Cyware Weekly Threat Intelligence - February 28–04

Weekly Threat Briefing • March 4, 2022
The Good
There is a lot going on in the world right now, but we also have some good things to look forward to. A group of MIT researchers took a big step toward securing sensitive data. They fabricated an IC chip that protects against power side-channel attacks and is tiny enough to fit inside a smartwatch, tablet, or smartphone. Meanwhile, MITRE launched the Engage framework to help defenders conduct cyber adversary engagement, deception, and denial activities.
The Bad
Attacks against Ukrainian entities are getting worse. The week witnessed multiple attacks; notable among them are a massive attack wave against Ukrainian academic institutions and a DDoS attack using DanaBot against the Ukrainian Ministry of Defense. In other news, two ransomware gangs, Karma and Conti, targeted the same healthcare provider in back-to-back attacks.
New Threats
TeaBot is back in business and in the news. Its operators released a newer version that is, once again, propagated via apps on the Google Play Store. Attacks against Ukrainian entities saw two new malware families in separate attacks: HermeticRansom and IsaacWiper. Staying on the topic of malware, Microsoft unveiled FoxBlade, another new malware that was used to perform DDoS attacks against Ukraine.
A new version of TeaBot is now targeting over 400 applications, including banks, crypto exchanges, and digital insurance services. The attacks, driven via spam text messages, target users in Russia, Hong Kong, and the U.S.
Researchers have demystified a newly found Golang ransomware dubbed HermeticRansom. Also known as PartyTicket, the ransomware encrypts specific files and appends the .encryptedJB extension to them. It uses AES and RSA-OAEP to encrypt files and later drops an HTML ransom note on the victim’s desktop.
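The two filesystem indicators the briefing gives for HermeticRansom (the .encryptedJB extension on encrypted files and an HTML ransom note dropped on the desktop) are enough to build a simple triage pass over a host. The script below is an added example written for this briefing, not tooling from Cyware or the researchers cited; the ransom note's file name is not stated in the briefing, so any .html/.htm file found in a directory named Desktop is treated as a candidate note (an assumption made here), and the sample paths are constructed.

```python
"""Triage helper for HermeticRansom (PartyTicket) filesystem indicators.

Indicators taken from the briefing:
  * encrypted files carry the .encryptedJB extension
  * an HTML ransom note is dropped on the victim's desktop (name not given)

Added example, not vendor or researcher tooling. The note-name assumption
(any .html/.htm directly inside a 'Desktop' directory) is ours.
"""
import os
from collections import defaultdict
from typing import Dict, Iterable, List

ENCRYPTED_EXT = ".encryptedjb"      # matched case-insensitively
NOTE_EXTS = (".html", ".htm")       # briefing: "HTML ransom note"; file name assumed unknown
DESKTOP_DIR = "desktop"             # assumption: note lands in a directory named Desktop


def classify_paths(paths: Iterable[str]) -> Dict[str, object]:
    """Bucket file paths into HermeticRansom indicators.

    Returns:
      {"encrypted": {directory: [file names with .encryptedJB]},
       "desktop_notes": [full paths of HTML files sitting in a Desktop dir]}
    Directories without encrypted files are omitted from "encrypted".
    """
    encrypted: Dict[str, List[str]] = defaultdict(list)
    desktop_notes: List[str] = []
    for p in paths:
        directory, name = os.path.split(p)
        lower = name.lower()
        if lower.endswith(ENCRYPTED_EXT):
            encrypted[directory].append(name)
        elif lower.endswith(NOTE_EXTS) and os.path.basename(directory).lower() == DESKTOP_DIR:
            desktop_notes.append(p)
    return {"encrypted": dict(encrypted), "desktop_notes": desktop_notes}


def summarize(findings: Dict[str, object]) -> Dict[str, int]:
    """Roll the classification up into counts an analyst can act on."""
    enc = findings["encrypted"]
    return {
        "dirs_hit": len(enc),
        "encrypted_files": sum(len(v) for v in enc.values()),
        "desktop_notes": len(findings["desktop_notes"]),
    }


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a real directory tree and classify every regular file under it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return classify_paths(paths)


# Constructed sample paths standing in for a walked host; not real data.
SAMPLE_PATHS = [
    "/home/alice/Documents/report.docx.encryptedJB",
    "/home/alice/Documents/budget.xlsx.encryptedJB",
    "/home/alice/Desktop/read_me.html",
    "/home/alice/Desktop/photo.jpg.encryptedJB",
    "/home/alice/Pictures/cat.png",
    "/var/www/html/index.html",   # ordinary web page, must not be flagged as a note
]

if __name__ == "__main__":
    findings = classify_paths(SAMPLE_PATHS)
    for directory, names in sorted(findings["encrypted"].items()):
        print(f"{directory}: {len(names)} encrypted file(s)")
    for note in findings["desktop_notes"]:
        print(f"candidate ransom note: {note}")
    print(summarize(findings))
```

Run it against a live mount with `scan_tree("/path/to/mounted/image")`; the extension check is the reliable indicator, while the desktop-HTML check is deliberately narrow so that ordinary web content elsewhere on disk is not reported.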
ESET researchers uncovered a third new data wiper malware, dubbed IsaacWiper, that was used against hundreds of machines located in Ukraine. According to the researchers, the malware has been active since February 24 and includes both a wiper and a worm component that spreads HermeticWiper across local networks.
Researchers detected a series of new TCP reflection/amplification attacks that leverage a new technique to knock websites offline. The amplification attack abuses vulnerable middleboxes, such as firewalls, over TCP to magnify denial-of-service attacks. Middlebox devices from vendors including Cisco, Fortinet, SonicWall, and Palo Alto Networks are vulnerable to this new attack method.
A new stealthy backdoor named Daxin has been associated with a China-based hacking group. The malware is designed to give an attacker low-level root privileges on a compromised system. The malware was last used in November 2021 to target critical infrastructure in multiple countries.
Microsoft revealed that a new malware, dubbed FoxBlade, was used on several networks based in Eastern Europe. The malware was also used in destructive attacks against Ukraine right before the Russian invasion. It is capable of launching DDoS attacks on systems.
A new version of an info-stealing malware called Jester Stealer has been active since January. The new version, tracked as 1.7.1.0, is available for sale on underground cybercrime forums. Jester Stealer can pilfer data from web browsers, email clients, crypto wallets, and password managers.
The Iran-linked UNC3313 threat actor group was found deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE. These backdoors were used in an attack against an unnamed government entity in the Middle East in November 2021.