Cyware Weekly Threat Intelligence - April 03–07
Weekly Threat Briefing • Apr 7, 2023
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Apr 7, 2023
This week, law enforcement agencies made some significant advancements in combating the malicious activities of cybercriminals. One such action was taken against a massive pig butchering scam that swindled over $112 million in cryptocurrency. The operations of the infamous Genesis Market were also disrupted in a coordinated effort, saving millions of computers from being further used by attackers. These computers were compromised using DanaBot and other malware.
While Genesis is no longer active, a new dark web market called Styx has emerged to fill the void, offering cybercriminals a wide range of illegal services for identity theft, DDoS attacks, and financial fraud. In the latest update on the recent 3CX supply chain attack, a small number of cryptocurrency firms were affected in the incident that was pulled off by North Korea’s Lazarus group. In separate news, a new ransomware group has demanded $4 million in ransom to prevent the leak of over 1.5TB of sensitive data it allegedly stole from a Taiwan PC hardware vendor.
Taiwanese PC parts maker MSI has five days' time to pay a hefty ransom of $4 million demanded by a newly-formed ransomware group called Money Message. If payment is not received, the threat actors have threatened to publish 1.5 TB of data stolen from the firm. To claim the attack, the group has posted screenshots of the hardware vendor’s CTMS and ERP databases containing software source code, private keys, and BIOS firmware.
YouTube warned users of a new phishing scam that tricked users into sharing their login credentials. Scammers impersonated the video-sharing platform to send out a phishing email that asked recipients to provide their details owing to the changes in YouTube rules and policies.
A hacker group that goes by the name of TACTICAL#OCTOPUS used tax-related themes to lure U.S. taxpayers into downloading a malicious zip file that installed malware onto their systems. The malware enabled hackers to gain access to victims’ systems and capture clipboard data and track keystrokes.
New updates on the 3CX supply chain attack reveal that a small number of cryptocurrency companies were also impacted by the attack conducted by the Lazarus threat group. A majority of the attack attempts have been registered in Australia, the U.S., and the U.K, with healthcare, pharma, IT, and finance emerging as the top targeted sectors.
Sensitive details of several banks, including QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, Reed, HSBC, and Westpac, were leaked due to a misconfiguration issue in a digital identification tool provided by OCR Labs. The leaked data included access credentials to AWS, application tokens, and various API keys.
A new dark web marketplace identified as Styx is gaining popularity among cybercriminals for providing access to a wide range of illegal services such as DDoS attacks, banking trojans, stolen IDs, and 2FA/MFA bypass solutions. These services can be used to launch identity theft, financial fraud, and malware attacks. The marketplace is also being used to sell the PII of victims based in the U.S., the U.K, Canada, and the Netherlands.
A massive WordPress infection campaign, that leverages well-known vulnerabilities in plugins and themes, was found to be active since 2017. The attackers could manage to stay under the radar by using different domain names that hosted sites for tech support scams, push notification scams, and fraudulent lottery wins. It is estimated that over one million WordPress websites have been infected by this campaign.
The Medusa ransomware group added the Open University of Cyprus to its data leak site, giving the institute 14 days time to respond to its ransom demands. The hackers have asked for $100,000 in ransom to prevent the further leak of data that includes the PII of students, and the financial details of research contractors.
The U.K’s Criminal Records Office (ACRO) confirmed that its website was disrupted in a cybersecurity incident on January 17. The announcement comes after the applicants were unable to download their police certificates from the website.
An online marketplace Z2U was found exposing 600,000 customer support attachments due to an unprotected database. The attachments included images of individuals holding credit cards, passports, and other ID documents. Other exposed information were email addresses, passwords, and IBAN numbers of users.
Moving on, cryptocurrency investors are at more risk of cyberattacks as threat actors added two new cryptocurrency-stealing malware to their arsenal. Named Rilide and CryptoClippy, the malware are distributed via SEO poisoning attacks and can withdraw digital assets from victims’ wallets without their knowledge. Several new ransomware families were also spotted this week, with Rorschach being detected as the fastest ransomware to encrypt files in just over four minutes.