Cyware Weekly Threat Intelligence, April 11 - 15, 2022

Weekly Threat Briefing • Apr 15, 2022
The Good
There’s always something good to look forward to. Finally, Microsoft took control of 65 domains that the chaotic ZLoader threat actors were leveraging to control, expand, and communicate with their botnet. In parallel, law enforcement authorities shut down the dark web marketplace RaidForums.
Microsoft dismantled 65 domains associated with the ZLoader threat actors, thereby taking down the group behind cybercrimes worth millions of dollars. The ZLoader operators employ malware-as-a-service to steal and extort money; the botnet consists of malware-infected devices belonging to global businesses, schools, hospitals, and homes.
International law enforcement ran an operation, TOURNIQUET, to successfully seize RaidForums, an infamous dark web marketplace known for offering stolen personal data. The operation was conducted by law enforcement agencies from the U.S., U.K., Portugal, Sweden, and Romania. The law enforcement agencies arrested the administrator of the dark web marketplace and two of his accomplices.
A group of cybersecurity companies that help defend industrial systems from hackers joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen the ICS and critical infrastructure in the U.S. The coalition aims to streamline how the founding members share threat information with each other and the government.
The Bad
In other updates, the Conti ransomware group is still running its business, despite the massive leak of its source codes. The group added three new organizations—Nordex, Snap-on, and Panasonic Corp.—to their list of victims. Security experts also expressed their concerns as the NB65 hacking group took advantage of Conti’s leaked source code to target organizations in Russia. The notorious Lazarus was also spotted making a comeback with fake job offer lures to ensnare individuals working in the chemical sector.
The Conti ransomware group added two new organizations to its list of victims. These were Snap-on and Panasonic Corp. While Snap-on was targeted in March, the Panasonic Corp. was compromised in February. Panasonic revealed that its Canadian operations were affected by the attack. On the other hand, Snap-on disclosed that attackers gained access to social security numbers, names, birthdates, and employee identification-related material of its franchisees and associates.
The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.
Christie Business Holdings Company revealed a data breach that affected the personal information of roughly 500,000 individuals. Threat actors gained unauthorized access to compromised email accounts between July and August 2021. According to the healthcare services provider, neither electronic medical records nor the firm’s patient portal were impacted in the incident.
The Anonymous collective group leaked 446GB of data after launching DDoS attacks against the Russian Ministry of Culture. The dumped data included around 600,000 new emails associated with the ministry.
California-based respiratory care provider SuperCare Health disclosed a data breach that affected more than 300,000 individuals. The exposed files included names, addresses, dates of birth, medical record numbers, patient account numbers, and health-related information of patients. In some cases, social security numbers and driver’s license numbers were compromised.
A hacking group named NB65 used Conti’s leaked source code to create its own ransomware. This new ransomware was used in a series of cyberattacks against organizations in Russia. The attackers leveraged the ransomware to steal data and later leaked it online.
The LockBit ransomware group managed to maintain persistence on a regional U.S. government agency’s network for at least five months. However, logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.
The notorious Lazarus is back with the ‘Operation Dream Job’ campaign spree, targeting organizations in the chemical sector. The campaign has previously targeted individuals in the defense, government, and engineering sectors.
The FBI linked the $600 million cryptocurrency heist that targeted the players of the popular video game Axie Infinity to the infamous North Korean cybercrime groups - Lazarus and APT 38. The attackers had exploited a network used to send cryptocurrency to carry out the heist.
New Threats
Researchers warned about a set of five new vulnerabilities that could impact patient care. Microsoft identified a new defense evasion malware, named Tarrask, that leverages a zero-day flaw in Windows task scheduling. Besides, two new deadly botnets—called Enemybot and Fodcha—capable of launching massive DDoS attacks were also unearthed in two disparate campaigns. Additionally, a new version of RedLine Stealer is gaining popularity in cybercrime forums for its ability to pilfer credentials from web browsers, cryptocurrency platforms, and email accounts.