
Cyware Weekly Threat Intelligence - June 06–10


Weekly Threat Briefing Jun 10, 2022

The Good

Another week, another round of major crackdowns in the cyber world. U.S. law enforcement agencies seized the SSNDOB marketplace, which was used to trade the personal information of millions of Americans. In another success story, Microsoft dismantled the activities and infrastructure associated with the Bohrium and Polonium threat groups.

  • U.S. law enforcement agencies announced the takedown of the SSNDOB marketplace, which was used to trade the personal information of millions of Americans. The market had generated over $19 million in revenue by selling the personal details of approximately 24 million individuals.

  • Microsoft has successfully disrupted multiple cyber operations associated with the Bohrium and Polonium threat actor groups. In the case of Bohrium, the tech giant took down 41 domains that were used to establish C2 infrastructure for deploying malicious tools. In the case of Polonium, more than 20 malicious OneDrive apps used in the group's attacks were suspended.

  • Researchers have designed a new privacy framework, dubbed Peekaboo, that can help address data-sharing concerns across IoT devices. The framework operates on the principle of data minimization, that is, collecting only the data that is actually needed.

The Bad

Security incidents exposing millions of sensitive records remained a top concern among security experts. Two of these incidents affected the personal data of students in India, Israel, and the U.S. The compromised data included the full names, email addresses, phone numbers, and credit card details of students. Meanwhile, NFT users and cryptocurrency investors again lost funds to hackers in attacks on Bored Ape Yacht Club (BAYC) and Maiar.

  • Tenafly Public Schools had to go back to paper, pencils, and overhead projectors following a ransomware attack. Additionally, this led to the cancellation of exams for all of the district’s high school students.

  • The Vice Society ransomware group has claimed responsibility for the recent cyberattack on the city of Palermo in Italy. The attack occurred last week, and all internet-dependent services remain unavailable.

  • MyEasyDocs, an India-based online document verification platform, exposed 30GB of data owing to a misconfigured Azure server. This included both personal and financial information of over 50,000 students from India and Israel.

  • A large-scale phishing operation tricked a million users on Facebook and Messenger into sharing their credentials and viewing advertisements. The campaign operators used the stolen accounts to send further phishing messages to the victims' friends, generating significant revenue via online advertising commissions.

  • Avast researchers exposed a crypto-stealing campaign, FakeCrack, that leveraged Google search results for pirated copies of the CCleaner Pro Windows optimization program to infect as many victims as possible.

  • Malicious hackers again managed to steal 32 NFTs (worth more than $250,000) from Bored Ape Yacht Club (BAYC) by compromising the Discord account of one of its community managers. The threat actors used this compromised account to send a phishing link, which was later used to gain access to BAYC owners’ cryptocurrency wallets. Among the NFTs compromised in the hack were 1 Bored Ape, 2 Mutant Apes, 5 Otherdeeds, and 1 Bored Kennel.

  • An unprotected Elasticsearch database exposed 5GB of personal data belonging to over 30,000 students. The database apparently belongs to account holders of Transact Campus, which works with higher education institutions in the U.S.

  • Malwarebytes Labs identified a new malvertising campaign that leads to a fake Firefox update. The template appears to be inspired by the one propagated by the SocGholish threat actors.

  • A security incident at Shields Health Care Group resulted in the exposure of the data of two million patients from 60 healthcare providers. This is the largest healthcare data breach reported this year.

  • Maiar, a decentralized exchange (DEX), went offline temporarily after attackers exploited a flaw in the platform. This enabled them to steal an estimated $113 million from the exchange.

  • CISA, along with the NSA and the FBI, issued a joint advisory warning organizations about rising cyberespionage attacks by Chinese threat actors. The attacks have been ongoing since 2020 and are aimed primarily at the telecommunications sector.

New Threats

While enterprises are still waiting for a patch to address the recently disclosed Follina vulnerability, more malware operators have moved in to exploit it. Security experts recently observed several cyberespionage campaigns exploiting the flaw to deliver QBot and AsyncRAT, among other malware. In other new threats, new capabilities have been added to Black Basta ransomware and the Emotet trojan to ensnare a new range of devices and users.

  • A new ransomware named WannaFriendMe is taking an unusual approach to extorting its victims. It impersonates the Ryuk ransomware and offers decryptors on the Roblox gaming platform in exchange for the service's in-game Robux currency.

  • The Smilodon credit card skimming malware has shifted its focus from WooCommerce stores to WordPress e-commerce sites to earn more profits. The malware can pilfer credit card numbers, expiration dates, security codes, billing addresses, names, and other sensitive information from the checkout pages of targeted sites.

  • McAfee observed a spike in phishing campaigns that distribute the Ursnif trojan. The phishing emails invoke a sense of urgency or fear to get recipients to open malicious documents that download the malware.

  • A new pro-Russian hacking group dubbed Cyber Spetsnaz has been identified leveraging current geopolitical tensions between Ukraine and Russia to conduct cyberattacks. So far, the group has targeted five Italian logistics terminals—Sech, Trieste, TDT, Yilport, and VTP—along with several financial institutions.

  • The newly discovered SVCReady malware has been active since April. It is being delivered via Microsoft Word documents. The malware includes anti-analysis features and is capable of exfiltrating information and taking screenshots.

  • The Black Basta ransomware group has joined hands with QBot to gain initial access to corporate environments. QBot is used for initial access, while Black Basta is leveraged to spread laterally across a victim's network.

  • In another update, a Linux version of Black Basta is being used in the wild to target VMware ESXi servers. This variant uses the ChaCha20 algorithm for encryption and multithreading to speed it up.

  • QBot was used in multiple phishing campaigns exploiting the critical Follina vulnerability. The attacks were aimed at government agencies in the U.S. and Europe. According to Broadcom, the flaw was also exploited in several cyberespionage campaigns to launch AsyncRAT and other malware.

  • SentinelOne has uncovered a series of activities associated with a new threat actor group called Aoqin Dragon. Some of these activities are ongoing, and a few are found to have begun in 2013. The group is believed to have targeted organizations in the government, education, and telecommunications sectors in Southeast Asia and Australia.

  • Researchers have unwrapped the details of a new stealthy malware dubbed Symbiote. The malware is used predominantly to target the financial sector in Latin America, including banks such as Banco do Brasil and Caixa.

  • Operators have updated Emotet with the capability to siphon credit card information stored in the Chrome web browser. This behavior change follows increased activity during April and a switch to 64-bit modules.

  • A new version of Cuba ransomware was found targeting two organizations in Asia. The updates are aimed at optimizing its execution, minimizing unintended system behavior, and providing technical support for victims to negotiate the ransom.

  • Russian hackers are increasingly targeting the phones of Ukrainian officials with advanced spyware delivered through so-called zero-click attacks, which require no interaction from the victim.

  • Several botnets, such as Kinsing, Hezb, and Dark.IoT, are actively exploiting unpatched Atlassian Confluence Server and Data Center installs to deploy backdoors and cryptominers. Federal agencies have urged customers to patch the flaw to stay protected.

  • The DeadBolt ransomware has evolved its extortion scheme as it continues to target NAS devices from QNAP and Asustor. It is putting pressure on vendors to pay a ransom for a master decryption key that would theoretically work for all victims.
