
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Jan 2, 2023

The Good

Quantum computing will change cryptography as we know it. The U.S. President signed a bipartisan law setting out post-quantum cybersecurity guidelines for federal agencies. Investments in cybersecurity are on the rise: the U.S. Congress set aside $2.9 billion for cybersecurity initiatives in the FY2023 spending bill. In the wake of rising cyberattacks in France, the government announced a plan to train all staff at its most important health facilities under a new initiative by May 2023.

  • President Joe Biden signed the Quantum Computing Cybersecurity Preparedness Act into law to push federal agencies to adopt technology protected from decryption by quantum computers. The law will help organizations protect their systems against quantum-enabled threats.

  • The FTC and the HHS updated their Mobile Health App Interactive Tool to improve the data security of patients. The tool is for anyone developing a mobile app to understand the implications of collecting and misusing the PHI of patients. It also helps developers navigate the patchwork of different laws that may be applicable while building mobile apps to ensure that any sensitive health information is protected accordingly.

  • About $2.9 billion has been allocated to the CISA for the fiscal year 2023. With the given budget, the CISA aims to improve emergency communications preparedness and strengthen civilian and government networks. A portion of the amount will also be used for CISA’s advanced cybersecurity operations.

  • The French government has announced a vast training program to help hospitals and medical facilities protect themselves against cyberattacks. The development comes following repeated attacks against hospitals that saw either hackers damaging their critical infrastructures or stealing patients’ sensitive data.

The Bad

Financial and healthcare institutions remained the sectors hit hardest by cyberattacks. The California Department of Finance and crypto platforms such as 3Commas, BitKeep, and BTC[.]com were added to the long list of hacks that took place last year in the crypto world. Victims in healthcare include Lake Charles Memorial Health and a hospital in Riverside County, California. In addition, security analysts exposed an investment scam group that victimized at least 40 firms in fintech, cryptocurrency, and asset management services.

  • The Royal ransomware group claimed responsibility for a cyberattack against telecommunications company Intrado. As proof of the breach, the gang shared a 52.8MB archive containing scans of passports, business documents, and driver’s licenses of employees.

  • The California Department of Finance confirmed that it suffered a security breach, hours after the LockBit ransomware gang listed the agency as a victim on its dark web leak site. The gang set a Christmas Eve deadline to avoid the publication of more than 500GB of stolen files.

  • Restaurant CRM platform SevenRooms confirmed suffering a data breach after a hacker claimed to have stolen 427GB of customer records and leaked a sample on a cybercrime forum. The leaked sample included folders named after big restaurant chains that are SevenRooms clients, as well as API keys, promo codes, payment reports, reservation lists, and more.

  • A hospital in California’s Riverside County reported a data breach that impacted its patients’ sensitive information, such as Social Security numbers and medical information. According to the notice, the hackers had unauthorized access to the data between October 29 and November 10.

  • The details of more than 70,000 Uber employees have reportedly been leaked online, marking another data breach for the company this year. The incident occurred after a threat actor targeted a third-party software provider, Teqtivity, used by Uber for IT asset management services.

  • Members of the North Korean Kimsuky cyberespionage group have been found impersonating think tank members to reach out to political and foreign affairs analysts. The group was also linked to a new spear-phishing campaign aimed at nearly 900 foreign policy experts in South Korea.

  • Australian telecommunications giant TPG revealed that emails of 15,000 iiNet and Westnet business customers were breached as hackers looked for cryptocurrency and other financial information. Investigation into the incident is underway. However, the breach did not affect mobile or broadband services.

  • Comcast Xfinity accounts were hijacked through credential stuffing attacks that bypassed 2FA protection. This enabled the attackers to use the compromised customer accounts to reset passwords on other sites, such as Coinbase and Gemini.

  • The Play ransomware group claimed to have stolen an unconfirmed amount of data from H-Hotels and recently listed the company as a victim on its Tor site. It allegedly pilfered private and personal data, including client documents, IDs, passport data, and more. While H-Hotels denied the possibility of data exfiltration last week, the hackers have so far failed to present any proof.

