
Cyware Monthly Threat Intelligence

Monthly Threat Briefing Dec 1, 2022

The Good

Given the ongoing wave of cyber incidents worldwide, innovation and research are the need of the hour. Significant progress toward securing mobile phones and cloud-based services was presented in the form of a new cryptographic tool at the Crypto ’08 conference. The healthcare sector, especially, continues to face a barrage of cyberattacks; the Food and Drug Administration and MITRE jointly rolled out a new response playbook for security incidents involving key medical devices.

  • A team of scientists from Johns Hopkins University and NTT Research proposed a new approach to build One-Time Programs (OTPs) using commodity hardware found in mobile phones and cloud computing services. Such programs are purported to have multiple uses, including preventing brute-force attacks and strengthening various authentication methods.

  • MITRE Engenuity’s Center for Threat-Informed Defense (CTID) released an updated version of the Attack Flow project, which would allow defenders to gain better visibility into a potential threat. The project will help security teams easily describe, display, and share sequences of adversary behavior.

  • The FDA and MITRE released an updated version of the ‘Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.’ The playbook provides healthcare organizations with actionable strategies and resources to respond to cyber incidents while ensuring the security of medical devices.

  • The CISA updated its Infrastructure Resilience Planning Framework (IRPF) with new tools and guidance to help state, local, tribal, and territorial (SLTT) entities counter evolving cyber threats. The framework was released last year and can be used by any organization to improve resilience planning.

The Bad

Network intrusions and data exposure incidents are symptoms of insufficient cyber readiness among organizations and individuals alike. For example, customers of online sports betting firm DraftKings suffered a wave of credential stuffing attacks. In another story, the new BEC scammer group Crimson Kingsnake impersonated well-known international law firms; researchers attributed 92 domains to the group. Experts also took the wraps off the OPERA1ER threat group, which milked at least $11 million in nearly 30 attacks in Africa.

  • Sports betting company DraftKings suffered a credential stuffing attack that led to a loss of up to $300,000. The firm claims that the hackers accessed customers’ accounts using login information that had been compromised on other websites. It has urged users to enable 2FA to secure their accounts and has assured them that it will make up for the lost funds.

  • File-sharing and synchronization service Dropbox disclosed a phishing attack that enabled a threat actor to compromise the GitHub account of one of its employees. The attacker gained access to private repositories that stored API keys and personal information of some of its employees.

  • In an update on its data breach disclosure, Australian private health insurance provider Medibank revealed that the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. A ransomware gang known as BlogXX took credit for the attack and demanded a $10 million ransom payment. The gang also leaked the stolen sensitive details.

  • The LockBit ransomware group was found selling files stolen from German car parts giant Continental for $50 million. The hackers claim to have stolen a total of 40GB of files and screenshots. Cybercriminals further published the negotiation messages between them and the company’s representatives.

  • A cybercrime group named Crimson Kingsnake emerged in a new BEC attack campaign targeting well-known international law firms. The targeted firms include Allen & Overy, Deloitte, Dentons, Herbert Smith Freehills, and Lindsay Hart, among others. The threat actors impersonate lawyers sending invoices for overdue payment of services.

  • Ukrainian hacktivists claimed to breach the Central Bank of Russia, stealing around 2.6GB of files. The files contained details of the bank’s operations, its security policies, and the personal data of employees. Earlier this year, Anonymous published 35,000 pilfered documents from the bank.

  • A wave of spear-phishing attacks orchestrated by the Mustang Panda APT was used to target government, academic, foundations, and research sectors around the world. The infection routines led to the distribution of several malware payloads, such as TONEINS, TONESHELL, and PUBLOAD. The ultimate goal of the attackers was to steal sensitive documents and information.

  • A French-speaking cybercrime group tracked as OPERA1ER was spotted wreaking havoc worldwide for four years, between 2019 and 2021. It has been held responsible for 35 intrusions at different organizations across 15 countries, with most of the attacks targeting African banks. The group is suspected to have stolen more than $30 million.

  • Iranian state-backed actors exploited the Log4Shell vulnerability in a VMware system to compromise a federal agency. They exploited the vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

  • The Russian scooter-sharing service Whoosh confirmed a data breach that affected the data of 7.2 million customers. Reportedly, the data was found being sold on hacker forums along with other sensitive information such as promotion codes and payment card details.

  • Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites.

  • Online gamers were the target of a massive phishing campaign that leveraged YouTube videos offering cracked software for popular games. This cracked software distributed info-stealing malware to steal passwords, cookies, autofill information from browsers, and cryptocurrency wallet information.

