Cyware Weekly Threat Intelligence - December 20–24

Weekly Threat Briefing • December 24, 2021
Weekly Threat Briefing • December 24, 2021
The Good
As 2021 comes to an end, it is time to celebrate all the positive developments we saw this year in the cybersecurity world. Check out our compilation of the best of cybersecurity in 2021. This week, the U.S. federal agencies provided new guidance and a special tool to help counter the tide of Log4j attacks. Meanwhile, the shutdown of yet another dark web marketplace gave us a reason to cheer up.
The U.K’s National Crime Agency shared a collection of more than 585 million compromised passwords it found during an investigation with Have I Been Pwned. This move will help prevent the use of such compromised credentials so as to improve online security and avoid further attacks using those credentials.
As the saga of the Log4j bugs continues, the US government is taking positive steps to help all organizations tackle the onslaught from cybercriminals. The U.S. CISA and Five Eyes alliance partners issued guidance to help slow Log4j attacks, whereas the CISA also released a scanner for identifying web services impacted by Log4j flaws.
The operators behind ToRReZ, a dark web underground marketplace for the trade of illicit wares, announced to shut down their operation. This marks the third such marketplace to shut down on its own this year. The site, which was launched in February 2020, operated like any online marketplace, allowing users to register as buyers or sellers.
The Bad
While there are always reasons to celebrate, there were also bad incidents this week that gave us a pause. A business email compromise at a hospital system in West Virginia resulted in a data breach for thousands of patients, staff members, and contractors. In a series of unfortunate data leaks, the personal details of hundreds of thousands of citizens of Albania and Ghana were revealed online. In a shocking revelation, a massive global phishing campaign was also found raking in up to $80 million a month through fake surveys and giveaways.
Around 1.8 million customers’ credit details were stolen following a cyberattack on four popular sporting goods websites. The affected firms are Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC, and Skate Warehouse LLC. An investigation into the incident revealed that the stolen information included full names, financial account numbers, and website account passwords of customers.
Monongalia Health System, a hospital system in West Virginia which managed three different hospitals, suffered a data breach due to a phishing attack. Due to the business email compromise, the hackers gained access to internal accounts between May and August. These emails also included the personal information of 40,000 patients, providers, employees, and contractors.
Game developer Ubisoft has announced a data breach impacting Just Dance, one of its popular video game franchises. The incident occurred due to a misconfiguration issue that exposed GamerTags, profile IDs, and device IDs, and dance videos of a limited number of users. Ubisoft did not disclose how many people were affected by the incident, however, it has sold millions of copies of the game since 2009.
The personal data, including the name and salary of over 637,000 Albanian citizens, was leaked in a data breach recently. An Excel file containing the data of 637,138 citizens was found circulating online, especially on WhatsApp. The file contained the names, ID numbers, monthly salaries, positions, and employer names for nearly all employed Albanian nationals. It is believed to have originated from the offices of the Albanian Internal Revenue Services.
A new sophisticated global phishing campaign that is estimated to have cost victims approximately $80 million per month, has been uncovered by researchers at Group-IB. The campaign offers fake giveaways and surveys from popular brands in order to steal data from victims. So far, it has targeted users in over 90 countries including the U.S., Canada, and Italy.
As part of the ongoing Log4j-related attack campaigns, hackers breached the Belgian Defense Ministry’s network by exploiting its internal systems. This affected its computer network, including the mail system used by the department. The officials roped in an external security team to mitigate the issues.
A misconfigured AWS S3 bucket exposed data of 700,000 citizens in Ghana. The unprotected storage bucket, which contained 55GB worth of data, belonged to Ghana’s National Service Secretariat. The exposed data included program membership cards, Ghana National Health Insurance scheme, and professional IDs of individuals.
New Threats
The week also saw the discovery of several new and resurgent malware strains. This included the JavaScript and C# based trojan called DarkWatchman, a surprisingly simple ransomware named TimeTime, the TellYouPass ransomware that came back from the dead, and the Dridex banking trojan that appeared in an employee termination malspam campaign and in attacks exploiting the Log4Shell vulnerability.
This week, a new malware named DarkWatchman was revealed in the cybercrime landscape. The malware, which was first spotted in early November, is being distributed via phishing emails containing malicious ZIP attachments. The malware is a highly-capable JavaScript-based remote access trojan that is paired with a C# keylogger.
Researchers at Sophos and Curated Intelligence this week confirmed that a second ransomware family after Khonsari –TellYouThePass – has been exploiting the Apache Log4j vulnerability. The ransomware, which had remained inactive since the summer of 2020, resurfaced to target both Linux and Windows systems.
Microsoft notified Azure users about source code leaks due to a serious security vulnerability in the Azure App service. The flaw affected hundreds of source code repositories belonging to Azure users who deployed applications using Local Git after files were created or modified in the content root directory. Following the disclosure, the company has taken steps to fix the issue.
Researchers from the New York University Abu Dhabi discovered security vulnerabilities in handover, a fundamental mechanism used by all modern cellular networks. These flaws could be exploited by attackers to launch denial-of-service and man-in-the-middle attacks using low-cost equipment. All generations of mobile networks since 2G (GSM) are affected by these security issues.
A new ransomware strain, dubbed TimeTime, was discovered recently. Curiously enough, the TimeTime ransomware is written in C#, does not use any obfuscation techniques, and contains well documented code with meaningful function names. It encrypts victims’ files with a simple algorithm and asks them to pay 100 Euro via PaysafeCard in ransom.
In a new phishing campaign, attackers send fake termination letters to employees via emails to scare them into opening a malicious Excel attachment. The Excel file trolls the victim with a season's greeting message and infects them with Dridex banking trojan. Dridex also made an appearance in another campaign exploiting the Log4j vulnerability to distribute the malware on Windows and Linux systems with Meterpreter. The malware has the capability to install additional payloads and take screenshots, among other malicious actions.
In a recent phishing campaign, attackers were found bypassing the patch for a flaw in MSHTML to deliver the Formbook malware to Windows systems. The vulnerability in question, tracked as CVE-2021-40444, relates to a remote code execution flaw in MSHTML that could be exploited using specially crafted Microsoft Office documents.
Two severe vulnerabilities affecting the ‘All in One SEO’ plugin put more than three million WordPress websites at risk of cyberattacks. The two flaws, described as a privilege escalation bug (CVE-2021-25036) and an SQL injection bug (CVE-2021-25037), were addressed with the release of a new version 4.1.5.3 of the plugin.
A relatively new AvosLocker ransomware was found actively targeting its victims using a bunch of new evasion techniques. It now uses the AnyDesk remote IT administrator tool in Windows Safe Mode. One of the other clever techniques used by it is the targeting of VMware ESXi servers by killing the virtual machines and then encrypting the files.
Microsoft released an alert on two Active Directory vulnerabilities and urged customers to install the available patches as soon as possible, to prevent potential compromise. Tracked as CVE-2021-42287 and CVE-2021-42278, the two security flaws can be used in an attack chain to impersonate domain controllers and gain administrative privileges on Active Directory.