Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence - July 08–12

Cyware Weekly Threat Intelligence - July 08–12 - Featured Image

Weekly Threat Briefing Jul 13, 2019

The Good

With the weekend around the corner, let’s quickly glance through all that happened in the cyberspace over the week. Let’s first start with all the positive events, before getting into the security incidents and the new threats. Fujitsu Laboratories announced the development of a digital identity exchange technology that improves trust while validating a user. Mozilla is developing a new feature dubbed ‘Social Media Trackers’ to provide tracker protection for social sites. Meanwhile, Keysight Technologies announced a new automotive cybersecurity program that enables automotive security professionals to ensure the safety of their vehicles.

  • Fujitsu Laboratories has announced the development of a digital identity exchange technology that uses blockchain to enhance trust while validating a user. This technology enables individual users and service businesses involved in online transactions to confirm the identity of the other parties. The technology is developed based on Decentralized Identification (DID) system.

  • Mozilla is developing a new dedicated social tracking protection feature. The feature named ‘Social Media trackers’ will provide tracker protection for social sites. This feature is planned for the Firefox 70 release.

  • Keysight Technologies has announced a new automotive cybersecurity program that enables automotive security professionals at car manufacturers (OEM) and their suppliers to ensure the safety of their vehicles. This program provides proactive protection for car manufacturers against cyberattacks throughout the R&D and the production process.

  • The U.S. Navy has launched a competition dubbed the Artificial Intelligence Applications to Autonomous Cybersecurity Challenge (AI ATAC) for finding machine learning and AI solutions for real-world cybersecurity challenges. The competition awards $1.00,000 as the 1st prize and &50,000 as the 2nd prize.

The Bad

Several data breaches and security incidents were witnessed in this week. Magecart attackers grabbed the eyeballs with two different massive campaigns. First, the large-scale campaign that breached almost 962 e-commerce stores in just 24 hours. The second campaign witnessed Magecart attackers injecting card skimmer code on over 17,000 websites through misconfigured Amazon S3 buckets. Meanwhile, an unprotected MongoDB database exposed almost 188 million records of personal data sourced from Pipl and LexisNexis.

  • A large-scale Magecart campaign breached almost 962 e-commerce stores in just 24 hours, stealing customers’ payment card details including full credit card data, names, phone numbers, and addresses. The attackers inserted a customized Javascript on e-commerce sites, essentially inserting a fake credit card payment section.

  • The Maryland Department of Labor (Maryland DoL) suffered a data breach compromising the sensitive information of almost 78000 customers including their Social Security numbers. The customer information stored on the Literacy Works Information System and a legacy unemployment insurance service database were accessed by an unauthorized third party.

  • The GitHub account of Canonical, the company behind Ubuntu was compromised by hackers. In addition, they created 11 new GitHub repositories in the official Canonical account. However, the organization confirmed that there has been no evidence that any source code or sensitive information was impacted. The compromised account from Canonical in GitHub.

  • The American Land Title Association (ALTA) suffered a data breach compromising 600 company records belonging to title and non-title companies in a phishing campaign. The compromised data includes domain identification, IP addresses, usernames, and passwords. The land title association is planning to implement an information security program and response plan in order to protect the companies' data and systems from data theft and leaks.

  • The LaPorte County in Indiana suffered a malware attack that disabled the county’s computer systems and email services. The county has reported the matter to FBI and informed other law enforcement agencies about the attack. It is working with security experts to respond to such cyber attacks. The experts will also coordinate the county to repair the affected systems and improve the security to prevent such virus infection.

  • A misconfigured Elasticsearch cluster owned by the Public Security Department of Jiangsu Province, China, has leaked two databases containing over 90 million citizen and business records. The leaky databases contained almost 58,364,777 public records and 33,708,010 business records. Public information includes names, dates of birth, genders, identity card numbers, location coordinates, as well as city information. The business records included business IDs, business types, location coordinates, city_open_id, and memos designed to track the owner of the business.

  • A security researcher who came across 5,495 unprotected Jenkins instances, on Shodan found one server belonging to GE Aviation’s internal infrastructure. The exposed server contained source code, passwords, configuration details, and private keys. GE Aviation said that the exposed server was the result of a DNS misconfiguration. However, the exposed server has been secured.

