Cyware Weekly Threat Intelligence - July 24–28

Weekly Threat Briefing • July 28, 2023
Federal agencies need to refresh their security regulations often enough for the organizations they oversee to keep pace with a fast-changing threat landscape. In that spirit, the DoD has sent its proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program forward for review, with publication slated for September. In other news, the TSA has issued an updated cybersecurity directive aimed at making oil and natural gas pipelines more cyber resilient.
The U.S. Securities and Exchange Commission (SEC) adopted a new set of rules on cybersecurity risk management, strategy, governance, and incident disclosure for publicly traded companies. Under the rules, a company must disclose a cybersecurity incident it has determined to be material within four business days of that determination, describing the incident's nature, scope and timing and its likely impact on operations and finances. The rules take effect for U.S. companies 30 days after they are published in the Federal Register.
The DoD submitted to the Office of Management and Budget (OMB) its proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) program, which is expected to be published in September. The framework aims to help defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) from cyberattacks by assessing their cybersecurity posture against a defined set of requirements.
The Transportation Security Administration (TSA) updated its cybersecurity directive for oil and natural gas pipelines so that operators' defenses keep pace with sophisticated cyber threats. The updated directive requires operators to test the cybersecurity measures they have implemented at least every three years. Additionally, pipeline owners and operators must test the effectiveness of their cyber incident response plans rather than simply keeping them on file.
Meanwhile, the MOVEit hacking spree continues to haunt organizations as the victim list keeps growing: this week Maximus disclosed that it was hit, with the personal information of up to 11 million individuals compromised. The week also brought a broader threat. Corporate credential theft is rising sharply, with a recent analysis finding roughly 400,000 corporate credentials for sale on Telegram and the dark web, among them logins for Salesforce, HubSpot, QuickBooks, AWS, GCP, Okta, and DocuSign. Separately, the Lazarus group was blamed for crypto heists worth tens of millions of dollars at Alphapo and CoinsPaid.
Maximus announced that it was affected by the MOVEit hacking spree, revealing that the personal information of up to 11 million individuals, including Social Security numbers and protected health information (PHI), was stolen in the attack. An investigation is underway, after which the company plans to notify the affected individuals.
The Chinese hacking group APT31 (aka Zirconium) was linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers set out to steal valuable intellectual property, including data held on air-gapped systems, and used a total of 15 implant variants with differing capabilities over the course of the campaign.
An analysis of nearly 20 million information-stealer malware logs found approximately 400,000 corporate credentials being sold on hacker forums and Telegram channels. Some of these credentials belong to business applications such as Salesforce, HubSpot, QuickBooks, AWS, GCP, Okta, and DocuSign. Because they were harvested over several years by a range of stealer families, the numbers show how deeply attackers have already penetrated business environments, and why a responder's first question on seeing such a dump should be which of their own accounts are in it.
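The practical problem behind that figure is triage: a stealer-log dump mixes personal and corporate logins, duplicates and junk, and a responder wants to know which companies have which SaaS accounts exposed. The script below is an added example written for this briefing, not code from the analysis it cites. It assumes the common "url:username:password" dump layout; the hostname-to-application map and the sample log lines are constructed for illustration.

```python
"""Triage a dump of infostealer credentials for corporate SaaS exposure.

Added example; it is not code from the Cyware briefing or from the analysis
it cites. Stealer logs are usually dumped as "url:username:password" lines,
so the parser assumes that layout. The hostnames mapped to each application
and the sample log are assumptions constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Business applications the briefing names, keyed by the hostname (or parent
# domain) their sign-in pages use. Assumed for this example.
CORPORATE_APPS = {
    "salesforce.com": "Salesforce",
    "hubspot.com": "HubSpot",
    "intuit.com": "QuickBooks",
    "signin.aws.amazon.com": "AWS",
    "accounts.google.com": "GCP",     # Google Cloud console sign-in
    "okta.com": "Okta",
    "docusign.com": "DocuSign",
}

# Constructed sample: a personal login, a malformed line, a duplicate entry
# and a password containing ':' are included to exercise the edge cases.
SAMPLE_LOG = """\
https://login.salesforce.com/:jane.doe@acme-corp.example:Summer2023!
https://acme-corp.okta.com/login/login.htm:jdoe@acme-corp.example:hunter2
https://www.facebook.com/login:jane.personal@example.net:pw123
https://signin.aws.amazon.com/signin:root@acme-corp.example:P@ssw0rd
https://app.hubspot.com/login:bob@globex.example:letmein
not a stealer log line
https://app.hubspot.com/login:bob@globex.example:letmein
https://account.docusign.com/:carol@acme-corp.example:a:b:c
"""


def parse_line(line):
    """Return (hostname, username, password) or None for an unparseable line.

    Splitting on ':' at most twice after the scheme keeps a password that
    itself contains ':' intact; a URL with an explicit port would still be
    mis-split, which is a known limitation of this simple dump format.
    """
    line = line.strip()
    if "://" not in line:
        return None
    scheme, rest = line.split("://", 1)
    parts = rest.split(":", 2)
    if len(parts) != 3 or not parts[1]:
        return None
    host = urlsplit(f"{scheme}://{parts[0]}").hostname
    if not host:
        return None
    return host.lower(), parts[1].strip().lower(), parts[2]


def classify_host(host):
    """Map a login hostname to a corporate application, or None if it is not one."""
    for suffix, app in CORPORATE_APPS.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None


def triage(log_text):
    """Group unique corporate credentials by the victim's email domain.

    Returns {victim_domain: {application: [usernames...]}} so a responder can
    see at a glance which companies need which accounts reset first.
    """
    seen = set()
    exposure = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, user, password = rec
        app = classify_host(host)
        if app is None or (host, user, password) in seen:
            continue
        seen.add((host, user, password))
        victim = user.rsplit("@", 1)[1] if "@" in user else "(no email domain)"
        exposure[victim][app].add(user)
    return {v: {a: sorted(u) for a, u in apps.items()} for v, apps in exposure.items()}


if __name__ == "__main__":
    for victim, apps in sorted(triage(SAMPLE_LOG).items()):
        print(victim)
        for app, users in sorted(apps.items()):
            print(f"  {app}: {', '.join(users)}")
```

Grouping by the email domain rather than by the stealer's victim machine is deliberate: the machine is the infected employee's, but the exposure belongs to the organization whose accounts those are, and that is who has to rotate credentials and review sessions.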
Yamaha's Canadian music division confirmed it had suffered a cyberattack after both the BlackByte and Akira ransomware groups claimed it as a victim: BlackByte added the company to its leak site on June 14 and Akira followed on July 21. According to the company's statement, the attack involved unauthorized access to its systems and the theft of sensitive data.
The Egyptian Ministry of Health and Population suffered a data breach in which threat actors stole approximately two million records and offered them for sale on the Popürler hacking forum. As proof, the attackers posted a sample of 1,000 records containing names, ID numbers, phone numbers, addresses, diagnoses, and treatment details.
A cyberattack on Canadian heart monitoring and medical electrocardiogram solutions provider CardioComm impacted its business operations and product server environments. According to the firm, there is no evidence of compromise of customer health information.
The North Korean Lazarus hacking group is allegedly behind the recent $60 million cryptocurrency heist at Alphapo. The theft includes over 6 million USDT, 108k USDC, 100.2 million FTN, 430k TFL, 2.5k ETH, 1,700 DAI, and $37M of TRON and BTC, all of which were stolen from hot wallets, possibly using leaked private keys. The attack was carried out on July 23.
Estonia-based cryptocurrency payments platform CoinsPaid was targeted by the Lazarus group, resulting in the theft of $37.2 million worth of cryptocurrency. The company has not shared details of the attack but says it is working to restore the affected services.
AI-powered cybercrime tools keep adding to the threat landscape, and the latest is FraudGPT, advertised as able to write malicious code, build hard-to-detect malware, create cracking tools, craft phishing emails, and find leaks and vulnerabilities. The Mirai botnet was in the headlines again as one of its variants was found targeting misconfigured Apache Tomcat servers for cryptomining. A new macOS malware, dubbed Realst, also drew researchers' attention, with 16 variants identified so far.
The BlackCat ransomware gang added an API to its leak site that lets affiliates and security researchers query information about its latest victims. The feature adds to the gang's existing extortion tactics, widening the audience for leaks to pressure victims into paying. The move follows the gang's failed ransom negotiations with Estée Lauder.
Metabase Q researchers identified a new threat actor, named Fenix, behind a wave of malspam targeting taxpayers in Mexico and Chile. The attackers posed as tax authorities and directed users to fake websites to download a supposed security tool that would make their use of the tax portal safer. The download instead executed malware that stole sensitive information, including credentials.
A new malware, dubbed Realst, targeting macOS systems has emerged in the threat landscape. It is distributed via websites hosting fake blockchain games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, and SaintLegend. It is capable of emptying crypto wallets and stealing stored passwords and browser data. So far, 16 distinct variants of Realst have been identified; they are fairly similar to one another but use different sets of API calls.
Decoy Dog, first reported in April, has been substantially upgraded over Pupy, the open-source remote access tool it is built on, to disguise its activity and maintain long-term access to compromised devices. Researchers estimate that more than 100 devices are infected and that more than one actor, not necessarily tied to the same nation-state, may be operating it.
A new AI-powered cybercrime tool called FraudGPT is being promoted on numerous dark web marketplaces and Telegram channels for $200 per month, $1,000 for six months, and $1,700 for a year. The tool can be used to write malicious code, develop undetectable malware, create cracking tools, craft phishing emails, and find leaks and vulnerabilities.
Over 900,000 devices remain exposed to an arbitrary code execution flaw in MikroTik RouterOS. Tracked as CVE-2023-30799, the issue affects RouterOS stable versions before 6.49.7 and long-term versions through 6.48.6. An attacker who already holds an admin account can abuse the flaw through the Winbox or HTTP interface to escalate to super-admin, which is what opens the door to running arbitrary code on the device. Because admin credentials are required, the 900,000 figure counts reachable devices rather than confirmed exploitable ones, but routers with default or weak admin passwords and management interfaces exposed to the internet are at direct risk. The flaw has been addressed with the release of stable version 6.49.7.
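Checking a fleet against two version ranges across two release channels is easy to get wrong by hand (a plain string comparison puts 6.49.10 before 6.49.7, and a long-term 6.48.6 is affected while a stable 6.49.7 is not). The sweep below is an added example, not MikroTik's or the researchers' code; it encodes only the ranges stated above, reports RouterOS 7 and anything else outside them as out of scope rather than guessing, and runs over a constructed inventory listing.

```python
"""Sweep a RouterOS inventory for CVE-2023-30799 exposure.

Added example; not MikroTik's code or the researchers'. The affected ranges
come from the briefing: stable releases before 6.49.7 and long-term releases
through 6.48.6. Anything else (including RouterOS 7) is reported as outside
those ranges rather than guessed at. The inventory lines are constructed.
"""
import re

FIRST_FIXED_STABLE = (6, 49, 7)     # first fixed stable release, per the briefing
LAST_VULN_LONGTERM = (6, 48, 6)     # last affected long-term release, per the briefing

# Accepts "6.49.6", "6.48.6 (long-term)", "6.49 (stable)"; a missing patch level is 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(([\w -]+)\))?$")

# Constructed inventory: "hostname  version [(channel)]" per line.
SAMPLE_INVENTORY = """\
edge-rtr-01   6.49.6
edge-rtr-02   6.49.7
edge-rtr-03   6.49.10
branch-rtr-04 6.48.6 (long-term)
branch-rtr-05 6.48.6
lab-rtr-06    7.10.2
"""


def parse_version(text):
    """'6.48.6 (long-term)' -> ((6, 48, 6), 'long-term'); channel defaults to 'stable'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    major, minor, patch, channel = m.groups()
    channel = (channel or "stable").lower().replace(" ", "-")
    return (int(major), int(minor), int(patch or 0)), channel


def assess(text):
    """Return 'vulnerable', 'fixed' or 'out of scope' for one version string.

    Integer tuples compare numerically, so 6.49.10 correctly sorts after
    6.49.7, which a naive string comparison would get wrong.
    """
    version, channel = parse_version(text)
    if version[0] != 6:
        return "out of scope"
    if channel == "long-term":
        return "vulnerable" if version <= LAST_VULN_LONGTERM else "fixed"
    # stable (and any other 6.x channel) is judged against the stable fix
    return "vulnerable" if version < FIRST_FIXED_STABLE else "fixed"


def audit(inventory_text):
    """Parse 'hostname version' lines and return {hostname: verdict}."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, version = line.split(None, 1)
        results[host] = assess(version)
    return results


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {verdict}")
```

A version sweep only tells you which boxes need the upgrade; the exposure that actually matters is whether Winbox or the HTTP interface is reachable from untrusted networks and whether the admin account still has a weak or default password, both of which should be checked alongside it.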
A new campaign leveraging Google and Bing search ads is being used to distribute a malware dubbed Nitrogen. The malware provides threat actors initial access to corporate networks, allowing them to conduct data theft and cyberespionage, and ultimately deploying BlackCat ransomware on compromised systems. The campaign primarily targets technology and non-profit organizations in North America, impersonating popular software such as AnyDesk, AnyConnect VPN, TreeSize Free, and WinSCP.
A Mirai botnet variant has been identified in a new cryptocurrency mining campaign that targets misconfigured Apache Tomcat servers. After gaining a foothold, the attackers deploy a malicious web shell that receives and executes commands on the compromised server. The first-stage payload it fetches is a Mirai variant, which also enlists the infected hosts for DDoS attacks.
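On the defender's side, the sequence that campaign depends on leaves a recognisable trail in the Tomcat access log: a run of 401s against the manager application, then a successful WAR deployment, then the first request into the freshly deployed context. The detector below is an added example written for this briefing, not code from the research it summarises. It assumes the "misconfiguration" is a reachable Tomcat Manager application with guessable credentials (an assumption of the example, not a detail from the briefing), reads Tomcat's default access-log pattern, and runs over constructed log lines.

```python
"""Spot a Tomcat manager brute force followed by a web shell deployment.

Added example, written for this briefing rather than taken from the Mirai
campaign research it summarises. It assumes the "misconfiguration" is a
reachable Tomcat Manager application protected by guessable credentials,
which is an assumption of the example, and it reads Tomcat's default
access-log format (%h %l %u %t "%r" %s %b). The log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

# Manager endpoints that install a new context from an uploaded WAR. Assumed list.
DEPLOY_PATHS = ("/manager/text/deploy", "/manager/html/upload")

# Constructed sample: five failed logins from one client, a legitimate admin
# visit from another, then a WAR deployment and a hit on the new context.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jul/2023:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [25/Jul/2023:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [25/Jul/2023:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [25/Jul/2023:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.5 - - [25/Jul/2023:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.7 - tomcat [25/Jul/2023:10:15:04 +0000] "GET /manager/html HTTP/1.1" 200 19871
203.0.113.5 - tomcat [25/Jul/2023:10:15:09 +0000] "PUT /manager/text/deploy?path=/update&update=true HTTP/1.1" 200 53
203.0.113.5 - - [25/Jul/2023:10:15:11 +0000] "GET /update/cmd.jsp?cmd=uname%20-a HTTP/1.1" 200 310
"""


def parse(line):
    """Return the log fields as a dict, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, auth_fail_threshold=5):
    """Return a list of (client_ip, finding, detail) tuples in log order.

    Findings: 'manager-bruteforce' once a client reaches the threshold of 401s
    on /manager/; 'manager-deploy' for any successful WAR deployment, reported
    as 'deploy-after-bruteforce' when the same client had already crossed the
    threshold; and 'deployed-context-access' for the first request into a
    context deployed earlier in the log, which is where a dropped web shell
    would be called.
    """
    failures = defaultdict(int)
    deployed = {}          # context path -> client that deployed it
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, status = rec["ip"], rec["status"]
        url = urlsplit(rec["target"])
        path = url.path
        if path.startswith("/manager/") and status == "401":
            failures[ip] += 1
            if failures[ip] == auth_fail_threshold:
                findings.append((ip, "manager-bruteforce",
                                 f"{failures[ip]} failed manager logins by {rec['ts']}"))
        elif path in DEPLOY_PATHS and rec["method"] in ("PUT", "POST") and status == "200":
            context = parse_qs(url.query).get("path", ["?"])[0]
            kind = ("deploy-after-bruteforce"
                    if failures[ip] >= auth_fail_threshold else "manager-deploy")
            findings.append((ip, kind, f"context {context} deployed by user {rec['user']}"))
            deployed[context] = ip
        else:
            hit = next((c for c in deployed if path == c or path.startswith(c + "/")), None)
            if hit is not None:
                findings.append((ip, "deployed-context-access",
                                 f"{rec['method']} {rec['target']}"))
                del deployed[hit]      # report only the first touch of each context
    return findings


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip:14} {kind:26} {detail}")
```

Every successful deployment is reported, including legitimate ones, because a WAR upload is rare enough on a production server that each one deserves a glance; the brute-force context and the follow-on request into the new context are what separate an attacker from an administrator.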
A Russian nation-state actor, BlueBravo (aka APT29), was associated with an attack campaign that targeted diplomatic entities in Eastern Europe using a new backdoor called GraphicalProton. The campaign was active between March and May and leveraged Legitimate Internet Services (LIS) for command-and-control obfuscation.
Two related Android malware families, dubbed CherryBlos and FakeTrade, were found to be involved in cryptocurrency-stealing and financially motivated scam campaigns against Android users. CherryBlos was distributed through fraudulent services promoted on popular social media platforms, while FakeTrade spread through fake money-earning apps.