder due to external as well as insider threats. A research group found 45 million medical images—including X-rays and CT scans—exposed on unprotected servers, while the Emotet group launched COVID-19-related phishing campaigns. Elsewhere, several threats including APTs, malware, and vulnerabilities made the final month of 2020 a bit challenging for security teams.

  • Unprotected online storage devices tied to hospitals and medical centers all over the world left 45 million medical scans exposed to the internet. Not only were these scans available online over the past twelve months, but malicious actors had also accessed those servers and planted what appeared to be malware.

  • Group-IB uncovered a cybercriminal gang, dubbed UltraRank, targeting more than a dozen e-commerce sites to steal payment card data in a new campaign. Over the last five years, the cybercriminal group has targeted more than 700 e-commerce sites as well as 13 third-party suppliers in North America, Europe, Asia, and Latin America.

  • Sansec warned of a multi-platform credit card skimmer that can target online stores running on Shopify, BigCommerce, Zencart, and WooCommerce. The skimmer displayed a bogus payment form that convincingly recorded customer keystrokes before they reached the actual checkout page.

  • Financial institutions in the U.S. and Canada were reported to be at greater risk from a new credential stealer—written in the AutoHotkey (AHK) scripting language—that targeted browsers such as Chrome, Opera, and Microsoft Edge.

  • New variants of AgentTesla, the Gitpaste-12 botnet, and SystemBC were observed in several attack campaigns. These variants were designed to target more devices with additional capabilities.

  • Security experts uncovered APT28, a Russia-linked cyberespionage gang, leveraging COVID-19 phishing lures to disseminate the Go version of its Zebrocy malware. The lure was delivered as part of a Virtual Hard Disk (VHD) file that can be opened only by Windows 10 users.

  • After a two-month hiatus, the Emotet botnet returned around Christmas, targeting unsuspecting users with Christmas- and COVID-19-themed campaigns. Reports suggested that the group behind Emotet was hitting 100,000 targets per day.

  • Critical vulnerabilities discovered in D-Link routers make them susceptible to zero-day attacks. The flaws include an unauthenticated remote LAN/WAN root command injection (CVE-2020-25757), an authenticated root command injection (CVE-2020-25759), and an authenticated crontab injection (CVE-2020-25758).

  • A new biohacking technique was reported that has the potential to disrupt operations in the biological research sector. The attack focuses on infecting a biologist’s computer with malware and, at the same time, replacing substrings in DNA sequences sent for synthesis.

  • A new strain of the RANA Android malware was spotted spying on Telegram, WhatsApp, Skype, and other instant messaging platforms. The malware has been linked to the Iranian cyberespionage group APT39 and possesses new surveillance functionalities.

  • Cisco Talos detected two RCE bugs—CVE-2020-7559 and CVE-2020-7560—in Schneider Electric EcoStruxure. These bugs could be abused by sending the target a specially crafted network request or project archive.
