We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence - January 03–07

Cyware Weekly Threat Intelligence - January 03–07 - Featured Image

Weekly Threat Briefing Jan 7, 2022

The Good

Let us welcome you to the first weekly threat briefing of the year. The week started with the display of a new technique by a group of academics from UCSB to detect and mitigate inconsistencies in smart contracts. We are quite aware of the dire situation of the healthcare sector when it comes to ransomware threats. Therefore, the HSCA trade group published two guides that would help healthcare providers and manufacturers ensure patient safety.

  • The Healthcare Supply Chain Association (HSCA) rolled out two guides that discuss privacy and cybersecurity in medical devices. The guides are aimed at healthcare delivery organizations and manufacturers. They would encourage providers and manufacturers to ensure patient privacy and safety and contain recommendations for medical terms and conditions.

  • Researchers from the University of California, Santa Barbara, (UCSB) developed a scalable technique to scrutinize smart contracts and remove state-inconsistency vulnerabilities. The process assisted them in identifying 47 zero-day bugs in the Ethereum blockchain. Dubbed Sailfish, the technique audits the smart contract’s source pre-deployment and delivers a bug-free contract as smart contracts are not readily upgradable.

  • The DHS and DOT received a letter from various U.S. senators requesting details about the nation’s transportation infrastructure cybersecurity. The letter seeks information on the steps taken by the DHS and DOT to meet their six responsibilities as per the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021.

The Bad

Platforms for online collaboration and productivity have become an innate part of the lives of most professionals in recent times. Now, cybercriminals were found exploiting Google Docs to deliver malicious phishing websites to users through a quite innovative method that leverages the Comment feature. A New Mexico County government fell prey to a ransomware attack, resulting in the shutdown of public offices in three major cities. It was not very sunny in the healthcare sector as the Broward Health hospital system underwent a huge data breach incident.

  • An AWS S3 bucket leak affected the sensitive data—API keys, user data, internal messaging systems, and cloud systems—of gaming giant SEGA. in addition to this, other leaked data include multiple sets of AWS keys providing access to all of SEGA Europe’s cloud systems, MailChimp and Steam API keys, and hundreds of thousands of the Football Managers forum members’ data.

  • A ransomware attack crippled the IT network of the Bernalillo County government in New Mexico, resulting in the shutdown of government buildings and public offices across Albuquerque, Los Ranchos, and Tijeras. The name of the ransomware remains unknown and the attack has severed county employees from accessing local government databases, making it impossible to work with the public.

  • A report by New York’s OAG states that around 17 well-known online retailers, restaurant chains, and food delivery services were targeted in credential stuffing attacks over the past several months. The OAG confirmed the attacks after investigating thousands of posts containing credentials of more than 1.1 million customer accounts.

  • A wave of phishing attacks identified in December was found targeting Outlook users by exploiting a flaw in Google Docs’ Comments feature. This enabled the attackers to send malicious links to more than 500 inboxes across 30 tenants, while the attackers used over 100 different Gmail accounts.

  • Nearly 70 investors fell victim to a long-running internet-based fraud operation that tricked them with various investment opportunities. The victims were directed to 150 different fraudulent sites as a part of the scam carried out by a cybercriminal posing as FINRA broker-dealers. The scam went on for eight long years and the attackers gained over $50 million from the investors.

  • Researchers decoded the modus operandi of a malicious hacking group Elephant Beetle that has been active in several organized financial-theft operations for at least four years. The attackers targeted organizations in the retail and banking sector to steal funds by diverting transactions. The threat actor leverages an arsenal of 80 novel tools and scripts.

  • The Broward Health hospital system notified more than 1.3 million patients and staff members about a data breach that affected their personal data. The incident took place in October 2021 and the compromised data included names, addresses, phone numbers, social security numbers, and bank account information of individuals.

  • Russian embassy diplomats were targeted by a cyberespionage campaign linked to the Konni threat group, over the New Year holiday. The campaign was active since December 20, 2021, and propagated via phishing emails that used the New Year Eve 2022 festivity as a decoy theme.

  • More than 100 real estate websites belonging to Sotheby’s were infected with web skimmer malware via the Brightcove cloud video platform. The skimmer was designed to gather users’ personal information and credit card details. The threat actors appended the skimmer scripts in a video.

  • Finalsite, a U.S.-based digital marketing and communications solutions provider to schools, suffered a ransomware attack resulting in thousands of school websites going offline. Around 8,000 schools across 110 countries are claimed to use services provided by the company. However, no evidence of data theft has yet been found.

**New Threats **

It is time to pay closer attention to iPhone security as a new attack technique, dubbed NoReboot, was revealed that enables attackers to fake a restart on your iPhone, impeding the deletion of the malware from your device. New year, new scams. This week, a scam was found targeting Austin inhabitants, leveraging fake QR codes at public parking meters. A new Zloader campaign was also observed exploiting Microsoft’s Signature Verification.

  • The newly discovered Lapsus$ ransomware gang is currently extorting the Portuguese media group, Impresa. The ransomware made its first appearance in December 2021, with an attack on Brazil’s Ministry of Health. The latest attack on Impresa has affected the company’s online information technology server infrastructure, including the websites for SIC and Expresso.
  • A new email phishing campaign was found tricking users with a fake McAfee antivirus subscription. The email appeared to come from McAfee and notified recipients about an expired subscription. The lure aimed to create a sense of urgency by offering the users a huge discount on a new subscription for a limited period of time.
  • Austin citizens are being targeted in a scam that leverages fake QR codes placed at public parking meters to siphon financial information from users. The police are urging people to be cautious of such scams and look out for any tampering on the parking meter while making a payment.
  • A threat actor named MalSmoke was found exploiting Microsoft’s digital signature verification method to deploy Zloader malware. Active since November 2021, the campaign has affected thousands of victims from 111 countries and is being used to steal user credentials. The attackers used legitimate Remote Management software named Atera to gain initial access to the target machine.
  • A new, critical, JNDI-based security flaw impacting H2 database consoles has been identified. Tracked as CVE-2021-42392, it is related to remote code execution similar to the Log4Shell vulnerability. It affects h2 database versions 1.1.100 to 2.0.204 and has been patched in version 2.0.206.
  • A new ransomware, dubbed Night Sky, has been targeting corporate networks and exfiltrating data, with double extortion tactics. The attack started on December 27, 2021, and the group has already published the data of two victims.
  • Researchers demonstrated a new PoC that fakes reboot of iPhones to stop malware from being removed from the device. Named NoReboot, the PoC enables threat actors to collect sensitive information and snoop on microphones. It is a persistence tactic that interrupts the normal rebooting process to delete malicious activity from memory.

Related Threat Briefings