
Cyware Weekly Threat Intelligence - December 11–15

Weekly Threat Briefing Dec 15, 2023

The Good

As the cyber threat landscape continues to darken, proactive measures are being taken to mitigate potential impacts. Amidst the surge in software supply chain attacks, U.S. government agencies have issued guidance on the safe use of SBOMs and open-source repositories. Separately, MITRE launched a new threat model framework, named EMB3D, to address threats against OT and ICS.

  • MITRE unveiled a novel threat model framework named EMB3D to help government agencies and private organizations safeguard their Operational Technology (OT) and Industrial Control Systems (ICS). It offers a knowledge base of cyber threats to embedded devices, enabling users to map these threats to vulnerabilities using frameworks like CWE, CVE, and MITRE ATT&CK. The framework suggests mitigations, emphasizing technical mechanisms that device vendors can implement against specific threats. It is set for public release in early 2024.

  • U.S. lawmakers allocated $874.2 billion for the 2024 National Defense Authorization Act, a portion of which will be used to refine defensive and offensive cyber skill sets. Measures include creating a cross-functional team to defend against threats to Nuclear Command, Control, and Communications (NC3), developing robust cyber support mechanisms, and creating a bureau chief data officer program to improve data fluency.

  • The NSA, ODNI, CISA, and industry partners released a joint advisory to bolster security against software supply chain attacks. The guidance primarily covers how to manage and maintain SBOMs and open-source software. Additionally, it provides details on what to consider when adopting open-source software and on distributing approved software components using an SBOM.

  • Microsoft's Digital Crimes Unit seized multiple domains operated by the Vietnam-based Storm-1152 cybercrime group, which sold over 750 million fake Microsoft accounts and tools, generating millions in illegal profits through fake websites and social media. These fake accounts were further used as a channel to conduct mass phishing attacks, identity theft, and DDoS attacks.

The Bad

Database security is back in the limelight as DonorView and Dubai Taxi Company were found leaking a trove of sensitive data from their databases. Meanwhile, several top institutions and firms, such as Kyivstar, Toyota Financial Services, and Americold, fell victim to cyberattacks.

  • Tri-City Medical Center, California, despite resuming operations 17 days ago after a ransomware attack, was observed facing ongoing extortion attempts by the INC RANSOM group. The group claimed to possess stolen records from the hospital by posting proof on the dark web. The documents included prior authorization forms, financial records, and patient information. While the extent of the data breach remains unclear, there is no confirmation of access to the hospital's EMR system.

  • A misconfigured database owned by the fundraising platform DonorView exposed nearly one million records containing the addresses, names, phone numbers, emails, and payment methods of donors. The records also contained sensitive details about children, such as medical information, images, and the names of attending doctors.

  • The Dubai Taxi Company left a MongoDB database open to the public, exposing a trove of sensitive information about 197K users and 23K drivers. The exposed details included banking details, email addresses, phone models, login credentials, driver’s license numbers, work permit numbers, and the nationality of users and drivers.

  • Ukrainian telecom operator Kyivstar was the target of a cyberattack that knocked its internet access and mobile communications offline. Market analysis firm Telegeography calculated that roughly half of Ukraine's mobile subscriber base was affected by the incident. However, the operator confirmed that the personal data of subscribers was not compromised.

  • Researchers uncovered hundreds of fake profiles on LinkedIn, targeting professionals at companies in Saudi Arabia. As part of the campaign, attackers leveraged well-connected synthetic identities to create fraudulent profiles and later sent contact requests to victims to steal their contact lists and other information.

  • A ransomware attack on cold storage giant Americold affected nearly 130,000 people, including current and former employees. Investigation revealed that details like names, addresses, Social Security numbers, passport numbers, financial information, and medical information were compromised in the incident.

  • Sony initiated an investigation into an alleged ransomware attack on its subsidiary Insomniac Games after the Rhysida threat actor threatened to sell the stolen data if a ransom of $2 million was not paid within seven days. Meanwhile, Sony officials believe that no other Sony Interactive Entertainment (SIE) or Sony divisions were impacted by the incident.

  • Toyota Financial Services disclosed a data breach that exposed the personal and financial data of customers. The incident occurred after threat actors gained unauthorized access to Kreditbank’s systems and stole the full names, residence addresses, contact information, and lease-purchase details of customers.

  • Kentucky-based Norton Healthcare confirmed that attackers stole the data of around 2.5 million individuals in the May ransomware attack. The data included driver’s licenses, government ID numbers, financial information, and digital signatures. Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries were also impacted by the incident.

