Cyware Weekly Threat Intelligence, July 18 - 22, 2022

Weekly Threat Briefing • Jul 22, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jul 22, 2022
The DOJ announced a bit of a win this week in the ongoing battle against state-sponsored ransomware campaigns. It clawed back about half a million in cryptocurrency that was paid as ransom to Maui ransomware hackers. Meanwhile, NIST has released the first draft of revised HIPAA guidelines that aims at improving the management of security risks affecting Electronic protected health information (ePHI).
The DOJ seized around $500,000 from state-backed North Korean hackers who use the Maui ransomware in their attacks. The amount was returned to two healthcare providers who had paid the ransom to the gang.
Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities.
The FBI has urged the Treasury Department and U.S. Securities and Exchange Commission to make changes to the procedures and regulations surrounding ransom payments and incident reporting for the victims of cyberattacks. The regulations will primarily focus on how to engage with sanctioned ransomware groups.
In an effort to strengthen the security of patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry. The guidelines are currently drafted and will be regulated soon.
Several high-profile personalities were caught in the crosshairs of spyware campaigns. While the notorious Pegasus spyware was used to infect at least 30 Thai activists, academics, lawyers, and NGO workers, the DevilsTongue spyware was used to pilfer sensitive data from journalists in the Middle East. Web skimming attacks were also reported this week after researchers discovered over 50,000 payment card details on dark web forums. These details belonged to customers who made restaurant payments through online portals of InTouchPOS, MenuDrive, and Harbortouch.
Citizen Lab found that at least 30 Thai activists, academics, lawyers, and NGO workers, were targeted by the Pegasus spyware. The observed infections took place between October 2020 and November 2021.
Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.
From late 2021 through the present, the TA4563 threat actor has been targeting various European financial and investment entities with the malware known as EvilNum. It is a backdoor that can be used for data theft or to load additional payloads.
Ukrainians were targeted by a new version of the GoMet backdoor that was first observed in March. Believed to be an act of Russian state-sponsored threat actors, the campaign leveraged fake Windows updates to distribute the backdoor. In another instance, the Russia-based Turla APT group was found distributing Android malware masquerading as an app for pro-Ukrainian hacktivists to conduct DDoS attacks.
Neopets, a virtual pet website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.
Online scammers were found leveraging Google search results to perform tech support scams. In one instance, threat actors had manipulated the search results for the keyword ‘YouTube’ to redirect users to pages pretending to be security alerts from Windows Defender.
Over 50,000 payment card details of customers are being sold on dark web forums. These details were stolen in two different Magecart campaigns by injecting malicious code into the online ordering portals of InTouchPOS, MenuDrive, and Harbortouch. In a similar vein, the PrestaShop website was infected with a card skimming code to pilfer shipping and billing details of users.
A vulnerability in the mental health app Feelyou exposed the email addresses of almost 78,000 users from 177 countries. The platform claimed that no other data has been impacted.
Threat actors compromised the official website of Premint NFT and stole 314 NFTs, amounting to approximately $375,000. The attack has six primary EOAs associated with it, among which two wallets contain Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.
British jeweler Graff reportedly paid a ransom of $7.5 million, following the Conti ransomware attack in September 2021. To claim the attack, the group had published 69,000 confidential files related to 11,000 of Graff's clients.
The FBI issued a warning against cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. They make users install fake apps and deposit funds into wallets allegedly associated with the victims' accounts. So far, cybercriminals have already pilfered roughly $42.7 million from 244 investors.
Belgian officials have accused Chinese state-sponsored actors of a series of cyberattacks against its interior and defense ministries. The noted Chinese groups in the report are tracked as APT27, APT30, APT31, and Gallium.
Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and DropBox, to target a number of Western diplomatic missions, including foreign embassies of Portugal and Brazil. The group’s phishing technique includes a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.
Building materials giant Knauf disclosed that it was hit by Black Basta ransomware. As a result, its business operations were disrupted, forcing its global IT team to shut down all IT systems to isolate the incident.
LockBit affiliates are widely using server machines to spread ransomware throughout enterprise networks. The attack chain starts by abusing the Remote Desktop Protocol.
PayPal and Norton were spoofed in a new ‘Double-Spear’ phishing campaign. This enabled the attackers to steal both money and personal information from users.
Candiru surveillance firm’s DevilsTongue spyware made its debut in a new attack campaign that targeted journalists in the Middle East. The attack exploited a recently fixed zero-day flaw in the Chrome browser to distribute the spyware.
Meanwhile, Roaming Mantis has shifted its focus to France. Since February, the gang has infected over ten ten thousand Android and iOS devices via Smishing attacks. There’s also an update on new malware frameworks - Redeemer ransomware builder and Lightning Framework - that are capable of infecting a wide range of devices.