
Cyware Weekly Threat Intelligence - January 01–05


Weekly Threat Briefing Jan 5, 2024

The Good

A big relief for Black Basta victims. Researchers have unveiled the Black Basta Buster decryptor tool that decrypts files between 5000 bytes and 1GB. In another vein, the FTC is running a contest that is aimed at protecting users from AI-enabled voice cloning threats.

  • SRLabs released a decryptor to help Black Basta ransomware victims restore their files for free. The firm found a weakness in the ransomware’s encryption routine that allows recovery of the ChaCha keystream used to XOR-encrypt a victim’s file. The decryptor can fully recover files between 5000 bytes and 1GB. Using the decryptor, Black Basta victims from November 2022 to December 2023 could potentially recover their files for free.

  • The Finnish Security Intelligence Service (Suojelupoliisi or Supo) reorganized its departments, from nine to eight, to enhance information gathering amidst rising cybersecurity concerns. The agency, responsible for foreign intelligence and domestic counterintelligence, anticipates a shift toward cyberespionage by Russia. The development highlights the growing importance of cybersecurity in the face of geopolitical tensions and potential cyber threats.

  • The FTC is seeking submissions for a contest that aims at encouraging the development of technologies and policies to protect consumers from the malicious use of AI-enabled cloning voice technology. The contest is part of an effort to monitor and stop scammers from exploiting voice cloning technology.

The Bad

Massive data breaches rocked the healthcare sector as Fallon Ambulance Services and HealthEC disclosed that nearly one million and 4.5 million patients were impacted in separate incidents, respectively. Cross Switch, a payment gateway platform, also found itself in the soup after 3.6 million records were exposed online. Meanwhile, Gallery Systems reported an attack impacting around 800 museums.

  • The MyEstatePoint Property Search app had left a publicly accessible MongoDB server containing the sensitive details of nearly half a million of its users. The exposed instances contained details such as names, email addresses, plain-text passwords, and mobile phone numbers of users.

  • San Francisco-based Orrick, Herrington & Sutcliffe law firm fell victim to a data leak incident that exposed the health information of more than 637,000 users. The incident occurred in February 2023 and the type of stolen data includes names, dates of birth, email addresses, and government-issued identification numbers of users.

  • Orbit Chain lost $86 million in Ether, Dai, Tether, and USD Coin in a security breach. Although the identity and origin of the attackers are yet to be determined, it is believed to be the work of state-sponsored attackers based out of North Korea. The blockchain platform is working with South Korean police authorities to track the stolen funds and has warned users to be wary of phishing sites pretending to be connected with their wallets.

  • According to a breach notification, Fallon Ambulance Services disclosed that around 911,757 individuals nationwide, including 20,486 Maine residents, were affected by a ransomware attack between February and April 2023. The exposed data includes names, driver’s license numbers, and other identification numbers. The now-defunct ambulance service was a subsidiary of Transformative Healthcare.

  • A ransomware attack on Gallery Systems, a museum software solutions provider, impacted 800 museums, including MoMA, Met, the Chrysler Museum of Art, MoPOP in Seattle, the Barnes Foundation, and the Crystal Bridges Museum of American Art. The incident has also impacted its online public viewing platform called eMuseum, commonly used by museums and colleges to create searchable online collections. The firm has notified law enforcement authorities and is conducting an internal investigation and working to restore the impacted systems.

  • A threat actor under the moniker IntelBroker reportedly stole and leaked the personal information of 3.6 million users of Cross Switch, a leading online payment gateway management platform in Africa. This included details such as full names, email addresses, phone numbers, messages, banking information, and dates of birth of users.

  • Xerox confirmed that its subsidiary XBS is dealing with a security incident that involves the theft of personal information. This comes days after a ransomware group named INC Ransom claimed responsibility for the attack. Meanwhile, the incident had no impact on XBS operations or Xerox’s corporate systems, operations, and data.

  • A hacker group, identified as ‘irleaks’, claimed to have stolen more than 3TB of data associated with Snappfood, an online food delivery service in Iran. This includes 130 million records containing details of over 20 million customers, data from 180 million devices, information of 35,000 bikers, and records of 240,000 vendors. The company has acknowledged the breach and is actively working to identify the source.

  • TuneFab converter exposed over 151 million users' private data due to a misconfiguration on MongoDB. The leaked data included sensitive information such as IP addresses, user IDs, emails, and device information. The leak was discovered and fixed within 24 hours, but the company has not yet commented on the matter.

