Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence, July 18 - 22, 2022

Cyware Weekly Threat Intelligence - October 10–14 - Featured Image

Weekly Threat Briefing Jul 22, 2022

The Good

The DOJ announced a bit of a win this week in the ongoing battle against state-sponsored ransomware campaigns. It clawed back about half a million in cryptocurrency that was paid as ransom to Maui ransomware hackers. Meanwhile, NIST has released the first draft of revised HIPAA guidelines that aims at improving the management of security risks affecting Electronic protected health information (ePHI).

  • The DOJ seized around $500,000 from state-backed North Korean hackers who use the Maui ransomware in their attacks. The amount was returned to two healthcare providers who had paid the ransom to the gang.

  • Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities.

  • The FBI has urged the Treasury Department and U.S. Securities and Exchange Commission to make changes to the procedures and regulations surrounding ransom payments and incident reporting for the victims of cyberattacks. The regulations will primarily focus on how to engage with sanctioned ransomware groups.

  • In an effort to strengthen the security of patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry. The guidelines are currently drafted and will be regulated soon.

The Bad

Several high-profile personalities were caught in the crosshairs of spyware campaigns. While the notorious Pegasus spyware was used to infect at least 30 Thai activists, academics, lawyers, and NGO workers, the DevilsTongue spyware was used to pilfer sensitive data from journalists in the Middle East. Web skimming attacks were also reported this week after researchers discovered over 50,000 payment card details on dark web forums. These details belonged to customers who made restaurant payments through online portals of InTouchPOS, MenuDrive, and Harbortouch.

  • Citizen Lab found that at least 30 Thai activists, academics, lawyers, and NGO workers, were targeted by the Pegasus spyware. The observed infections took place between October 2020 and November 2021.

  • Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.

  • From late 2021 through the present, the TA4563 threat actor has been targeting various European financial and investment entities with the malware known as EvilNum. It is a backdoor that can be used for data theft or to load additional payloads.

  • Ukrainians were targeted by a new version of the GoMet backdoor that was first observed in March. Believed to be an act of Russian state-sponsored threat actors, the campaign leveraged fake Windows updates to distribute the backdoor. In another instance, the Russia-based Turla APT group was found distributing Android malware masquerading as an app for pro-Ukrainian hacktivists to conduct DDoS attacks.

  • Neopets, a virtual pet website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.

  • Online scammers were found leveraging Google search results to perform tech support scams. In one instance, threat actors had manipulated the search results for the keyword ‘YouTube’ to redirect users to pages pretending to be security alerts from Windows Defender.

  • Over 50,000 payment card details of customers are being sold on dark web forums. These details were stolen in two different Magecart campaigns by injecting malicious code into the online ordering portals of InTouchPOS, MenuDrive, and Harbortouch. In a similar vein, the PrestaShop website was infected with a card skimming code to pilfer shipping and billing details of users.

  • A vulnerability in the mental health app Feelyou exposed the email addresses of almost 78,000 users from 177 countries. The platform claimed that no other data has been impacted.

  • Threat actors compromised the official website of Premint NFT and stole 314 NFTs, amounting to approximately $375,000. The attack has six primary EOAs associated with it, among which two wallets contain Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.

  • British jeweler Graff reportedly paid a ransom of $7.5 million, following the Conti ransomware attack in September 2021. To claim the attack, the group had published 69,000 confidential files related to 11,000 of Graff's clients.

  • The FBI issued a warning against cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. They make users install fake apps and deposit funds into wallets allegedly associated with the victims' accounts. So far, cybercriminals have already pilfered roughly $42.7 million from 244 investors.

  • Belgian officials have accused Chinese state-sponsored actors of a series of cyberattacks against its interior and defense ministries. The noted Chinese groups in the report are tracked as APT27, APT30, APT31, and Gallium.

  • Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and DropBox, to target a number of Western diplomatic missions, including foreign embassies of Portugal and Brazil. The group’s phishing technique includes a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.

  • Building materials giant Knauf disclosed that it was hit by Black Basta ransomware. As a result, its business operations were disrupted, forcing its global IT team to shut down all IT systems to isolate the incident.

  • LockBit affiliates are widely using server machines to spread ransomware throughout enterprise networks. The attack chain starts by abusing the Remote Desktop Protocol.

  • PayPal and Norton were spoofed in a new ‘Double-Spear’ phishing campaign. This enabled the attackers to steal both money and personal information from users.

  • Candiru surveillance firm’s DevilsTongue spyware made its debut in a new attack campaign that targeted journalists in the Middle East. The attack exploited a recently fixed zero-day flaw in the Chrome browser to distribute the spyware.

New Threats

Meanwhile, Roaming Mantis has shifted its focus to France. Since February, the gang has infected over ten ten thousand Android and iOS devices via Smishing attacks. There’s also an update on new malware frameworks - Redeemer ransomware builder and Lightning Framework - that are capable of infecting a wide range of devices.

  • After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K. the Roaming Mantis has now targeted users in France. The financially motivated threat actor has compromised over ten thousand Android and iOS devices since February.
  • CloudMensis is a new macOS malware that gathers information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures. Developed in Objective-C, the spyware uses public cloud storage services to communicate back and forth with its operators.
  • A new version of the Redeemer ransomware builder is available for free on hacker forums. The new version 2.0 is written entirely in C++ and targets Windows Vista, 7, 8, 10, and 11.
  • Lightning Framework is a new malware that targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. The malware masquerades as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
  • A new ransomware family dubbed Luna discovered on dark web forums is capable of targeting Windows, Linux, and ESXi systems. Attributed to Russian threat actors, ransomware is still under development.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that over 1.5 million vehicles are at risk of remote attacks owing to a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers. These vulnerabilities could impact access to a vehicle's fuel supply and controller, or allow location-based surveillance of vehicles in which the device is installed.
  • A total of 53 fake apps on the Google Play Store were spotted distributing Joker, FaceStealer, and Coper malware strains. These apps posed as SMS, photo editors, blood pressure monitor, emoji keyboards, and translation apps and were downloaded over 300,000 times.
  • A newly devised air-gap attack uses Serial Advanced Technology Attachment (SATA) cables as a communication medium (wireless antenna) to transfer radio signals at the 6Hz frequency band.
  • APT29, a group of state-backed hackers from Russia, is now leveraging cloud services, including Google Drive and DropBox, in their attacks to avoid detection. These attacks are aimed at Western diplomatic missions and foreign embassies around the world.
  • A new threat group named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army, is actively selling Cybercrime-as-a-Service on Telegram and dark web forums. The services include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access.

Related Threat Briefings

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.