
Cyware Monthly Threat Intelligence

Monthly Threat Briefing June 2, 2022

The Good

Online scams happen in a myriad of ways and they keep getting trickier. To protect users from scams, the Singapore government introduced a scheme for online marketplaces that rates them on the type of anti-scam protection they deploy. Still, the worst case is when hackers find a security gap in your systems before you do. To tackle that, researchers devised a tool that helped spot 134 bugs in apps, including Microsoft Word and Adobe Acrobat, by scrutinizing the way these apps process JavaScript.

  • Researchers at the Chinese Academy of Sciences devised a tool called Cooper (named for its cooperative mutation technique) that identifies flaws in how apps such as Microsoft Word and Adobe Acrobat process JavaScript. They reported 134 bugs in total. Cooper has three components: object clustering, relationship inference, and relationship-guided mutation.

  • Singapore launched E-commerce Marketplace Transaction Safety Ratings, a scheme that assesses online marketplaces based on the type of anti-scam measures they take. It also set up the National Integrated Center for Evaluation (NICE) to evaluate and certify systems for cybersecurity strength.

  • The U.K. government published the 2022 Civil Nuclear Cyber Security Strategy for the country’s civil nuclear sector. It focuses on more testing, design-based security, enhanced resilience, and improved collaboration; the nuclear industry aims to achieve enhanced resilience by preparing better for incidents and responding to them faster.

  • The U.S. announced the launch of the Joint Ransomware Task Force, which will be headed by the CISA and the FBI. The main purpose of the task force is to disrupt ransomware activities and confiscate crypto assets routed through the blockchain.

  • NIST released updated cybersecurity guidance for managing risks by identifying, assessing, and responding to threats at different stages of the software supply chain. Last month, it also released updated guidance that caters to everyone, from small businesses to large enterprises, with tools to ensure appropriate cybersecurity measures for cloud computing users.

The Bad

Lately, VPN and network access credentials for the U.S. higher education sector have been in high demand on underground hacker forums, and several schools and universities reported breaches in the past month. Lincoln College shut down, with a ransomware attack partly responsible. We also witnessed attacks on hospital facilities, the Costa Rican government, General Motors, and more.

  • The FBI found that hackers are increasingly targeting the higher education sector and that more credentials are being offered on multiple public and dark web marketplaces. In its warning, it also stated that some VPN and network access credentials are being sold for thousands of dollars.

  • Pennsylvania-based Mercyhurst University was reportedly breached by the LockBit 2.0 gang. Chicago Public Schools disclosed a data breach that occurred due to a ransomware attack at a third-party vendor. An attack at Washington Local Schools rattled several of its online operations, including Google Classroom.

  • A hacker demanded a reward of $250,000 in exchange for the data stolen from a database belonging to Verizon. The stolen data includes full names, corporate ID numbers, email addresses, and phone numbers of employees.

  • U.S. automobile giant General Motors confirmed a credential stuffing attack that occurred last month. As a result, the hackers were able to access customer information and redeem gift card reward points. The firm advised victims to review their credit reports and initiate a security freeze if they notice any irregularities.

  • The SafetyDetectives team discovered a misconfigured Elasticsearch server that leaked 147GB of data for millions of microloan applicants from Ukraine, Kazakhstan, and Russia. Researchers attribute the ownership of the server to a Russian entity.

  • A server at Nikkei Group Asia, an overseas subsidiary of Nikkei Inc. based in Singapore, was compromised in a ransomware attack. Unauthorized access to the server was first detected and reported on May 13. The server supposedly stored some customer data; however, the exact impact of the attack is yet to be determined.

  • The new Costa Rican President declared that the country was at war with the Conti cybercriminal group. Officials had reportedly refused to pay the $20 million ransom demanded by the group, while Conti threatened to topple the government with cyberattacks. It was subsequently reported that the group split into smaller groups and that its infrastructure no longer exists.

  • Lincoln College closed amid efforts to recover from a ransomware attack coupled with pandemic-related economic challenges. The 150-year-old college was hit by ransomware on December 19, which affected the IT systems used by its recruitment, retention, and fundraising departments. The system outage lasted for one and a half months.

  • The Washington University School of Medicine, Toronto-based Scarborough Health Network (SHN), and Oklahoma City Indian Clinic (OKCIC) disclosed disparate breach incidents impacting the PII and medical records of thousands of individuals in total.

  • A hacker group broke into user accounts on the wedding planning website Zola through a credential stuffing attack and attempted to initiate fraudulent cash transfers. A Reddit user claimed that cracked Zola accounts were being resold or used to buy gift vouchers.

  • An alleged data leak exposed the information of 22.5 million Malaysians born between 1940 and 2004. The database, 160GB in size, was seemingly stolen from the National Registration Department (NRD) and put up for sale on the dark web for $10,000. However, Malaysia's Home Minister claimed that NRD isn’t related to the alleged data breach.

  • Rari Capital and Fei Protocol suffered a major loss after threat actors stole more than $80 million from both platforms. The hackers exploited a reentrancy vulnerability in Rari’s Fuse lending protocol to hack the platforms. Rari Capital acknowledged the hack, adding that borrowing was paused globally and no further funds were at risk.

  • The Bank of Zambia experienced a ransomware attack by the Hive group that disrupted some of its operations. Officials have urged businesses in the financial sector to stay alert as the incident might impact them. Also, the bank reportedly refused to pay the ransom.

  • Microsoft revealed that it discovered over 35 unique ransomware families and 250 unique threat actors last year. Most of these ransomware operations leveraged Cobalt Strike and several legitimate enterprise tools (AnyDesk, Splashtop, and TeamViewer) to gain initial access and persistence on networks. Upon gaining access, most of the attackers create new backdoor user accounts before proceeding with the rest of the infection chain.

  • A misconfigured database laid bare around 10GB of data comprising 21 million unique records, which were shared in a Telegram group. The unprotected database contained the personal data of VPN users from SuperVPN, GeckoVPN, and ChatVPN. Another unprotected Elasticsearch server exposed around 5.8GB of financial information about loans from Indian and African financial services.
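The General Motors and Zola incidents above share one pattern: a source cycling through many different usernames with leaked password pairs, most of which fail. As an added example (not from the Cyware briefing or from any of the affected organizations), the following Python detector flags that pattern over constructed sample login audit lines; the log format, the thresholds, and the field names are assumptions.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample of a web application's login audit log (not real data).
SAMPLE_LOG = """\
2022-05-10T12:00:01Z login src=203.0.113.7 user=alice result=FAIL
2022-05-10T12:00:02Z login src=203.0.113.7 user=bob result=FAIL
2022-05-10T12:00:03Z login src=203.0.113.7 user=carol result=OK
2022-05-10T12:00:04Z login src=203.0.113.7 user=dave result=FAIL
2022-05-10T12:00:05Z login src=203.0.113.7 user=erin result=FAIL
2022-05-10T12:00:06Z login src=203.0.113.7 user=frank result=FAIL
2022-05-10T12:01:00Z login src=198.51.100.20 user=alice result=FAIL
2022-05-10T12:01:10Z login src=198.51.100.20 user=alice result=FAIL
2022-05-10T12:01:20Z login src=198.51.100.20 user=alice result=OK
2022-05-10T12:02:00Z login src=198.51.100.21 user=bob result=OK
"""

# Assumed log line layout; adapt the regex to the real application's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)
Event = namedtuple("Event", "ts src user ok")

def parse_auth_log(lines):
    """Yield Event tuples; lines that do not match the assumed format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield Event(ts, m["src"], m["user"], m["result"] == "OK")

def detect_credential_stuffing(lines, window_minutes=5, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct usernames within a short window and
    mostly fail. A brute force against one account, or a user mistyping a
    password a few times, touches only one username and is not flagged.
    Returns {src: summary} for every source that crossed the thresholds."""
    by_src = defaultdict(list)
    for ev in sorted(parse_auth_log(lines), key=lambda e: e.ts):
        by_src[ev.src].append(ev)
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for src, events in by_src.items():
        left = 0
        for right, ev in enumerate(events):
            while ev.ts - events[left].ts > window:  # slide the window start forward
                left += 1
            win = events[left:right + 1]
            users = {e.user for e in win}
            failures = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                alerts[src] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": failures,
                    # accounts the source actually got into: force a reset and MFA
                    "compromised": sorted(e.user for e in win if e.ok),
                }
    return alerts

if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

The successes inside a flagged window are the accounts to act on first: they were opened with a valid, reused password, so a reset and a step-up check matter more than blocking the source address.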

New Threats

Cyber threats continue to surge in the form of new critical bugs, new malware, and adversaries launching new cybercrime services such as the Eternity Project. Security researchers also noted a nearly invisible cyberespionage threat that deploys a previously unreported backdoor and has strong persistence techniques.

  • Trend Micro reported multiple deployments of a new ransomware family, dubbed Cheerscrypt, found targeting one of its customers’ ESXi servers used to manage VMware files. The malware family employs the double extortion scheme to pressure victims. Other ransomware actors, including LockBit, Hive, and RansomEXX, have previously targeted similar environments.
  • Red Canary researchers noted a surge in ChromeLoader malware, which uses a malicious ISO archive file to infect its victims. It comes packaged as cracked executables for games or commercial software. Researchers also witnessed instances in which hackers promoted cracked Android games and offered QR codes on Twitter that led to the malware-hosting sites.
  • A new password-stealing malware builder is being sold on Discord by a user named ‘Portu’. Security experts observed the first Portu-derived malware sample, dubbed KurayStealer, in the wild, where it is being used to target Discord users. It also uses webhooks to steal passwords, tokens, and IP addresses from 18 other apps.
  • A researcher from Microsoft Security Response Center and an independent researcher warned that cybercriminals are abusing vulnerabilities that were already fixed for platforms like Instagram, LinkedIn, Zoom, WordPress, and Dropbox. These bugs can be exploited to hijack the online accounts of users even before they create or register them.
  • A security researcher uncovered a method to exploit a recently patched deserialization flaw in Microsoft SharePoint to conduct Remote Code Execution (RCE) attacks. Microsoft patched the flaw, identified as CVE-2022-29108, in May’s Patch Tuesday updates. The researcher found that another bug in Microsoft SharePoint Server, tracked as CVE-2022-22005, could be used to trigger the same attack.
  • Google's TAG reported that a threat actor is developing exploits for five zero-days, four in Chrome and one in Android, to infect Android users. The adversary is believed to be packaging and selling the exploits to different government-backed criminal groups across multiple countries; those groups were spotted weaponizing the bugs in at least three different campaigns.
  • VMware alerted organizations about two critical bugs, tracked as CVE-2022-22954 (an RCE flaw) and CVE-2022-22960 (a privilege escalation flaw), that are allegedly under active exploitation by APT actors. They affect VMware Workspace ONE Access, vRealize Automation, and Identity Manager. The CISA also urged federal agencies to patch the flaws.
  • ShadowServer Foundation identified 381,645 Kubernetes API servers with an “unnecessarily exposed attack surface” located across the U.S., Southeast Asia, Western Europe, and Australia. A vast majority of the exposed instances are running versions 1.17 through 1.22 on the Linux/amd64 platform.
  • A new Linux malware, dubbed BPFdoor, was identified targeting Linux and Solaris systems. The malware can bypass firewalls, making it an ideal tool for corporate espionage and persistent attacks. It uses a Berkeley Packet Filter sniffer to parse ICMP, UDP, and TCP packets. Researchers have detected BPFdoor activity on networks of organizations in the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.
  • A new cybercrime service, named Eternity Project, emerged on Telegram and dark web marketplaces. The malware toolkit offers a variety of malware such as an info-stealer, a coinminer, a clipper, ransomware, a worm, and a DDoS-based bot. According to researchers, low-skilled threat actors can leverage the service to build their own malware.
  • New research reveals that the Bitter APT group added a new malware to target government organizations in Bangladesh. The campaign has been active since August 2021 and leverages spoofed email addresses to trick victims. The phishing emails appear to come from government organizations in Pakistan.
  • A new credit card stealing service, called Caramel, was spotted growing in popularity. Operated by a Russian cybercrime organization named ‘CaramelCorp,’ the skimmer-as-a-service can allow any low-skilled threat actor to get started with financial fraud. The skimmer service is capable of stealing credit card details and sending them back to remote servers to be collected by threat actors.
  • Researchers released details of an Apple Silicon vulnerability called Augury. It exists in Apple’s implementation of the Data-Memory Dependent Prefetcher (DMP). The microarchitectural flaw affects the M1, M1 Max, and A14 Bionic chips from Apple.
  • A new APT group, tracked as UNC3524, was found using IP cameras to deploy backdoors and steal Microsoft Exchange emails. The APT group primarily targets employees who focus on corporate development, mergers and acquisitions, and large corporate transactions. It also uses a backdoor, tracked as QUIETEXIT, that borrows code from the open-source Dropbear SSH client-server software to maintain persistence on infected networks.
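A sniffer that parses ICMP, UDP, and TCP straight off the wire, as the BPFdoor item above describes, needs a raw packet socket, and Linux lists every such socket in /proc/net/packet. As an added example (not from the Cyware briefing and not a vendor tool), the following Python hunt script correlates those sockets with the processes holding them so that a raw sniffer owned by something other than an expected capture tool stands out. The sample /proc data, the process names, and the allowlist are constructed assumptions.

```python
import os
import re
from collections import defaultdict

SOCK_RAW = 3  # /proc/net/packet "Type" column value for a raw packet socket

# Constructed sample of /proc/net/packet, not captured from a real host.
# Columns: sk RefCnt Type Proto(hex) Iface R Rmem User(uid) Inode
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a8b1c2d3e40 3      3    0003   2     1 0      0      41217
ffff9a8b1c2d3e41 3      2    0800   2     1 0      1000   41300
"""

# Constructed {pid: (comm, fd link targets)}, shaped like /proc/<pid>/comm
# plus readlink() on each entry of /proc/<pid>/fd. Names are placeholders.
SAMPLE_FD_TABLE = {
    412: ("unknown_daemon", ["/dev/null", "/dev/null", "socket:[41217]"]),
    1337: ("bash", ["/dev/pts/0", "socket:[52000]"]),
    2001: ("dhcp_client", ["socket:[41300]"]),
}

def parse_packet_sockets(text):
    """Map socket inode -> {type, proto, uid} for each AF_PACKET socket listed."""
    sockets = {}
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) >= 9:
            sockets[int(f[8])] = {"type": int(f[2]), "proto": int(f[3], 16), "uid": int(f[7])}
    return sockets

def socket_owners(fd_table):
    """Map socket inode -> set of pids whose fd table references it."""
    owners = defaultdict(set)
    for pid, (_comm, targets) in fd_table.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))].add(pid)
    return owners

def find_raw_sniffers(packet_text, fd_table, allowlist=frozenset()):
    """List processes holding a SOCK_RAW packet socket, skipping allowlisted comm names."""
    owners = socket_owners(fd_table)
    hits = []
    for inode, info in parse_packet_sockets(packet_text).items():
        if info["type"] != SOCK_RAW:
            continue  # SOCK_DGRAM packet sockets (e.g. DHCP clients) are not sniffers
        for pid in sorted(owners.get(inode, ())):
            comm = fd_table[pid][0]
            if comm not in allowlist:
                hits.append({"pid": pid, "comm": comm, "inode": inode,
                             "proto": info["proto"], "uid": info["uid"]})
    return hits

def read_live_fd_table():
    """Build the fd table from a live Linux /proc (root needed to see other users' fds)."""
    table = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            fd_dir = f"/proc/{pid}/fd"
            targets = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:
            continue  # process exited or permission denied
        table[int(pid)] = (comm, targets)
    return table
```

On a Linux host, pass the contents of /proc/net/packet and read_live_fd_table() to find_raw_sniffers() with an allowlist of the capture tools you expect there; a raw packet socket held by an unfamiliar process, especially one running as uid 0, is the lead to chase.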