  • The Cactus ransomware group claimed to have hacked Coop, a major retail and grocery provider in Sweden, and threatened to release over 21,000 directories of personal information. Coop had previously been affected by a supply chain ransomware attack in July 2021, which was traced back to its software provider Visma.

  • Private freight shipper Estes Express Lines notified over 20,000 customers that their personal information, including names and SSNs, was stolen in a cyberattack. The company discovered unauthorized access to its IT network and ransomware deployment but chose not to pay the ransom. The LockBit ransomware crew later claimed responsibility and leaked stolen data.

  • Google Cloud subsidiary Mandiant had its X (Twitter) account compromised for more than six hours in a cryptocurrency scam. It’s currently unclear how the account was breached but the hacked Mandiant account was renamed as ‘@phantomsolw’ to impersonate the Phantom crypto wallet service. Scammers advertised an airdrop scam, created counterfeit websites, and urged users to click on a bogus link and earn free tokens, with a follow-up message to ‘change password please’ and ‘check bookmarks when you get account back.’

  • CloudSEK researchers revealed a surge in dark web activity targeting X’s (previously known as Twitter) Gold accounts, introduced in December 2022. Cybercriminals are actively selling compromised Gold accounts on the dark web to launch scams and disinformation campaigns. The compromise methods include brute-forcing passwords and malware.

  • Russian hackers from the Solntsepek group, believed to be linked to the Sandworm APT group, wiped 10,000 computers and thousands of servers associated with Kyivstar’s network. Following the incident, mobile and data services went down, leaving around 25 million mobile and home internet subscribers without an internet connection.

  • A data breach at HealthEC impacted close to 4.5 million individuals who received care through one of the company’s customers. The breach occurred between July 14 and 23, 2023, when attackers gained unauthorized access to some of its systems and stole sensitive data. This includes names, dates of birth, SSNs, taxpayer identification numbers, and medical record numbers.

New Threats

The new Terrapin attack posed a massive threat worldwide as new research revealed that nearly 11 million SSH servers remain unpatched. In other updates, threat actors were found expanding their evasion tactics to deploy AsyncRAT and Remcos RAT onto victims’ systems.

  • CISA added two flaws, CVE-2023-7024 and CVE-2023-7101, affecting Google Chrome and the Spreadsheet::ParseExcel library, respectively, to its KEV catalog, indicating their active exploitation in the wild. The flaw impacting the Spreadsheet::ParseExcel library can lead to remote code execution and affects versions of the library before 0.65. The flaw affecting the Chrome web browser is a heap buffer overflow issue in WebRTC.

  • FortiGuard identified three malicious PyPI packages that deploy a CoinMiner executable on Linux devices. These packages, named modularseven-1.0, driftme-1.0, and catme-1.0, were created by an author known as "sastra" and bear similarities to the previously discovered "culturestreak" package. The attack methodology involves concealing the payload, downloading a configuration file and the CoinMiner executable from remote URLs, and executing them in the background.

  • A recent report by Shadowserver warned that nearly 11 million SSH servers on the public web are vulnerable to Terrapin attacks. A majority of vulnerable systems were found in the U.S., followed by China, Germany, Russia, Singapore, and Japan. To successfully execute the Terrapin attack, attackers must be in a position where they can intercept and modify the handshake exchange, also known as an adversary-in-the-middle position.

  • A threat actor tracked as UAC-0050 was found deploying the Remcos RAT against government agencies in Ukraine. The infection chain leveraged a rare data transfer tactic that allowed threat actors to efficiently transfer malicious data to victims’ systems while avoiding detection. While the exact initial access vector is unknown, it’s suspected to involve phishing emails pretending to advertise consultancy roles with the Israel Defense Forces. Once deployed, Remcos RAT exfiltrates system and user information.

  • AT&T Alien Labs identified a new campaign to deliver AsyncRAT onto unsuspecting victim systems. As part of the evasion tactic, the attackers used JavaScript files embedded in a phishing page and a domain generation algorithm to register new phishing domains. Some of the identified targets were in the U.S.

  • Security researchers have uncovered SpectralBlur, a new macOS backdoor linked to the North Korean malware family KandyKorn. The sample, which is believed to be the work of the Lazarus group, was uploaded to VirusTotal in August 2023 but went undetected until recently. The malware’s capabilities include file operations, shell execution, and communication with a command-and-control server using RC4-encrypted sockets.