  • Several crypto platforms, including BTC[.]com, 3Commas, and BitKeep, lost millions to cybercriminals in separate hacking incidents. BTC[.]com lost approximately $3 million worth of crypto assets. 3Commas suffered a massive API key leak affecting users of KuCoin, Coinbase, and Binance. Hackers exploited BitKeep wallets to steal around $8 million worth of assets.

  • Popular authentication services and IAM solutions provider Okta suffered a breach impacting its private GitHub source code repositories. The company said attackers could not access the Okta service or its customers’ data.

  • Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor. The attack occurred in October.

  • Lake Charles Memorial Health System in Louisiana disclosed that the personal data of nearly 270,000 patients were accessed in an October ransomware attack. This included patients’ health insurance information, medical records, and Social Security numbers.

  • A previously unknown investment scam group named CryptosLabs has reportedly stolen up to $505 million from victims in France, Belgium, and Luxembourg. The group has been active since 2018 and has targeted over 40 companies in fintech, cryptocurrency, and asset management services.

New Threats

Researchers took the wraps off an offensive marketplace, InTheBox, that has been selling 400+ custom web injects to other criminals. New ransomware strains Cryptonite and CatB and a new info-stealer dubbed RisePro surfaced last month. Meanwhile, the Xnspy spyware app was found laced with flaws exposing the personal data of iPhone and Android users.

  • The recently discovered Cryptonite ransomware was observed in the wild acting as a wiper against Microsoft Windows users. The malware implements the common functionality of ransomware, but it never offers a decryption key, so encrypted files cannot be recovered.
  • Resecurity researchers shared details of a darknet marketplace, called InTheBox, which offers over 400 custom web injects to launch mobile malware attacks. Web injects enable attackers to serve malicious HTML or JavaScript code in the form of an overlay screen and steal information when victims launch banking, crypto, and e-commerce apps.
  • A new Go-based botnet called Zerobot was found exploiting dozens of vulnerabilities in IoT devices to expand its network. The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
  • A new obfuscation service called Zombinder was discovered in a campaign employing several trojans, including Ermac, to target both Android and Windows systems. It is used to bind malicious payloads to a legitimate application.
  • The Formbook malware made a comeback in a campaign that used trojanized OneNote documents. The malware can steal data from various web browsers and other applications. It also has keylogging capabilities.
  • FortiGuard Labs encountered a Golang-based botnet named GoTrim that utilizes a bot network to perform distributed brute-force attacks against WordPress and OpenCart sites. The botnet campaign began in September and is still ongoing.
  • A malicious stalkerware app called Xnspy was found stealing and leaking data from tens of thousands of iPhones and Android devices. Once installed, the app silently pilfered call records, browsing history, location data, text messages, and photos from victims’ phones.
  • Experts from American universities demonstrated a new attack technique that could be used to eavesdrop on smartphone users. Called EarSpy, the technique relied on motion sensor data arising from the echo of speakers in Android phones.
  • A newly identified CatB ransomware group has been found implementing several anti-VM and DLL hijacking techniques to evade detection. The ransomware is believed to have a connection with Pandora ransomware.
  • A new info-stealer named RisePro has garnered popularity on the illicit dark web forum called Russian Market. The malware is a clone of Vidar stealer and has been designed primarily to steal credentials and exfiltrate them in the form of logs.
  • The CISA added two-year-old security flaws affecting TIBCO Software’s JasperReports products to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, tracked as CVE-2018-5430 and CVE-2018-18809, are an information disclosure vulnerability and a directory traversal vulnerability, respectively.
  • A new Android malware, dubbed BrasDex, was spotted targeting Brazilian users in a new campaign. Developed by threat actors behind the Casbaneiro banking trojan, the malware possesses a complicated keylogging capability that abuses Android Accessibility Services and pilfers credentials from a set of Brazilian banking apps.
