Cyware Weekly Threat Intelligence - April 04–08
Weekly Threat Briefing • Apr 8, 2022
We use cookies to improve your experience. Do you accept?
Weekly Threat Briefing • Apr 8, 2022
The Good
Governments are increasingly looking to upgrade their cybersecurity policies to align with the changing security landscape. Taking a step in that direction, the U.S. State Department launched its Bureau of Cyberspace and Digital Policy. The Cyclops Blink botnet was killed before it could even blink a complete blink. The FBI took down the modular botnet by disrupting its infrastructure and closing external management ports.
The FBI announced taking down the Cyclops Blink botnet, which used to target firewall appliances and SOHO networking devices. It was under the control of the Russian Sandworm group.
German police disrupted the dark web market Hydra and seized bitcoin worth $25 million. The marketplace was a hub for selling narcotics, stolen credit card data, money laundering services, fake identity documents, and protecting Tor users.
The Bureau of Cyberspace and Digital Policy was launched officially under the State Department to address the national security challenges, economic opportunities, and implications for the U.S. in the areas of cyberspace, digital technologies, and digital policy.
The Australian Department of Home Affairs started work on a new national data security action plan. It comes as a part of the federal government’s digital economy strategy, which will safeguard citizens’ data stored on digital networks and systems.
The Bad
Despite humongous data leaks of its own internal communications, Conti remains in business. The ransomware actor leaked around 5GB of files belonging to Parker Hannifin. Just when you think a particular threat has disappeared and you can breathe a little easy, it comes and hits you hard. The same goes for the recent Magecart attack against a mattress maker, which impacted customers across 12 nations. Cadbury UK took to Twitter to warn against a scam pretending to sell free chocolates. Falling victim to it can turn pretty bitter, warned the company.
A Magecart attack at Emma Sleep Company affected the credit or debit card details of its customers. The attackers injected the malicious code into the checkout page to steal personal information and credit card data.
A compromised Trezor hardware wallet mailing list was used to send fake data breach notifications to steal cryptocurrency wallets and the assets stored within them. Attackers leveraged one of the newsletters hosted at MailChimp to launch the attack. The notifications prompted recipients to download a fake Trezor Suite software that would steal their recovery seeds.
Discord communities of multiple major NFT projects were hacked as part of a phishing scam to trick users into handing over their digital JPEGs. Some of the affected projects were Bored Ape Yacht Club, Nyoki, Doodles, Kaiju Kingz, and Shamanz. The ultimate goal was to trick users into clicking a link to mint a fake NFT by sending ETH and in some instances an NFT to wrap into a token.
Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam that steals their personal information. The scam, which goes with the title ‘Free easter chocolate basket,’ is making the rounds on WhatsApp and social media sites. The recipients are asked to click on a link to claim the free gift. But, before that, the recipients are asked to answer a series of questions appearing on the screen.
More than $15 million were stolen after hackers exploited the DeFi platform Inverse Finance. According to the company, the hackers manipulated its money market, Anchor, and increased the price of INV via Sushiswap. This enabled the attackers to borrow $15.6 million in the DOLA, ETH, WBTC, and YFI cryptocurrencies.
Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a part of the precautionary measure, the company took immediate actions to prevent further propagation of the attack.
An ongoing malware attack campaign is using ISO disk images to deliver AsyncRAT, LimeRAT, and other commodity malware to victims. The threat actors behind the campaign have been using a new version of the 3LOSH crypter to generate obfuscated code to hide the RAT payloads and facilitate the infection process.
Ukraine CERT-UA published a security advisory about spear-phishing attacks conducted by Russia-linked Armageddon APT. The attacks targeted local state organizations with malware. The phishing messages were sent from ‘vadim_melnik88@i[.]ua.’ In another instance, the CERT-UA also revealed a cyberattack that enabled attackers to get session data, a list of contacts, and the history of their Telegram session. The operators leveraged the Telegram website to send malicious links to users.
The Conti ransomware group has leaked more than 5GB of files allegedly stolen from U.S. industrial component giant Parker Hannifin. As the company continues its investigation, it confirmed that some data, including the personal information of employees, was accessed by hackers.
The Australian Competition & Consumer Commission has issued a warning about the rise in money recovery scams. It is found that scammers are impersonating a money recovery firm, law office, or a special government task force to trick users into filling out fake paperwork that could help them with the recovery of previously stolen funds. The targeted victims are approached via phone or email. The ultimate goal of scammers is to steal identification details from users. Some of these scams also enabled threat actors to gain remote access to victims’ computers or smartphones.
The Texas Department of Insurance (TDI) disclosed a data security incident that affected roughly 1.8 million people. It occurred due to a vulnerability in one of its web applications. The exposed information included names, phone numbers, addresses, dates of birth, and social security numbers of individuals.
A data theft tool used by BlackCat (aka ALPHV) ransomware is increasingly being used to target industrial organizations. It is tracked as ExMatter, a modified version of Fendr. Researchers revealed that the BlackCat group had used Fendr to exfiltrate data from oil, gas, mining, and construction firms in South America.
AridViper APT group was found targeting high-ranking Israeli officials in a cyberespionage campaign to spy and steal data by compromising their systems and mobile devices.
A phishing email pretending to be a payment notification from a trusted bank was found delivering Remcos RAT. The email asked the recipient to open the attached Excel file that is protected by a password. The file lures the victim into clicking the ‘Enable Content’ button to execute the malicious macro code.
North Carolina A&T State University became the latest victim of BlackCat ransomware. The incident occurred on March 7, forcing staff and students to operate manually. Systems taken down by the intrusion included wireless connections, Blackboard instruction, single sign-on websites, VPN, Jabber, Banner Document Management, Chrome River, and Qulatrics.
WonderHero has disabled its website and services after hackers stole $320,000 worth of Binance Coin. Threat actors took advantage of the cross-chain bridging withdrawal feature on the platform to launch the attack.
The critical Spring4Shell vulnerability has lately been exploited by the Mirai botnet. The attack was first observed on April 1. The botnet exploited one of the Spring4Shell vulnerabilities (CVE-2022-22965) to launch attacks.
Google removed several apps from its Play Store after they were found stealing sensitive data from users. The apps had over 45 million downloads and collected the data through a third-party SDK that had the ability to capture clipboard content, GPS data, email addresses, phone numbers, and even modem router MAC addresses.
Fraudsters made nearly $1.7 million by promising cryptocurrency giveaway scams on YouTube. Over 36 YouTube channels used for the purpose were observed between February 16 and February 18, attracting at least 165,000 viewers. The videos were made using footage of tech entrepreneurs and crypto investors like Elon Musk, Brad Gralinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood to add legitimacy to scams. Additionally, these videos include links to at least 29 websites with instructions on how to double cryptocurrency investments.
**New Threats **
Borat’s in town; not the movie though. It’s a new RAT that can conduct both ransomware and DDoS attacks, along with possessing several other capabilities. WhatsApp has once again become a favorite target for cybercriminals as a new phishing campaign abuses the platform’s voice messaging feature. The SharkBot banking trojan has resurfaced in a new campaign, biting victims across many countries.