  • A new wave of BazarCall attacks used Google Forms to install malware on victims’ systems. The forms were sent via phishing emails and included details of fake transactions, such as an invoice number, date, and payment method, to create a sense of urgency among recipients. To cancel the subscription or raise a dispute, recipients were urged to call a toll-free number that was in fact operated by the threat actor. At the final stage, the victim was tricked into installing the BazarLoader malware on their system.

  • In an update, the Idaho National Laboratory revealed that the sensitive information of 45,047 current and former employees and their spouses and dependents was affected in the cyberattack that occurred on November 20. The exposed information includes names, SSNs, salary information, and banking details of individuals.

  • Healthcare device manufacturer LivaNova PLC fell victim to the LockBit ransomware group. The attack, detected on December 9, allegedly exposed a substantial 2.2TB of sensitive data, including product specifications, employee information, financial documents, and more. The threat actor has uploaded the stolen data to its leak site and set a deadline for its potential public release.

  • Food and beverage company Kraft Heinz started an investigation into a cyber incident after the Snatch ransomware group added the organization’s name to its victim list. However, the company did not verify the attackers’ claim and stated that the criminals appeared to have targeted a decommissioned marketing site hosted on an external platform.

  • Ledger revealed that attackers pushed a malicious version of its Ledger dApp Connect Kit library to steal $600,000 in crypto and NFTs. The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet. It’s not immediately clear how many people fell victim to the hack.

New Threats

This week, Lazarus and Fancy Bear expanded their malware arsenals to target more organizations. While Lazarus introduced three DLang-based malware families, Fancy Bear was linked to the use of the custom HeadLace backdoor. Meanwhile, SOHO routers came under attack by the operators of KV-Botnet, and NKAbuse became the first-ever malware to abuse the NKN blockchain.

  • ESET Research discovered 116 malicious packages on the PyPI repository. These packages infected both Windows and Linux systems and were used to deliver either a W4SP stealer variant or a clipboard monitor designed to steal cryptocurrency. In some cases, a backdoor was delivered in the final stage to execute arbitrary commands, exfiltrate data, and take screenshots. These packages were downloaded over 10,000 times.

  • The North Korea-linked threat group Lazarus was attributed to a new global campaign that exploits the infamous Log4j flaw to deploy three previously undocumented DLang-based malware families - NineRAT, DLRAT, and BottomLoader. The campaign, dubbed Operation Blacksmith, is believed to have been active since March and targeted organizations in the manufacturing, agriculture, and physical security sectors.

  • An attack campaign associated with Fancy Bear was observed using lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. The campaign targeted critical infrastructure organizations across Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The infection chain exploited a WinRAR flaw, CVE-2023-38831, to propagate the backdoor.

  • A series of SQL injection attacks targeting companies in the Asia-Pacific region was attributed to a previously unknown threat actor called GambleForce. The attacks relied on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell, with the ultimate goal of exfiltrating sensitive information from compromised networks.

  • Researchers linked a sophisticated botnet, tracked as KV-Botnet, to the China-linked Volt Typhoon threat actor. The botnet is designed to target SOHO and VPN devices, some of which have reached end of life. The botnet has been active since at least 2022 and, based on its target scope, attackers are believed to be using it for espionage and information gathering.

  • A new Go-based malware named NKAbuse became the first strain to abuse New Kind of Network (NKN) technology for stealthy communications. The multi-platform malware was observed targeting Linux desktops in Mexico, Colombia, and Vietnam. During an attack aimed at a financial company, the malware was propagated by exploiting an old flaw (CVE-2017-5638) in Apache Struts. The malware acts as a remote access trojan and also includes DDoS capabilities.

  • ESET researchers discovered a new campaign by the OilRig group that used three new malware downloaders, ODAgent, OilCheck, and OilBooster, to infect victims and organizations in Israel. The attackers also released an updated version of the SampleCheck5000 downloader that was used as part of attacks against Israel. The targeted organizations belonged to the healthcare, manufacturing, and government sectors.

  • The Gaza Cyber Gang deployed an updated version of the Pierogi backdoor to target Palestinian entities. The malware, tracked as Pierogi++, is written in C++ and is equipped with capabilities to take screenshots, execute commands, and download malicious files. It is distributed via decoy documents written in Arabic and English.

  • Proofpoint warned recruiters about a campaign that targeted them with emails designed to deploy the More_Eggs backdoor. The campaign was launched by the financially motivated TA4557 threat actor throughout 2022 and 2023 and relied on third-party job boards to target recruiters. Alternatively, the actor was observed replying with a PDF or Word attachment containing instructions that redirected victims to fake resume websites.

  • A month after patches were made available by Netgate, around 1,459 pfSense instances were found vulnerable to command injection and cross-site scripting flaws, allowing attackers to perform remote code execution on the appliance. The flaws are tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection).
