Cyware Monthly Threat Intelligence
Monthly Threat Briefing • Dec 1, 2022
Given the ongoing worldwide cyber fiascos, innovation and research are right now the need of the hour. Significant progress toward enhancing the security of mobile phones and other cloud-based services was observed in the form of a new cryptographic tool presented at the Crypto ‘08 conference. The healthcare sector, especially, has been continually facing a barrage of cyberattacks. The Food and Drug Administration and MITRE jointly rolled out a new response playbook for security incidents involving key medical devices.
A team of scientists from Johns Hopkins University and NTT Research proposed a new approach to build One-Time Programs (OTPs) using commodity hardware found in mobile phones and cloud computing services. Such programs are purported to have multiple uses, including preventing brute-force attacks and strengthening various authentication methods.
MITRE Engenuity’s Center for Threat-Informed Defense (CTID) released an updated version of the Attack Flow project, which would allow defenders to gain better visibility into a potential threat. The project will help security teams easily describe, display, and share sequences of adversary behavior.
The FDA and MITRE released an updated version of the ‘Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.’ The playbook provides healthcare organizations with actionable strategies and resources to respond to cyber incidents while ensuring the security of medical devices.
The CISA updated its Infrastructure Resilience Planning Framework (IRPF) with new tools and guidance to help state, local, tribal, and territorial (SLTT) entities counter evolving cyber threats. The framework was released last year and can be used by any organization to improve resilience planning.
Network intrusions and data exposure incidents are the manifestations of insufficient cyber readiness of organizations and individuals alike. For example, customers of online sports betting firm DraftKings suffered a wave of credential stuffing attacks. In another story, the new BEC scammer group Crimson Kingsnake impersonated well-known international law firms. Researchers attributed 92 domains to the threat actor group. In another update, experts also took the wraps off the OPERA1ER threat group that milked at least $11 million in nearly 30 attacks in Africa.
Sports betting company DraftKings suffered a credential stuffing attack that led to a loss of up to $300,000. The firm claims that the hackers accessed its customers’ accounts by using login information that had been compromised on other websites. It has urged users to enable 2FA to secure their accounts and assured them that it would make up for the lost funds.
File-sharing and synchronization service Dropbox disclosed a phishing attack that enabled a threat actor to compromise the GitHub account of one of its employees. The attacker gained access to private repositories that stored API keys and personal information of some of its employees.
In an update on its data breach disclosure, Australian private health insurance provider Medibank revealed that the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. A ransomware gang known as BlogXX took credit for the attack and demanded a $10 million ransom payment. The gang also leaked the stolen sensitive details.
The LockBit ransomware group was found selling files stolen from German car parts giant Continental for $50 million. The hackers claim to have stolen a total of 40GB of files and screenshots. Cybercriminals further published the negotiation messages between them and the company’s representatives.
A cybercrime group named Crimson Kingsnake emerged in a new BEC attack campaign targeting well-known international law firms. The targeted firms include Allen & Overy, Deloitte, Dentons, Herbert Smith Freehills, and Lindsay Hart, among others. The threat actors impersonate lawyers sending invoices for overdue payment of services.
Ukrainian hacktivists claimed to have breached the Central Bank of Russia, stealing around 2.6GB of files. The files contained details of the bank’s operations, its security policies, and the personal data of employees. Earlier this year, Anonymous published 35,000 pilfered documents from the bank.
A wave of spear-phishing attacks orchestrated by the Mustang Panda APT targeted the government, academic, foundation, and research sectors around the world. The infection routines led to the distribution of several malware payloads, such as TONEINS, TONESHELL, and PUBLOAD. The ultimate goal of the attackers was to steal sensitive documents and information.
A French-speaking cybercrime group tracked as OPERA1ER was spotted wreaking havoc worldwide for four years, between 2019 and 2021. It has been held responsible for 35 intrusions at different organizations across 15 countries, with most of the attacks targeting African banks. The group is suspected to have stolen more than $30 million.
Iranian state-backed actors exploited the Log4Shell vulnerability in a VMware system to compromise a federal agency. They exploited the vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
The Russian scooter-sharing service Whoosh confirmed a data breach that affected the data of 7.2 million customers. Reportedly, the data was found being sold on hacker forums along with other sensitive information such as promotion codes and payment card details.
Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites.
Online gamers were the target of a massive phishing campaign that leveraged YouTube videos offering cracked software for popular games. This cracked software distributed info-stealing malware to steal passwords, cookies, autofill information from browsers, and cryptocurrency wallet information.
Security experts exposed a dataset that appears to contain data from nearly 500 million WhatsApp users from 84 countries. The data is being sold on cybercrime forums for prices ranging from $2,000 to $7,000. The threat actor claims that over 32 million US user records are included in the dataset.
While the Emotet botnet made a comeback after a hiatus of four months, the RapperBot and Cloud9 botnets also made a fresh entry into the cyber landscape. Moreover, the infamous Lazarus group experimented with a new version of the DTrack malware last month and used it as an important asset in its operations. Critical infrastructure in Ukraine, East Asia, and Southeast Asia also came under major threat from the Chinese APT group Earth Longzhi, which has been sending spear-phishing emails.