  • Nemadji Research Corporation, a contractor of the Los Angeles County Department of Health Services fell victim to a phishing attack compromising the personal data of almost 14,591 patients. The exposed data includes patient names, addresses, dates of birth, medical record numbers and Medi-Cal identification numbers. Two patients’ also had their Social Security numbers exposed. However, County officials confirmed that there is no evidence that the patients were the target of any attacks or that any patient information had been misused.

  • Attackers breached the Internet Domain Registry of ICS-Forth impacting several .gr and .el domain owners whose domain names were stored in the compromised registry. Researchers determined that Sea Turtle hackers were responsible for the attack against ICS-Forth.

  • Magecart attackers have injected card skimming code on over 17000 domains with malicious JavaScript files through misconfigured Amazon S3 buckets. Some of the affected websites are also listed in Alexa’s top 2000 rankings. Researchers suggest that threat actors behind this campaign scanned for misconfigured Amazon S3 buckets and JavaScript files. Upon encountering these files, they downloaded them and appended the card-skimming code.

  • A Chinese recruitment firm named Zhilian Zhaopin reported that almost 160,000 resumes uploaded on its site have been stolen and traded on Taobao e-commerce website for 5 yuan (70 US cents) per resume. Two Zhilian staff were arrested for allegedly helping a person named Zheng to obtain corporate member accounts of Zhilian and gain access to user data.

  • An unprotected MongoDB database exposed almost 188 million records of personal data sourced from Pipl and LexisNexis. Almost 800,000 records originated from LexisNexis which included names, addresses, gender, parental status, a short biography, family members, redacted emails, and information about the individual’s neighbors including full names, dates of birth, reputation scores, and addresses.

  • Online education platform K12.com has exposed over seven million student records due to an outdated MongoDB database. The compromised data includes email addresses, names, gender, birth dates, school names, authentication keys for accessing ALS accounts and presentations, and other internal data.

**New Threats **

This week also witnessed the occurrence of several new malware strains and vulnerabilities. Trickbot trojan added a custom proxy module from IcedID. Researchers have uncovered a new malspam campaign that delivers Dridex trojan and RMS RAT. Another malspam campaign that delivers Astaroth malware through fileless execution was spotted in the wild. Meanwhile, Agent Smith malware infected almost 25 million Android devices.

  • Researchers uncovered a new ransomware strain dubbed ‘eCh0raix’ that targets QNAP Network Attached Storage (NAS) devices used for backups and file storage. This ransomware is written in Go language and is used to infect and encrypt documents on QNAP NAS devices. The QNAP NAP devices are compromised by brute-forcing weak credentials and exploiting known vulnerabilities. The impacted devices include QNAP TS-251, QNAP TS-451, QNAP TS-459 Pro II, and QNAP TS 253B.
  • Trickbot trojan deploys a custom proxy module from Bokbot, also known as IcedID. This module is derived from IcedID’s code for web injection attacks. This new Trickbot module is dropped separately as “shadnewDll” and comes with its own configuration file. This module acts as a local proxy server between the client and the online banking service and can include a fake template for the bank requested by the user to steal financial information.
  • Researchers uncovered a vulnerability in the firmware of some anesthesia machines from GE Healthcare that could allow an attacker to alter the level of anesthesia gas mixture. The vulnerability impacts GE Aestiva and GE Aespire anesthesia systems versions 7100 and 7900. The vulnerability allows adjusting the composition of the anesthetic gas mixture, suppressing alarms, changing the time and date on the system, and changing the barometric pressure.
  • A new campaign that delivers Astaroth malware through fileless execution has been spotted by Microsoft Defender ATP team. It was found that the campaign ran Astaroth directly in memory. The attackers relied on spear-phishing in order to spread this information-stealing malware. Furthermore, they leveraged the Windows Management Instrumentation Command-line (WMIC) tool to run scripts for fileless execution.
  • Anubis banking trojan which targets Android mobile users is back in a new campaign. Researchers have detected two servers containing 17,490 samples of Anubis trojans. These samples of Anubis are called AndroidOS_AnubisDropper. The two samples of Anubis trojan are labeled as ‘Operatör Güncellemesi’ and ‘Google Services.
  • Four new vulnerabilities have been detected in the Logitech wireless USB dongles that could allow an attacker to take over a computer with which the dongle is connected. The vulnerabilities impact all Logitech USB dongles that use the company’s “Unifying” 2.4 GHz radio technology to communicate with wireless devices such as keyboards, mice, presentation clickers, trackballs, and more.
  • A new variant of Win64/GoBot2 backdoor malware dubbed ‘GobotKR’ has found to be distributed via torrent sites. This malware targets Korean movies and TV show fans. GoBotKR is capable of collecting system information. This includes system configuration, OS version, CPU and GPU version, and a list of installed antivirus software. All the collected information is then sent to a C2 server handled by the attackers.
  • Researchers have uncovered a new malspam campaign that delivers Dridex banking trojan and RMS RAT via malicious Microsoft Word document attachments. The phishing emails include malicious ZIP archives containing XLS (Microsoft Excel) documents disguised as fake eFax messages. The malicious documents are embedded with a macro which is designed to download and launch the Dridex trojan and RMS RAT. Upon execution, the Dridex trojan collects credentials from the web browsers and the RMS RAT manages the infected systems
  • A new version of FinSpy spyware has been discovered by security researchers recently. The malicious surveillance tool has evolved to work on both iOS and Android devices. This spyware is capable of eavesdropping on calls and messages sent via secure messaging services like Signal, Telegram, Threema, WhatsApp, Facebook Messenger, Viber and more.
  • A new ransomware that spreads via the RIG Exploit kit has been uncovered. Dubbed ERIS, the ransomware encrypts victims’ files and appends them with .ERIS extension. Each encrypted file contains a file marker FLAG_ENCRYPTED at the end of the file as proof that it has been encrypted.
  • Almost 25 million Android phones have been infected with a malware named ‘Agent Smith’. Most of the victims are from India, followed by other countries in South Asia. The malware conceals itself through malicious apps that are distributed via the third-party 9Apps store.

