Cyware Weekly Threat Intelligence - July 24–28

Weekly Threat Briefing • July 28, 2023
It is crucial for federal agencies to update security regulations frequently so that organizations can keep pace with a rapidly changing cyber threat landscape. With this in mind, the DoD has proposed new guidelines for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which is slated to be released in September. In other news, the TSA has issued an updated cybersecurity framework to make oil and natural gas pipelines more cyber resilient.
Meanwhile, the infamous MOVEit hack spree continues to haunt organizations as the list of victims keeps growing. This week Maximus disclosed being impacted by the MOVEit hack, leading to the compromise of the personal information of up to 11 million individuals. However, the week brought an even more serious threat. There is an alarming rise in the theft of corporate credentials, with a recent analysis revealing that approximately 400,000 corporate credentials are on sale on Telegram and the dark web. Some of these credentials are for Salesforce, Hubspot, Quickbooks, AWS, GCP, Okta, and DocuSign. Separately, the Lazarus group was accused of crypto heists worth tens of millions of dollars at Alphapo and CoinsPaid.
AI-powered cybercrime tools are unleashing a new range of menacing threats in the cyber ecosystem, and the latest addition to this basket is FraudGPT. The tool can enable threat actors to write malicious code, develop undetectable malware, create cracking tools, craft phishing emails, and find leaks and vulnerabilities. The Mirai botnet was in the headlines again as one of its variants was found targeting misconfigured Apache Tomcat servers to launch cryptomining attacks. A new macOS malware, dubbed Realst, also raised concerns among security researchers, who identified 16 variants of the malware.
The BlackCat ransomware gang added an API that enables its affiliates and security researchers to query information about its latest victims. This is an addition to its existing extortion strategy, intended to put more pressure on victims to pay a ransom. The move follows the gang's failed ransom negotiation with Estée Lauder.
Metabase Q researchers identified a new threat actor named Fenix behind a wave of malspam targeting taxpayers in Mexico and Chile. The attackers posed as tax authorities and asked users to download a security tool from fake websites, claiming it would enhance their portal navigation safety. However, unbeknownst to the victims, this download resulted in the execution of malware that stole sensitive information, including credentials.
A new malware, dubbed Realst, targeting macOS systems has emerged in the threat landscape. It is distributed via websites hosting fake blockchain games such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, and SaintLegend. It is capable of emptying crypto wallets and stealing stored passwords and browser data. So far, 16 distinct variants of Realst have been identified; they are fairly similar to one another but use different sets of API calls.
Since it was first discovered in April, Decoy Dog has undergone a major upgrade from Pupy, the open-source remote access tool it is based on, to disguise its activities and ensure long-term access to compromised devices. Researchers estimate that over 100 devices are infected with Decoy Dog, and multiple groups, not necessarily tied to the same nation-state, could be responsible.
A new AI-powered cybercrime tool called FraudGPT is being promoted on numerous dark web marketplaces and Telegram channels for $200 per month, $1,000 for six months, and $1,700 for a year. The tool can be used to write malicious code, develop undetectable malware, create cracking tools, craft phishing emails, and find leaks and vulnerabilities.
Over 900,000 devices remain vulnerable to an arbitrary code execution flaw in MikroTik RouterOS. Tracked as CVE-2023-30799, the issue impacts RouterOS versions before 6.49.7 and RouterOS long-term versions through 6.48.6. An attacker can abuse the flaw to escalate privileges from admin to super-admin via the Winbox or HTTP interface. The flaw has been addressed in stable version 6.49.7.
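As an added example (not from the briefing or from MikroTik), the following script flags RouterOS devices in an inventory that fall within the CVE-2023-30799 affected ranges stated above; the device names, versions and the `channel` field are constructed sample data and assumptions, since the version number alone does not tell you which release branch a device tracks.

```python
# Added example: flag MikroTik RouterOS devices in an inventory that fall in the
# CVE-2023-30799 ranges stated in the briefing: stable releases before 6.49.7,
# and long-term releases through 6.48.6. Device data below is constructed.
from __future__ import annotations
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.49.7' (or '6.48.6 (long-term)') into a comparable int tuple.
    Anything after the first space or '(' is treated as an annotation and
    ignored; short versions like '6.49' are padded to three components."""
    core = text.split()[0].split("(")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class Device:
    name: str
    version: str
    channel: str  # assumed field: 'stable' or 'long-term', as reported by the device


def is_affected(version: str, channel: str) -> bool:
    """Apply the affected ranges exactly as the briefing states them:
    - long-term channel: affected through 6.48.6  (v <= 6.48.6)
    - stable channel:    affected before 6.49.7   (v <  6.49.7)
    The channel is required because 6.48.x numbers exist on both branches."""
    v = parse_version(version)
    if channel == "long-term":
        return v <= (6, 48, 6)
    return v < (6, 49, 7)


def affected_devices(inventory: list[Device]) -> list[str]:
    """Return the names of devices still in an affected version range."""
    return [d.name for d in inventory if is_affected(d.version, d.channel)]


# Constructed sample inventory (hypothetical hostnames).
SAMPLE_INVENTORY = [
    Device("edge-rtr-01", "6.49.7", "stable"),       # the fixed stable release
    Device("edge-rtr-02", "6.49.6", "stable"),       # one release behind the fix
    Device("branch-rtr-03", "6.48.6", "long-term"),  # last affected long-term version
    Device("branch-rtr-04", "6.49.8", "stable"),     # newer than the fix
]

if __name__ == "__main__":
    print("Affected:", affected_devices(SAMPLE_INVENTORY))
```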
A new campaign leveraging Google and Bing search ads is being used to distribute a malware dubbed Nitrogen. The malware gives threat actors initial access to corporate networks, allowing them to conduct data theft and cyberespionage and ultimately deploy BlackCat ransomware on compromised systems. The campaign primarily targets technology and non-profit organizations in North America, impersonating popular software such as AnyDesk, AnyConnect VPN, TreeSize Free, and WinSCP.
A variant of Mirai botnet has been identified in a new cryptocurrency mining campaign that targets misconfigured Apache Tomcat servers. Upon successfully gaining a foothold, the attackers deploy a malicious web shell designed to receive and execute commands on compromised servers. The first-stage malware is a Mirai variant that leverages infected hosts to orchestrate DDoS attacks.
A Russian nation-state actor, BlueBravo (aka APT29), was associated with an attack campaign that targeted diplomatic entities in Eastern Europe using a new backdoor called GraphicalProton. The campaign was active between March and May and leveraged Legitimate Internet Services (LIS) for command-and-control obfuscation.
Two related Android families, dubbed CherryBlos and FakeTrade, were found to be involved in cryptocurrency-mining and financially-motivated scam campaigns targeting Android users. While CherryBlos was distributed via fraudulent services on popular social media platforms, FakeTrade leveraged fake money-earning apps for propagation.