Cyware Weekly Threat Intelligence - February 07–11

Weekly Threat Briefing • Feb 11, 2022
The Good
It rained ransomware decryptors this week. A former operator and self-proclaimed developer for Maze, Egregor, and Sekhmet released decryptors for the victims. They claimed that this was a planned course of action and had nothing to do with recent takedown efforts by law enforcement. Russia took down three prolific online shops for stolen payment card data and stated that similar domains will be targeted in the near future.
Decryptors for three infamous ransomware families—Maze, Egregor, and Sekhmet—have been recently released by an operator named ‘Topleak.’ Meanwhile, there is also a free Emsisoft decryptor for the above-mentioned ransomware.
Avast has released a decryption utility to recover files encrypted by TargetCompany ransomware for free. The decryptor works by cracking the password that has been appended to the encrypted files.
In light of the rise in sophisticated cyberattacks targeting critical infrastructure throughout 2021, cybersecurity agencies from Australia, the U.K., and the U.S. released a joint advisory that outlines trends and criminal behaviors and underlines recommendations for mitigation.
The crackdown on cybercrime in Russia continues with authorities seizing three carding marketplaces, namely Ferum Shop, Sky-Fraud, and Trump’s Dumps. The Russian Federation, furthermore, detained six people who were allegedly members of a group involved in trading stolen credit cards.
The U.S. Department of Justice seized almost $4.5 billion worth of cryptocurrency, stolen during the 2016 Bitfinex crypto exchange hack. A Manhattan couple has been arrested for stealing 119,756 Bitcoins in the attack.
From April, Microsoft will disable macros in Office files downloaded from the internet. Documents downloaded from untrusted sources will have a Mark of the Web (MOTW) attribute to block macros. The changes will be implemented in the current version of Office, with patches for Office LTSC and Office versions 2013, 2016, 2019, and 2021.
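To make the MOTW item concrete, here is an added example (not Microsoft's or Cyware's code) that parses the `Zone.Identifier` stream Windows attaches to downloaded files and lists the macro-capable documents marked as coming from the Internet or Restricted zone. The extension list, sample file names, and the choice to treat ZoneId 3 and 4 as untrusted are assumptions of this sketch; Office trust and policy settings are not modelled.

```python
import configparser
from pathlib import PurePath

# Assumption for this sketch: extensions treated as macro-capable Office files.
MACRO_CAPABLE = {".doc", ".docm", ".dotm", ".xls", ".xlsm", ".xlsb",
                 ".xltm", ".ppt", ".pptm", ".potm", ".ppsm"}

# Constructed Zone.Identifier stream contents (None = file has no such stream).
SAMPLES = {
    "invoice.xlsm": "[ZoneTransfer]\r\nZoneId=3\r\n"
                    "HostUrl=https://files.example.test/invoice.xlsm\r\n",
    "budget.xlsm": None,                            # created locally, no mark
    "notes.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",  # marked, but not macro-capable
    "report.docm": "[ZoneTransfer]\r\nZoneId=1\r\n",  # Local Intranet zone
    "broken.doc": "ZoneId=3\r\n",                   # malformed: no section header
}

def parse_motw(stream_text):
    """Return the [ZoneTransfer] fields of a Zone.Identifier stream, or None."""
    if not stream_text:
        return None
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (ZoneId, HostUrl)
    try:
        cp.read_string(stream_text.lstrip("\ufeff"))
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    fields = dict(cp["ZoneTransfer"])
    try:
        fields["ZoneId"] = int(fields.get("ZoneId", ""))
    except ValueError:
        return None
    return fields

def internet_marked_macro_file(filename, stream_text):
    """True for a macro-capable file marked ZoneId 3 (Internet) or 4 (Restricted)."""
    if PurePath(filename).suffix.lower() not in MACRO_CAPABLE:
        return False
    motw = parse_motw(stream_text)
    return motw is not None and motw["ZoneId"] >= 3

def triage(samples):
    """Names of files whose macros the MOTW-based block would apply to."""
    return sorted(n for n, s in samples.items() if internet_marked_macro_file(n, s))

if __name__ == "__main__":
    print(triage(SAMPLES))
```

On an NTFS volume the stream text can be read by opening `<path>:Zone.Identifier` as a file and passing its contents to `parse_motw`.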
The Bad
Once again, a government agency was the target of a major cyberattack. Unidentified adversaries attacked the U.K. Foreign Office, in what is suspected to be a cyberespionage campaign. In a new revelation, the BlackCat ransomware group claimed to be former members of the now-defunct DarkSide gang. However, the elephant in the room is this APT group that remained hidden for a decade. Named ModifiedElephant, researchers have finally shed light on its operations.
More than 500 online stores running the outdated Magento 1 platform were compromised in a large-scale digital skimming attack. Researchers indicate that nearly 19 backdoors were deployed on compromised systems. All of these websites were compromised by exploiting a known vulnerability in the Quickview plugin.
Threat actors are using a Windows living-off-the-land binary (LOLBin) known as Regsvr32 to drop trojans like Lokibot and Qbot. The tactic allows attackers to bypass application whitelisting during the execution phase of the attack.
The U.K. Foreign Office was the target of a serious cybersecurity incident. According to media reports, attackers infiltrated Foreign, Commonwealth and Development Office (FCDO) systems. Few details were available about the attack, and BAE Systems Applied Intelligence was called in for urgent remediation.
Threat actors are using fake Windows 11 upgrade installers to trick users into downloading the RedLine stealer malware. The malware is currently being used to pilfer passwords, browser cookies, credit card details, and cryptocurrency wallet information. According to researchers, the attackers are using a seemingly legitimate ‘windows-upgraded.com’ domain for the malware distribution as part of their campaign.
Data of over 6,000 Puma employees was stolen following a ransomware attack in December 2021 that hit HR management platform Ultimate Kronos Group (UKG). The theft of the data was confirmed by Kronos on January 7. In its notification, Kronos said that the attackers had accessed its cloud-based environment before deploying the ransomware.
The blockchain infrastructures of Meter and Moonriver networks were hacked, allowing attackers to steal $4.4 million in ETH and BTC. The attackers had exploited a feature that automatically wrapped and unwrapped gas tokens to pilfer the funds.
The BlackCat ransomware gang has confirmed that they are former members of the notorious BlackMatter/DarkSide ransomware gang. Discovered in November 2021, the ransomware is written in the Rust language. It uses different encryption methods to encrypt files across a wide range of corporate environments.
CyberNews researchers uncovered five clones of The Pirate Bay, erected by scammers to serve malicious ads. The malvertising campaigns were impacting more than 7 million online users per month.
The Memorial Hermann Health System is notifying patients about a cyberattack that impacted their PHI. According to the health system, the incident has affected the information of 6,260 patients. The affected information includes first names, last names, dates of birth, driver’s license numbers, and health insurance information of individuals.
A cyberattack disrupted the operations of Pop TV, Slovenia’s most popular TV channel. The attack took place on February 09, following which the employees were prevented from adding new content to the platform.
Data belonging to the Ohlone Community College District (OCDD) network in Fremont, California, has been compromised in a sophisticated cyberattack. This includes Social Security Numbers, dates of birth, driver’s license numbers, medical information, and bank account details of individuals.
Data stolen from accounting conglomerate Optionis Group by the Vice Society ransomware group has surfaced on the dark web. A report suggests that the exposed data includes spreadsheets for management accounts, timesheets for contractors, as well as letters associated with HM Revenue and Customs.
Detailing the tactics of the ModifiedElephant APT, researchers revealed that the attackers have relied on spear-phishing emails with malicious attachments for over a decade to launch cyberespionage campaigns. On multiple occasions, the attached documents included exploits for CVE-2012-0158, CVE-2013-3906, CVE-2014-1761, and CVE-2015-1641. The emails were used to push keyloggers, remote access trojans like NetWire and DarkComet, and even Android malware.
New Threats
Coming to other new developments in the threat landscape this week, Medusa and Flubot have joined hands and their infection rates are drastically rising. The Out to Sea campaign, conducted by OilRig APT, has been going on for quite some time now. It shows no signs of drowning as a new backdoor—Marlin—has been introduced. Molerats has been slithering around with a new campaign and a previously undocumented implant, NimbleMamba. It has already dug its fangs into Middle Eastern entities.