We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence, July 04 - 08, 2022

Cyware Weekly Threat Intelligence,  July 04 - 08, 2022 - Featured Image

Weekly Threat Briefing Jul 8, 2022

The Good

In a new stride taken toward protecting cryptographic security protocols from quantum computing-powered cyberattacks, the NIST has reportedly added four new encryption algorithms that will be used for protecting digital signatures and access to websites. In a big relief, victims infected by AstraLocker and Yashma ransomware will now be able to decrypt files without paying any ransom.

  • NIST has selected four encryption algorithms—CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+—that will withstand attacks from quantum computers. While CRYSTALS-Kyber will be used for access to websites, the other three are to protect digital signatures.

  • Emsisoft has released a free decryption tool for victims affected by AstraLocker and Yashma ransomware. The tool will also work for those victim systems that have been compromised via Windows Remote Desktop Protocol.

  • The FBI will launch a cybersecurity awareness campaign in North Carolina. The campaign will run through the month of September and aims at educating private and public sector organizations about the growing threat of cyberattacks.

The Bad

Moving on to the bad, data breach incidents exposing users and other sensitive information have put multiple firms like Marriott International, Eye Care Leaders, and American Marriage Ministries under the scanner of federal authorities. Meanwhile, Crema Finance became the latest victim of a DeFi hack, enabling hackers to steal $8.78 million worth of cryptocurrencies.

  • American Marriage Ministries (AMM) disclosed a data breach incident that affected the data of about 185,000 officiants and 15,000 married couples as well as their wedding guests. This occurred due to an unsecured Amazon bucket that contained around 630 GB of data.

  • Military entities located in Bangladesh remain a primary target of the Bitter APT group, SECUINFRA has reported. The attacks are launched using malicious Office document files.

  • Solana-based liquidity protocol Crema Finance lost more than $8.78 million worth of cryptocurrencies after hackers attacked the platform. The attackers used the infamous flash loan trick to manipulate the prices of assets before stealing the assets.

  • The Marriott hotel chain has suffered another data breach incident that allowed attackers to exfiltrate around 20GB of data, including customer credit card details. Threat actors used social engineering to trick an employee into providing access to the computer.

  • Threat actors impersonated the Ministry of Human Resources of the UAE government to target individuals and businesses in the Middle East in a large-scale phishing attack. They had created fake domains and websites to defraud users.

  • A data breach at Eye Care Leaders affected 92,361 patients’ data belonging to Missouri-based Mattax Neu Prater Eye Center. The adversary gained unauthorized access to the system and deleted system configuration files and databases.

  • TA578 group is leveraging fake copyright infringement complaints to target website owners to disseminate IcedID, BumbleBee, and BazarLoader malware. The campaign has been active for over a year.

  • A misconfigured Amazon S3 bucket resulted in the exposure of 3TB of airport data. The exposed information included employee PII and other sensitive company data, affecting at least four airports in Colombia and Peru.

  • In a new discovery, the notorious AsyncRAT was found infecting vulnerable MySQL servers. The malware was distributed via a crack program of commercial software hosted on malicious websites.

  • Websites, phone lines, and online services of College of the Desert were knocked out following a ransomware attack. While the college continues to experience a system-wide outage, it notes that programs such as Canvas, Adobe, and Microsoft Teams are still available to students.

New Threats

Software repositories and code samples are being actively abused to automate cyberattacks and this is evidenced by two cryptomining incidents that were observed this week. The week also witnessed an explosion in ransomware attacks across the globe as federal authorities and researchers release technical details and activities of Maui, HavanaCrypt, Hive, RedAlert, and AstraLocker ransomware. In a new twist, the infamous Conti group has also brought on board the TrickBot trojan to launch stealthy attacks against Ukrainians.

  • A new report by IBM X-Force revealed that TrickBot was deployed in at least six different malspam campaigns launched against users in Ukraine. Researchers highlighted that the attacks were carried out between April and June and were launched in collaboration with Wizard Spider, DEV-0193, and Conti ransomware groups.
  • Another new malware targeting the Linux operating system has surfaced this week. Named OrBit, the malware is primarily designed to drop malicious payloads. It implements advanced evasion capabilities to gain persistence on targeted machines.
  • Trend Micro identified over a thousand malicious repositories and more than 550 code samples that abused GitHub Actions to mine cryptocurrency in an automated attack. The attack involved threat actors forking a legitimate repository that has GitHub Actions enabled. This allowed them to inject malicious code into legitimate repositories.
  • In another incident, researchers attributed a large-scale cryptocurrency mining campaign that targeted over 1,200 NPM JavaScript packages to a threat actor named CuteBoi. This was done using automation which included the ability to pass the 2FA challenge. In another incident, more than two dozen NPM packages were found harvesting sensitive data from forms embedded in mobile applications and websites
  • QNAP has warned customers about a new Checkmate ransomware attack aimed at its NAS devices. The ransomware employs dictionary attacks to break accounts with weak passwords. It appends .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.
  • A new ransomware family, dubbed HavanaCrypt, makes use of a fake Google Software Update application to propagate across systems. Additionally, it relies on Microsoft web hosting service IP address to circumvent detection.
  • The operators of Hive ransomware have switched from Golang to Rust language in an attempt to enhance the encryption and evasion capabilities. The malware variant uses ‘string’ encryption that can make it more stealthy.
  • RedAlert is a new ransomware that encrypts both Windows and Linux VMWare ESXi servers. When encrypting files, the ransomware utilizes the NTRUEncrypt public-key algorithm.
  • The threat actor behind the lesser-known AstraLocker ransomware is planning to switch to cryptojacking attacks as it announced shutting down its current operation. As part of the shutdown, the operators have released decryption keys.
  • North Korean cyber actors have been found using Maui ransomware to target the healthcare sector, revealed a new advisory from the CISA. The sample is active since May 2021 and uses AES, RSA, and XOR algorithms to encrypt files.
  • VSingle, a malware used by Lazarus, has been updated to retrieve C2 server information from GitHub. It uses the ‘wget’ command to communicate with its C2 servers.
  • Researchers reported a new malware attack campaign that exploited the known Follina vulnerability to distribute a backdoor malware dubbed Rozena. The malware is capable of injecting a remote shell connection linking back to the attacker’s machine.

Related Threat Briefings