Cyware Weekly Threat Intelligence, July 11 - 15, 2022

Weekly Threat Briefing • Jul 15, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jul 15, 2022
The U.S. Federal Trade Commission (FTC) is on the lookout for tech companies that are illegally using and sharing sensitive data of users. This is aimed at improving consumer privacy and reducing the mishandling of their personal data. Meanwhile, a variant of Hive ransomware has now less chance to make money out of your encrypted files as a decryption key is available on GitHub.
A decryption key for malware deployed by the Hive ransomware gang has been released in response to an uptick in activity from the gang in the past three months. A malware researcher developed and published a decryption tool for the Hive ransomware version 5.0 on GitHub.
The U.S. Federal Trade Commission (FTC) has issued a warning that it will take action against tech companies that are illegally using and sharing highly sensitive data of users. The agency aims at using the full scope of its legal authorities to protect consumers’ privacy.
The German government is shoring up its defense strategies in light of possible new threats from Russia. The new measures involve promoting cyber resilience among small- and medium-sized enterprises. There will also be a centralized platform for the exchange of information on cyberattacks between state and federal structures, based at the Federal Office for Information Security (BSI).
BlackCat group has raised the stakes in its extortion scheme. Now, the threat actor’s ransom demands start with $2.5 million, which puts additional pressure on victim organizations to save their stolen data. Having said that, the group added Bandai Namco to its list of victims this week. Multiple phishing attacks that are active since 2021 also made headlines for ensnaring credentials, and other sensitive data of users and employees across the globe.
About 4295 ETH (approximately $4.6 million at the time of reporting) was stolen in a phishing attack on the Uniswap cryptocurrency exchange. The attackers exploited the Uniswap V3 protocol on the ETH blockchain to launch the attack.
The head of the European Central Bank was targeted in a hacking attempt recently. While the investigation is in progress, the bank has confirmed that no information was compromised in the hack.
Microsoft researchers revealed that a large-scale phishing attack campaign has targeted more than 10,000 organizations since September 2021. The campaign used the Evilginx2 phishing toolkit to construct phishing pages, bypass MFA, and steal credentials and session cookies from Office 365 users.
Ukraine’s CERT team found a new spear-phishing campaign that was aimed at the Ukrainian government. Launched by the UAC-0056 threat actor group, the campaign infected recipients with Cobalt Strike beacon backdoors.
Anubis trojan is back with new C2 servers to control fake portals. These fake portals have been used in a large-scale phishing campaign targeting Brazil and Portugal since March.
Deakin University, Australia, suffered a data breach in which the attacker hacked a staff member’s credentials and gained unauthorized access. The breach has potentially affected the data of 46,980students. Additionally, 9,997 students were also targeted with malicious SMS messages.
Zscaler observed a major rise in QBot attacks over the past six months. The attackers used ZIP file extensions, code obfuscation, and multiple URLs among others, to evade detection during the attack process.
The game publisher behind Dark Souls and Elden Ring, Bandai Namco, was allegedly targeted by the BlackCat ransomware group. A post shared by the group claimed that it will reveal the stolen data soon.
A large-scale spear-phishing campaign that distributes AsyncRAT and LimeRAT has been active since 2021. The campaign uses geopolitical themes to target government agencies in Afghanistan, India, Italy, Poland, and the U.S. Once the trojan is installed, it establishes communication with the C2 server to exfiltrate victim data.
Transparent Tribe APT is using CrimsonRAT and ObliqueRAT to target universities and colleges in India. The campaign has been ongoing since December 2021 and uses spear-phishing emails as the primary attack vector.
A fake version of WhatsApp is tricking unsuspecting users into sharing their personal information. The victims are promised new features as a lure to install the app. The users are warned to be aware of such tricks and to download the app from legitimate stores.
Professional Finance Company recently disclosed a ransomware attack that impacted the private data of around 1.9 million people associated with hundreds of U.S. hospitals, medical clinics, and dental firms. The debt collection firm revealed that the criminals were able to access files from more than 650 healthcare providers.
The Virginia Commonwealth University Health System (VCU) has been found exposing the personal details, including SSNs, lab results, and medical records, of almost 4,500 transplant patients since at least 2006. Researchers cited the poor configuration of the website as a primary reason for the leakage of data.
The BrianLian ransomware group claimed to have hacked the Mooresville Consolidated School Corp. The incident occurred in June and affected the SSNs, phone numbers, and email records of 4,200 students.
A massive attack campaign was found scanning 1.6 million WordPress sites to find a vulnerable plugin, dubbed Kaswara Modern WPBakery Page Builder, that allows uploading of files without authentication.
BlackCat has increased its ransom demand to $2.5 million. The average time provided for payment is between five and seven days. This puts immense pressure on the victims to pay the ransom and prevent their data from being deleted or leaked.
LockBit and Karakurt gangs have adopted a new and simple strategy inspired by BlackCat to force victim companies to pay the ransom. The new tactic involves adding a search function on their leak sites that will allow victims to see the stolen details.
Threat actors are using a phishing kit to abuse the logo and general design of PayPal. With the set-up fake pages, threat actors are stealing credentials that can be later used to steal the victims’ identity and perform money laundering, open cryptocurrency accounts, make fraudulent tax return claims, and much more.
Spectre-like speculative-execution attacks continue to haunt the silicon world. Researchers have published details about the new RetBleed attack that impacts certain CPUs from Intel and AMD. A record-breaking DDoS attack was launched using over 5000 bots. The blame goes to the operators of the Mantis botnet that has been active since 2018.