  • Security experts exposed a dataset that appears to contain data on nearly 500 million WhatsApp users from 84 countries. The data is being sold on cybercrime forums for prices ranging from $2,000 to $7,000. The threat actor claims that the dataset includes over 32 million US user records.

New Threats

While the Emotet botnet made a comeback after a four-month hiatus, the RapperBot and Cloud9 botnets also made a fresh entry into the cyber landscape. Moreover, the infamous Lazarus group experimented with a new version of the DTrack malware last month and used it as an important asset in its operations. Critical infrastructure in Ukraine, East Asia, and Southeast Asia also came under major threat from the Chinese APT group Earth Longzhi, which has been sending spear-phishing emails.

  • The China-based Cicada hacking group, aka APT10, was observed using a new version of the LODEINFO backdoor to infect Japanese organizations. The malware was distributed by abusing security software. It uses the XOR algorithm as part of its evasion techniques. The targeted entities include media groups, diplomatic agencies, and think tanks in Japan.

  • A new clipboard stealer called Clipper, capable of imitating cryptocurrency wallet addresses, was sold at a price of $549 for a year. Researchers have spotted the use of the malware in the wild, with 55 attacks in a month. It is distributed via Smoke Loader and Raccoon Stealer 2.0.

  • The Emotet botnet is back with a new phishing campaign that uses malicious Excel and Word documents. When users open these documents and enable macros, Emotet gets loaded into memory.

  • Zimperium researchers took a deep dive into Cloud9, a botnet that is delivered via a malicious Chrome extension spread via third-party websites. Once it infects users’ browsers, it can steal cookie files, keystrokes, and browser session data, and can also deploy other malware on the infected system.

  • An updated version of IceXLoader malware (version 3.3.3) compromised thousands of personal and enterprise Windows machines across the world. The malware variant is written in the Nim programming language and is sold for $118 on underground forums.

  • Trend Micro researchers found five banking malware families targeting customers of seven banks in India via phishing campaigns. The malware families—Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy—are being distributed via different phishing emails.

  • Previously unknown Chinese APT group Earth Longzhi was spotted targeting government, infrastructure, healthcare, defense, aviation, insurance, and urban development organizations in Ukraine, East Asia, and Southeast Asia with a custom Cobalt Strike loader called Symatic. Active since 2020, the attackers leverage spear-phishing emails to launch their attacks.

  • Fortinet researchers found that a botnet called RapperBot has been repurposed to launch DDoS attacks. The botnet was first spotted in August and was used in brute-force attacks. According to the latest data, the botnet is being used to target gaming servers and is a continuation of similar attacks observed earlier this year.

  • Several new versions of the LodaRAT malware were found to be deployed alongside RedLine and Neshta trojans in a series of attack campaigns. Significant upgrades include new functionality allowing proliferation via removable storage devices and a new set of string encoding algorithms. The new implementations are likely to improve the speed of execution and the evasion process.

  • Palo Alto Networks’ Unit 42 researchers uncovered a new crypto miner for hire named Typhon Stealer. Shortly after, a new version of the malware was released. Both versions of the malware have the ability to steal crypto wallets, monitor keystrokes, and evade antivirus products.

  • North Korean hacking group Lazarus was caught using a new variant of the DTrack backdoor to target organizations in Europe and South America. The new variant conceals itself within legitimate-looking executable files to evade detection. Moreover, it uses three layers of encryption algorithms to make analysis difficult.

  • A new attack method, dubbed PCspooF, affects Time-Triggered Ethernet (TTE), a networking technology used in safety-critical infrastructure. This attack is designed to break TTE’s security guarantees and induce TTE devices to lose synchronization for up to a second, potentially causing the failure of time-sensitive systems powering spacecraft and aircraft.

  • Google Cloud Threat Intelligence researchers found 34 cracked versions of Cobalt Strike in the wild. These versions contained 257 unique JAR files and Beacon components, which upon execution could log keystrokes, perform code execution, escalate privileges, and conduct port scanning, among other nefarious activities.

  • Two new RaaS families called Octocrypt and Alice were observed by researchers. While Octocrypt is being offered at a price of $400 to target all Windows versions, Alice is being sold at $600, with fast encryption capabilities and compatibility with Asian/Arabic PCs. Additionally, a new ransomware named AXLocker was seen stealing Discord tokens from victims’ systems.

  • Cybercriminals were found using fake VPN apps to distribute the Bahamut spyware in a campaign that has been active since January. The campaign is conducted by a group of the same name, and its main purpose is to extract sensitive user data from devices. So far, eight versions of these malicious apps have been discovered being distributed via a VPN website.
