Cyware Weekly Threat Intelligence - April 18–22

Weekly Threat Briefing • Apr 22, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Apr 22, 2022
The Good
Governments are realizing that multilateral collaboration, not only among private organizations, but also among different nations is the way to create a secure cyberspace. In this regard, the U.S. is partnering with six other countries to safeguard the cross-border flow of data. Cybercriminals making mistakes and leaving gaps in their malware architecture has always been a good piece of news. Due to this very reason, researchers were able to build a decryptor for the Yanluowang ransomware.
The U.S. is partnering with six other countries—Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan—to create privacy and cybersecurity standards for the data that cross over into each other’s borders.
A security lapse discovered in the encryption process of the Yanluowang ransomware has enabled researchers to build a decryptor. This decryptor is available for free to the victims who are infected by the ransomware. The ransomware was first spotted in October 2021 and was used in highly targeted attacks against large organizations.
U.S Cyber Command allocated over $236 million in the command’s fiscal year 2023 spending request. The funds would augment operational support to each of the Joint Cyber Warfighting Architecture components to deliver critical cyber capabilities.
Australia’s financial intelligence and regulatory body AUSTRAC released two financial crime guides to aid organizations in detecting and preventing ransomware attacks and the exploitation of digital currencies. The guides assist businesses in identifying if a certain payment is associated with a ransomware attack or if someone is leveraging digital currencies to commit financial frauds.
The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) is organizing Locked Shields 2022, an international live-fire cyber defense exercise for the protection of national civilian and military IT systems and critical infrastructure.
The Bad
Do not speak ill of the dead for they may come alive. It’s been almost a year since Emotet was shut down and now, it’s back from its grave and quickly rising to the forefront of the threat landscape via rapidly spreading email scams. Not only Emotet, but we also have another resurrection on our hands this week. REvil’s servers are up on the Tor network and the gang has already listed two fresh victims on its new leak site. New week, new crypto hack. A cyberattack on BeanStalk Farms resulted in the loss of millions worth of cryptocurrency.
An attack on a third-party system has disrupted the operations of a Canadian airline company, Sunwing Airlines Inc. The firm disclosed that the third-party system used for check-ins and boarding was breached, leaving thousands of passengers stranded at the airport.
The FBI has shared an advisory to warn organizations about the escalating attacks by BlackCat ransomware. The note reveals that the ransomware has targeted at least 60 organizations worldwide between November 2021 and March 2022. Additionally, the operators announced nine new victims as of April 21.
Researchers have spotted REvil ransomware’s servers being up in the Tor network after several months of inactivity. A new leak site associated with the ransomware is being promoted on a RuTOR dark web marketplace. The site includes a list of organizations targeted by the ransomware, out of which two are new ones.
The FBI has issued an advisory about the potential impact of ransomware attacks on organizations in the Food and Agriculture (FA) sector in the U.S. Two such attacks disrupting the supply of seeds and fertilizers were reported in early 2022.
The Unified Government (UG) of Wyandotte County and Kansas City experienced a cyberattack at its data centers. According to the UG, it is working with the U.S. Department of Homeland Security, FBI, and Mid-America Regional Council cybersecurity task force to restore data services. It is yet to be determined if any data was compromised.
Scammers are taking advantage of the ongoing geopolitical war to deceive Ukrainians, as well as people from other nations, into sending donations to the wrong recipients. The scams are being carried out through fake donation sites, fake Red Cross portals, and social media. In one such instance, the scammer known as @Xenta777 on Twitter had asked people to make military equipment-related donations.
GitHub reported that threat actors used stolen OAuth user tokens to exfiltrate private data from several organizations. The stolen OAuth tokens were linked to two OAuth integrators, Heroku and Travis-CI. The first intrusion was detected on April 12 after the company’s security team identified unauthorized access to its npm production infrastructure using a compromised AWS API key.
BeanStalk Farms, an Ethereum-based stablecoin protocol, suffered a loss of around $182 million following a cyberattack. The attackers got away with around $80 million of crypto tokens by projecting a flash loan on the lending platform Aave, which is used to amass a large amount of Beanstalk’s native governance token, Stalk.
Researchers observed that the recent Emotet outbreak is being spread through various malicious Microsoft Office files that come attached with phishing emails. The emails include ‘Re:’ or ‘Fe:’ in the subject line. The attached Excel files and Word documents contain the ‘Enable Content’ button that, if clicked, causes the download of malicious macros.
Several instances of IRS tax scams targeting users in the U.S were reported recently. In one incident, threat actors used phishing emails that appeared to come from the IRS to warn the recipients about the last date for filing the tax and asked them to complete the tax filing by clicking on malicious attachments. In some cases, the cybercriminals also impersonated federal agencies such as DHS to warn victims about overdue payments to the IRS, which should be paid via a link that redirects them to a fake PayPal site.
New Threats
Since the Russian invasion of Ukraine started, the latter has had no respite from cyberattacks. The Russia-linked Gamaredon group is now launching targeted attacks using four new malware variants. Threat actors are back at spreading malware via fake Windows updates. They are propagating the 'Inno Stealer' malware through SEO poisoning tactics. There’s a new location in the cyber underground, named Industrial Spy, for the sale of stolen enterprise data.