Related Threat Briefings

Feb 14, 2025

Cyware Weekly Threat Intelligence, February 10–14, 2025

Cyber defenders are sharpening their tools, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. India is taking digital banking security up a notch. The RBI is launching a dedicated domain to curb financial fraud and enhance trust in online banking. Starting April 2025, financial institutions will register under this domain. China’s RedMike hackers are dialing into telecom networks - literally. Between December 2024 and January 2025, they targeted over 1,000 unpatched Cisco devices. Their primary focus? Global telecoms and university networks in Argentina, Bangladesh, and the U.S. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. Love is in the air, but so are phishing scams. In late January, cybercriminals launched a Valentine’s-themed phishing campaign, offering fake gift baskets in exchange for stolen credentials. Cybercriminals are upping their game with Astaroth, a phishing kit that doesn’t just steal credentials but also hijacks entire sessions. By using a reverse proxy, Astaroth intercepts logins and 2FA tokens in real time, allowing attackers to bypass security measures undetected. South America’s foreign ministry was caught in the crosshairs of an advanced cyber-espionage campaign. In November 2024, attackers linked to REF7707 deployed the PATHLOADER and FINALDRAFT malware to infiltrate diplomatic networks. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script.

Feb 7, 2025

Cyware Weekly Threat Intelligence, February 03–07, 2025

PyPI is taking a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. The U.K is bringing earthquake-style metrics to cybersecurity with its new Cyber Monitoring Centre, designed to track digital disasters as precisely as natural ones. Inspired by the Richter scale, the CMC will quantify cyber incidents based on financial impact and affected users, offering clearer insights for national security planning. Kimsuky is back with another phishing trick, this time using fake Office and PDF files to sneak forceCopy malware onto victims' systems. Its latest campaign delivers PEBBLEDASH and RDP Wrapper by disguising malware as harmless shortcuts, ultimately hijacking browser credentials and sensitive data. Hackers have found a new way to skim credit card data - by hiding malware inside Google Tag Manager scripts. CISA is flagging major security holes in Microsoft Outlook and Sophos XG Firewall, urging agencies to patch them before February 27. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. Bitcoin scammers are switching tactics, swapping static images for video attachments in MMS to make their schemes more convincing. A recent case involved a tiny .3gp video luring victims into WhatsApp groups where scammers apply pressure to extract money or personal data. XE Group has shifted from credit card skimming to zero-day exploitation, now targeting manufacturing and distribution companies. A new version of ValleyRAT is making the rounds, using stealthy techniques to infiltrate systems. Morphisec found the malware being spread through fake Chrome downloads from a fraudulent Chinese telecom site.

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.