Cyware Weekly Threat Intelligence - June 17–21

Weekly Threat Briefing • Jun 24, 2024
In a move aimed at fortifying the intricate web of global energy supply chains, the DOE unveiled a set of robust Supply Chain Cybersecurity Principles. These guidelines, endorsed by key industry suppliers and manufacturers, aim to strengthen defenses against cyber threats targeting critical technologies in electricity, oil, and natural gas systems globally. Simultaneously, in a show of international solidarity and foresight, G7 nations have come together to forge a collective cybersecurity framework specifically tailored for operational technologies within the energy sector. This pioneering framework is meticulously crafted to mitigate the inherent vulnerabilities of energy systems to cyberattacks, with a particular emphasis on the cybersecurity of cutting-edge digital clean energy technologies.
The U.S. Department of Energy released Supply Chain Cybersecurity Principles, backed by prominent suppliers and manufacturers, to strengthen cybersecurity in global energy supply chains. The principles create a framework to strengthen key technologies used to manage and operate electricity, oil, and natural gas systems around the world. The principles were developed for manufacturers and end users alike to improve the cybersecurity of energy supply chains.
The Group of Seven (G7) countries agreed to establish a collective cybersecurity framework for operational technologies in the energy sector. This framework aims to address the vulnerability of energy systems to cyberattacks and ensure the cyber security of new digital clean energy technologies. The leaders also discussed various cybersecurity issues, including ransomware and cyberattacks by adversarial countries, and announced the creation of a G7 Cybersecurity Working Group.
CISA and the Election Assistance Commission (EAC) have released a communications guide to help state and local election offices convey accurate information about election administration and security. The guide aims to help election officials develop a public communications plan that gives voters accurate information about election processes and security measures. It emphasizes the importance of election officials being the "trusted, authoritative sources" for election information and of communicating effectively during incident response.
The DHS released new guidance to help critical infrastructure sectors better defend against cybersecurity threats from nation-state adversaries and emerging technologies like AI and quantum computing. The agency called on Sector Risk Management Agencies to work with critical infrastructure owners and operators to develop and implement resilience measures. These measures should include response plans to quickly recover from shocks and anticipate the cascading impacts of cyberattacks. The DHS also plans to expand its Space Systems Critical Infrastructure Working Group to prioritize and mitigate space-related risks to critical infrastructure.
In an unrelenting cyber onslaught, Chinese state-affiliated hackers have been zeroing in on telecom operators in an Asian nation since 2021. Employing custom malware like Coolclient, Quickheal, and Rainyday, their tactics paint a clear picture of state-sponsored meddling. Meanwhile, ANSSI sounded alarms over Midnight Blizzard, which launched a sophisticated phishing campaign against France's Ministry of Foreign Affairs. On another front, a malvertising campaign enticed users to download tainted installers for popular software like Google Chrome and Microsoft Teams.
Chinese state-linked espionage groups have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers used custom malware variants including Coolclient, Quickheal, and Rainyday, along with various tactics and procedures to compromise targets, suggesting Chinese state sponsorship. The motives behind the campaign remain uncertain, but potential objectives include intelligence gathering and developing disruptive capabilities against critical infrastructure.
ANSSI warned that a Russian state-sponsored hacking group, Midnight Blizzard (aka Cozy Bear and APT29), targeted the French Ministry of Foreign Affairs using compromised emails of government staffers from the Foreign Ministry of Culture and the National Agency for Territorial Cohesion. The group attempted to infiltrate the networks using phishing campaigns, but ANSSI concluded that the hackers were unable to move laterally into government systems.
Rapid7 observed a malvertising campaign that tricked users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams, leading to the deployment of the Oyster backdoor. The Oyster backdoor, also known as Broomstick, was delivered without the Oyster Installer and exhibited hands-on keyboard activity as well as the deployment of additional payloads. The backdoor component, CleanUpLoader, collected system information, communicated with C2 domains, and executed follow-on activities such as spawning PowerShell scripts and additional payloads.
A widespread malicious campaign has been targeting cryptocurrency users through a fake virtual meeting software called Vortax. Once installed, Vortax delivers three information stealers aimed at cryptocurrency theft, including a rare macOS infostealer, AMOS. The campaign is linked to a threat actor previously identified as ‘markopolo’. The researchers recommend updating detection systems for AMOS, educating users about downloading unapproved software, implementing strict security controls, and encouraging reporting of suspicious activities on social media and other platforms.
The Void Arachne threat group has been targeting Chinese-speaking users with malicious Windows Installer (MSI) files. These files contain legitimate software bundled with malicious payloads. The campaign uses SEO poisoning, social media, and messaging platforms to distribute the malware. The attackers exploit public interest in AI technologies, promoting nudifiers, deepfake pornography-generating software, and AI voice and facial technologies as lures. The malware installs a backdoor, potentially compromising entire systems.
The Chinese cyberespionage group Velvet Ant used custom malware against F5 BIG-IP appliances to breach target networks and gain persistent access for espionage purposes. The threat actor exploited vulnerabilities in the appliances, established multiple footholds within the target organization's network, and deployed malware such as the PlugX RAT. The group demonstrated agility and a deep understanding of the target's network infrastructure, evading detection by traditional log monitoring solutions.
Legitimate websites are being used to deliver a Windows backdoor, BadSpace, through fake browser updates. The multi-stage attack chain involves infected websites, command-and-control servers, fake browser updates, and a JScript downloader to deploy the backdoor. The BadSpace backdoor is capable of anti-sandbox checks, system information harvesting, and executing commands, highlighting the advanced capabilities of the malware.
A grave vulnerability, dubbed CosmicSting, has thrown a wrench into about 75% of Adobe Commerce and Magento e-commerce sites, exposing millions to XML external entity injection and remote code execution risks. In another alarming development, Eclypsium exposed CVE-2024-0762 in Phoenix SecureCore UEFI firmware, impacting PCs running on various Intel Core processor families. Nicknamed ‘UEFIcanhazbufferoverflow’, this flaw allows local attackers to escalate privileges and execute harmful code within the firmware. Researchers unveiled SquidLoader, a new evasive malware loader targeting Chinese organizations via phishing campaigns.