Cyware Weekly Threat Intelligence - January 17–21

Weekly Threat Briefing Jan 21, 2022

The Good

We have a bunch of good news this week to pair with your morning coffee. Governments across the world are relentlessly working on improving the cybersecurity postures of their nations. In one such development, the U.S. NSA has now gained greater authority to defend national security systems. Along the same lines, the U.K.'s NCSC issued guidance for companies to make it easier for their customers to differentiate between phishing and legitimate texts or calls.

  • In the wake of proliferating SMS-phishing scams targeting bank customers, the Singapore Police, the Monetary Authority of Singapore (MAS), and the Association of Banks in Singapore (ABS) announced measures to further secure digital banking. Banks are expected to work in tandem with MAS, the police, and the Infocomm Media Development Authority to tackle the constant barrage of scams.

  • The Nigerian Police Force, along with INTERPOL, detained 11 members of the SilverTerrier group, which has successfully pulled off more than 50,000 BEC scams worldwide.

  • The NCSC issued guidelines for organizations to follow while communicating with customers via phone calls or texts. The guidance aims to make it harder for scammers to trick the public by making it easier to distinguish between fraudulent and legitimate communications.

  • The European Union kicked off a six-week cyber exercise to test its cyber-defense responsiveness by simulating an attack on a fictitious Finnish power company.

  • The Pennsylvania Senate passed two bills aimed at controlling cybersecurity breaches. One requires the state to form a strategy to prevent and mitigate ransomware attacks; the other mandates that state agencies, local government agencies, and school districts inform victims within seven days of identifying a breach incident.

  • Russia’s FSB claimed to have arrested 14 members belonging to the infamous REvil ransomware group. It has also seized around $5.5 million and a few premium cars.

  • NATO entered an agreement with Ukraine to bolster cyber cooperation, including providing Ukraine access to NATO’s malware information sharing platform. The agreement would also enable NATO to collaborate with Ukraine in modernizing the latter’s IT and communications services while identifying domains where personnel training is required.

  • The White House published a memo that grants the NSA greater authority to protect national security systems. The memo also enables the agency to issue emergency and binding directives to take discrete action against emerging cyber risks and threats.

The Bad

Why do threat actors decide to attack humanitarian agencies and services? We do not have a proper answer yet. The Red Cross became the victim of such an unfortunate attack that resulted in the theft of the personal information of hundreds of thousands of people. This week was rife with state-backed threat activity as the UNC1151 group defaced more than 70 Ukrainian government websites. A cyberespionage campaign was revealed targeting ICS vendors, universities, and other organizations related to renewable energy. The campaign began in 2019 and is still ongoing.

  • The International Committee of the Red Cross (ICRC) was hit by an advanced cyberattack that compromised the personal data of over 515,000 highly vulnerable people. The data came from at least 60 Red Cross and Red Crescent National Societies located across the world. ICRC stated that the data stolen has not been leaked yet; the perpetrator remains unidentified.

  • Marketing giant RR Donnelley (RRD) suffered a Conti ransomware attack that disrupted its IT systems, leaving its customers unable to receive printed documents required for vendor payments, disbursement checks, and motor vehicle documentation. The attackers claimed responsibility and leaked 2.5GB of the stolen data.

  • The reclusive Earth Lusca threat actor, reportedly linked to the Winnti group, was found targeting organizations worldwide for financial benefits. The list of victims includes governmental and educational institutions in Hong Kong, COVID-19 research organizations, and the media, among others. It mainly conducts spear-phishing and watering hole attacks.

  • A large-scale cyberespionage campaign, active since at least 2019, is targeting renewable energy and industrial technology organizations. Threat actors behind the campaign used legitimate websites, DNS scans, and public sandbox submissions to steal login credentials of the employees. The targeted organizations include Schneider Electric, Honeywell, Huawei, Telekom Romania, University of Wisconsin, Utah State University, and Taiwan Forestry Research Institute, among others.

  • Non-profit organization Goodwill notified its users about a security breach that affected their personal information. The cybercriminals gained unauthorized access by exploiting a vulnerability in the website. The compromised information includes full names, email addresses, phone numbers, and mailing addresses.

  • Dozens of Ukrainian government websites were defaced by the APT group UNC1151. The defaced websites were displayed with messages written in Russian, Ukrainian, and Polish languages. The campaign abused compromised Content Management Systems (CMS) to disseminate fake news.

  • Citizen Lab unearthed critical flaws in MY2022, the official app for the Beijing 2022 Winter Olympics. The flaws can allow attackers to sidestep encryption for users’ audio and file transfers. In addition, health customs forms containing users’ passport details, travel and medical history, and demographic details are at risk.

  • The central bank of the Republic of Indonesia confirmed sustaining a ransomware attack that disrupted its operations. Experts suspect that the attack was conducted by Conti, although Bank Indonesia did not confirm it. The bank claimed that the attack did not compromise any sensitive data or public services.

New Threats

QNAP NAS devices are once again under attack by the QLocker ransomware in a new campaign. More Ukrainian organizations are under attack by new malware, dubbed WhisperGate, that pretends to be ransomware but is in reality a data wiper. The week also brought us a new cryptocurrency scam that abuses the Amazon brand to trick potential investors into giving up their money.

  • MoonBounce, a new firmware bootkit, has been found active in the wild. The bootkit is being used by the APT41 threat actor group in targeted attacks. It hides in a computer’s Unified Extensible Firmware Interface (UEFI) firmware, making it hard for proprietary security products to spot.
  • Researchers tracked a new ransomware family, named White Rabbit, that targeted a local U.S. bank in December 2021. The new malware borrows some of its features from Egregor ransomware and researchers suspect a connection to the FIN8 APT gang. The ransomware uses a double extortion strategy to threaten its victims.
  • A new variant of SFile ransomware was spotted targeting Linux systems worldwide. The ransomware variant uses RSA and AES algorithms to encrypt files. One of the strains had targeted the FreeBSD platform in an attack against a partially state-owned company in China.
  • A new wave of Qlocker ransomware campaigns has been found targeting QNAP NAS devices worldwide since January 6. After encrypting files, it drops ransom notes titled !!!READ_ME.txt on infected devices. The victims are prompted to visit a Tor site for more information on how to make the payment to regain access to their files.
  • Microsoft shared details about new destructive malware attacks targeting multiple organizations in Ukraine. Researchers identified a new malware dubbed WhisperGate that destroys victims’ information by first overwriting the disk's Master Boot Record (MBR) and then displaying a fake ransom note.
  • Bitdefender found a new crypto-malware, dubbed BHUNT, that can steal from multiple cryptocurrency wallets, while also extracting passwords saved in browsers and data from the clipboard. It uses encrypted configuration scripts downloaded from open Pastebin pages and is also capable of stealing cookies and other sensitive data stored in Firefox and Chrome browsers.
  • The INKY team spotted a new phishing campaign aimed at stealing credentials of aspiring vendors by inviting them to bid on multiple fake projects with the U.S. Department of Labor (DoL). The phishing emails claimed to be from a senior DoL employee inviting victims to submit bids for ongoing government projects.
  • A new crypto scam is exploiting the Amazon brand to lure potential investors into handing over Bitcoins. The campaign posted fake social media news in cryptocurrency-related groups. Clicking on the post redirected victims to a fake CNBC Decoded website that had an article about a soon-to-be-released Amazon crypto token. Another lure includes a fake referral program that offers rewards if users refer others. The majority of the victims are located in the Americas and Asia.