Cyware Weekly Threat Intelligence - December 26–30

Weekly Threat Briefing • Dec 30, 2022
As we wrap up the final week of 2022, here’s a glance at a significant development made by the U.S. government. President Joe Biden passed the expenditure bill for the fiscal year 2023, of which $2.9 billion has been allocated for cybersecurity efforts. The CISA will use the funds to strengthen civilian and federal networks, besides improving its cybersecurity operations. Meanwhile, the DoJ indicted a hacker who was accused of stealing $110 million in a fraud scheme against the Mango Markets cryptocurrency exchange.
An amount of $2.9 billion has been allocated to CISA for the fiscal year 2023. With the given budget, the CISA aims to improve emergency communications preparedness and strengthen civilian and government networks. A portion of the amount will also be used for CISA’s advanced cybersecurity operations.
The DoJ filed criminal charges against a hacker for stealing approximately $110 million in a fraud scheme targeting Mango Markets cryptocurrency exchange. The hacker manipulated the price to trap the investors and steal their funds.
The Ukraine cyber police seized a call center for duping 18,000 victims by pretending to be IT security employees at banks. The scammers contacted the victims and claimed that their bank accounts had been accessed by hackers and requested their financial information.
Moving on, ransomware attacks continue to disrupt the operations of victim organizations. This week, a Portuguese port and a city in Westchester County fell victim to attacks by the LockBit ransomware group. The Royal ransomware group also claimed responsibility for attacks against the telecommunications company Intrado. The Black Basta group was also reported to have stolen data from multiple electric utilities after targeting a major U.S. government contractor.
The Kimsuky APT group was associated with a new phishing campaign that was aimed at nearly 900 foreign policy experts in South Korea. The attack was launched via spear-phishing emails that impersonated different well-known authorities and contained a link to a fake website that resulted in the download of malware.
The Port of Lisbon was targeted in an attack by the LockBit ransomware group. The attackers claimed to have stolen all the data from the website and demanded a sum of close to $1.5 million to prevent the data leakage.
Thousands of Citrix servers still remain vulnerable to attacks due to two critical vulnerabilities that are tracked as CVE-2022-27510 and CVE-2022-27518. These flaws affect Citrix ADC and Gateway endpoints and have been patched with the release of new versions last month.
It’s been a year, and around 40% of software using Apache Log4j is still vulnerable to the Log4Shell attack. A security update to fix the flaw was issued last year.
The Royal ransomware group claimed responsibility for a cyberattack against telecommunications company Intrado. As proof of the breach, the gang shared a 52.8MB archive containing scans of passports, business documents, and driver’s licenses of employees.
Operations at the police department, municipal court, and other government offices in the city of Mount Vernon were disrupted following an attack by LockBit ransomware. The breach was executed by exploiting a remote access tool used by the city’s IT provider.
Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor. The attack occurred in October.
Lake Charles Memorial Health System in Louisiana disclosed that the personal data of nearly 270,000 patients were accessed in the October ransomware attack. This included patients’ health insurance information, medical records, and social security numbers.
Lazarus was associated with a massive phishing campaign that targeted NFT investors. Nearly 500 phishing domains mimicking well-known NFT marketplaces, such as OpenSea, X2Y2, and Rarible, were used to dupe victims.
3Commas cryptocurrency platform admitted to a hack after a set of 10,000 API keys was published by a hacker on Twitter. The firm urged Kucoin, Coinbase, and Binance to revoke all keys connected to 3Commas.
Threat actors are always gearing up to evolve their attack techniques and some of them were noticed this week. The BlueNoroff APT adopted a new tactic to sneak past the Mark-of-the-Web (MotW) security measures. On the other hand, researchers observed threat actors delivering a variety of malware by exploiting the Google Ads platform under the MasquerAds campaign. Furthermore, a newly found CatB ransomware group emerged with new evasion techniques.