
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Aug 2, 2022

The Good

Cybercriminals are expected to catch up quickly with the security protocols that quantum computers will bring. In response, the NIST has finalized the first four quantum-resistant cryptographic algorithms, the result of a selection process that ran for nearly six years. Meanwhile, the collection of sensitive personal data by tech firms, ostensibly to serve us better, is backfiring because of the shadowy ad tech and data broker ecosystem. This has prompted the FTC to caution tech firms against sharing such sensitive data with third parties.

  • The exploitation of sensitive data, including users' browsing behavior, healthcare data, and precise location, is rising with each passing day. The U.S. Federal Trade Commission (FTC) has issued a warning that it will take action against tech companies that illegally use and share highly sensitive user data. The agency aims to use the full scope of its legal authority to protect consumers’ privacy.

  • Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities. Phones running Android 11 and higher versions are expected to use DoH3 instead of DNS-over-TLS (DoT), which came with Android 9.0.

  • After six years, the NIST handpicked four encryption algorithms—CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+—that are designed to withstand attacks from quantum computers. CRYSTALS-Kyber is intended for general encryption, such as securing access to websites, while the other three are for digital signatures. These algorithms will also help safeguard critical everyday systems such as online banking and email software.

  • The U.S. federal credit union regulator announced a new mandate to report cyber incidents. Under the proposed rule, federally chartered credit unions are required to report a cyberattack within 72 hours, and the requirement also applies to security breaches at third-party providers.

The Bad

The efforts to disrupt the Web3 universe are intensifying with each passing day. In the past month, security experts witnessed multiple decentralized protocols and platforms, including Uniswap, Crema Finance, Audius, and Premint, lose tens of millions of dollars altogether. Meanwhile, researchers reported European cyber mercenaries dropping Subzero surveillance malware on the networks of entities in Central America and Europe. In other news, the virtual pets website Neopets fell victim to a breach affecting millions of people worldwide.

  • The FBI issued a warning about cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. The scammers convince users to install fake apps and deposit funds into wallets allegedly linked to the victims' accounts. Cybercriminals defrauded at least 244 investors, pilfering roughly $42.7 million.

  • The decentralized music platform Audius was hacked, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. The hacker exploited a bug in the contract initialization code to launch the hack.

  • Austrian hack-for-hire company DSIRF, along with the Knotweed gang, was spotted abusing multiple bugs in Windows and Adobe software products in a targeted attack campaign against European and Central American individuals. The Private-Sector Offensive Actor (PSOA) drops a surveillance tool known as Subzero. The malware can be used to hack phones, computers, and IoT devices.

  • American Marriage Ministries (AMM) disclosed a data breach that affected the data of about 185,000 officiants and 15,000 married couples, as well as their wedding guests. The breach was caused by an unsecured Amazon S3 bucket that contained around 630GB of data.

  • Solana-based liquidity protocol Crema Finance lost more than $8.78 million worth of cryptocurrencies after hackers attacked the platform. The attackers used the well-known flash loan technique to manipulate asset prices before draining the assets.

  • Microsoft researchers revealed that a large-scale phishing attack campaign has targeted more than 10,000 organizations since September 2021. The campaign used the Evilginx2 phishing toolkit to construct phishing pages, bypass MFA, and steal credentials and session cookies from Office 365 users.

  • Professional Finance Company disclosed a ransomware attack that impacted the private data of around 1.9 million people associated with hundreds of U.S. hospitals, medical clinics, and dental firms. The debt collection firm revealed that the criminals were able to access files from more than 650 healthcare providers.

  • Threat actors compromised the official website of Premint NFT and stole 314 NFTs, worth approximately $375,000. Six primary externally owned accounts (EOAs) are associated with the attack, two of which hold Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.

  • Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.

  • Neopets, a virtual pets website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.

  • The Marriott hotel chain suffered another data breach incident that allowed attackers to exfiltrate around 20GB of data, including customer credit card details. Threat actors used social engineering techniques to trick an employee into providing access to their computer.

  • About 4295 ETH (approximately $4.6 million at the time of reporting) was stolen in a phishing attack on the Uniswap cryptocurrency exchange. The attackers exploited the Uniswap V3 protocol on the ETH blockchain to launch the attack.

  • Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and Dropbox, to target a number of Western diplomatic missions, including the foreign embassies of Portugal and Brazil. The group’s phishing technique involves a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.

New Threats

Phishers and scammers are following the ebbs and flows of the threat landscape. A highly successful phishing campaign was observed stealing banking data from customers of Bank of America, Capital One, Citibank, Wells Fargo, and others. Linux systems continue to draw the attention of cybercriminals as OrBit and Lightning Framework join the ranks of fresh threats against the open-source, community-developed operating system. That’s not all. The introduction of new malware strains, such as Autolycos, HavanaCrypt, and Checkmate, has stirred anxiety among researchers.

  • A new malware family, masquerading as cleaner apps, infected over 1 million users across the globe. These apps are distributed via the Google Play Store. Once executed, the malware displays unwanted advertisements and runs malicious payloads without the users' knowledge.
  • Multiple DHL phishing pages were found exfiltrating users’ personal data via a Telegram bot. The fake pages use design elements like colors, fonts, and styles found on a typical DHL tracking page to convince victims that it’s legitimate in nature.
  • A new macOS malware, CloudMensis, was observed gathering information from the victims’ systems by exfiltrating documents, keystrokes, and screen captures. Developed in Objective-C, the spyware uses public cloud storage services to communicate back and forth with its operators.
  • Lightning Framework emerged as a new threat that targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. The malware masquerades as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
  • QNAP warned customers about a new Checkmate ransomware campaign aimed at its NAS devices. The ransomware employs dictionary attacks to break into accounts with weak passwords. It appends the .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.
  • A total of 53 fake apps on the Google Play Store were spotted distributing the Joker, FaceStealer, and Coper malware strains. These apps, which posed as SMS, photo editor, blood pressure monitor, emoji keyboard, and translation apps, were downloaded over 300,000 times.
  • A new threat group named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army, is actively selling Cybercrime-as-a-Service on Telegram and dark web forums. The services include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access.
  • Trend Micro identified over a thousand malicious repositories and more than 550 code samples that abused GitHub Actions to mine cryptocurrency in an automated attack. The attack involved threat actors forking a legitimate repository that has GitHub Actions enabled. This allowed them to inject malicious code into legitimate repositories.
  • A new phishing-as-a-service (PhaaS) platform is being sold to cybercriminals aiming to gain access to the financial information of individuals residing in the U.S., the U.K., Canada, and Australia. The toolkit is tracked as Robin Banks and was utilized in a large-scale phishing campaign observed in June.
  • Another new malware targeting the Linux operating system named OrBit is primarily designed to drop malicious payloads. It implements advanced evasion capabilities to gain persistence on targeted machines. The main goal of the backdoor is to steal information by hooking the read and write functions.
  • A new ransomware family, dubbed HavanaCrypt, makes use of a fake Google Software Update application to propagate across systems. Additionally, it uses a Microsoft web hosting service IP address for its command-and-control traffic to circumvent detection.
  • A new Android malware family named Autolycos was discovered in at least eight Android applications, two of which are still available on the Google Play Store. By the time of reporting, the malware had infected over 3 million users and is capable of harvesting data from mobile devices.
  • Researchers reported a new malware attack campaign that exploited the known Follina vulnerability to distribute a backdoor dubbed Rozena. The malware is capable of establishing a remote shell connection back to the attacker’s machine.
