
Cyware Weekly Threat Intelligence - June 17–21

Weekly Threat Briefing Jun 24, 2024

The Good

In a move aimed at fortifying the intricate web of global energy supply chains, the DOE unveiled a set of robust Supply Chain Cybersecurity Principles. These guidelines, endorsed by key industry suppliers and manufacturers, aim to strengthen defenses against cyber threats targeting critical technologies in electricity, oil, and natural gas systems globally. Simultaneously, in a show of international solidarity and foresight, G7 nations have come together to forge a collective cybersecurity framework specifically tailored for operational technologies within the energy sector. This pioneering framework is meticulously crafted to mitigate the inherent vulnerabilities of energy systems to cyberattacks, with a particular emphasis on the cybersecurity of cutting-edge digital clean energy technologies.

  • The U.S. Department of Energy released Supply Chain Cybersecurity Principles, backed by prominent suppliers and manufacturers, to strengthen cybersecurity in global energy supply chains. The principles create a framework to strengthen key technologies used to manage and operate electricity, oil, and natural gas systems around the world. The principles were developed for manufacturers and end users alike to improve the cybersecurity of energy supply chains.

  • The Group of Seven (G7) countries agreed to establish a collective cybersecurity framework for operational technologies in the energy sector. This framework aims to address the vulnerability of energy systems to cyberattacks and ensure the cybersecurity of new digital clean energy technologies. The leaders also discussed various cybersecurity issues, including ransomware and cyberattacks by adversarial countries, and announced the creation of a G7 Cybersecurity Working Group.

  • CISA and the Election Assistance Commission (EAC) have released a communications guide to help state and local election offices convey accurate information about election administration and security. The guide aims to help election officials develop a public communications plan to provide voters with accurate information about election processes and security measures. It emphasizes the importance of election officials being the "trusted, authoritative sources" for election information and of communicating effectively during incident response.

  • The DHS released new guidance to help critical infrastructure sectors better defend against cybersecurity threats from nation-state adversaries and emerging technologies like AI and quantum computing. The agency called on Sector Risk Management Agencies to work with critical infrastructure owners and operators to develop and implement resilience measures. These measures should include response plans to quickly recover from shocks and anticipate the cascading impacts of cyberattacks. The DHS also plans to expand its Space Systems Critical Infrastructure Working Group to prioritize and mitigate space-related risks to critical infrastructure.

The Bad

In an unrelenting cyber onslaught, Chinese state-affiliated hackers have been zeroing in on telecom operators in an Asian nation since 2021. Employing custom malware like Coolclient, Quickheal, and Rainyday, their tactics paint a clear picture of state-sponsored meddling. Meanwhile, ANSSI sounded alarms over Midnight Blizzard, which launched a sophisticated phishing campaign against France's Ministry of Foreign Affairs. On another front, a malvertising campaign enticed users to download tainted installers for popular software like Google Chrome and Microsoft Teams.

  • Chinese state-linked espionage groups have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers used custom malware variants including Coolclient, Quickheal, and Rainyday, along with various tactics and procedures to compromise targets, suggesting Chinese state sponsorship. The motives behind the campaign remain uncertain, but potential objectives include intelligence gathering and developing disruptive capabilities against critical infrastructure.

  • ANSSI warned that a Russian state-sponsored hacking group, Midnight Blizzard (aka Cozy Bear and APT29), targeted the French Ministry of Foreign Affairs using compromised emails of government staffers from the Foreign Ministry of Culture and the National Agency for Territorial Cohesion. The group attempted to infiltrate the networks using phishing campaigns, but ANSSI concluded that the hackers were unable to move laterally into government systems.

  • Rapid7 observed a malvertising campaign that tricked users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams, leading to the deployment of the Oyster backdoor. The Oyster backdoor, also known as Broomstick, was delivered without the Oyster Installer and exhibited hands-on keyboard activity as well as the deployment of additional payloads. The backdoor component, CleanUpLoader, collected system information, communicated with C2 domains, and executed follow-on activities such as spawning PowerShell scripts and additional payloads.

  • A widespread malicious campaign has been targeting cryptocurrency users through a fake virtual meeting software called Vortax. Once installed, Vortax delivers three information stealers aimed at cryptocurrency theft, including a rare macOS infostealer, AMOS. The campaign is linked to a threat actor previously identified as ‘markopolo’. The researchers recommend updating detection systems for AMOS, educating users about downloading unapproved software, implementing strict security controls, and encouraging reporting of suspicious activities on social media and other platforms.

  • The Void Arachne threat group has been targeting Chinese-speaking users with malicious Windows Installer (MSI) files. These files contain legitimate software but are bundled with malicious payloads. The campaign uses SEO poisoning, social media, and messaging platforms to distribute malware. The operators exploit public interest in AI technologies and promote nudifiers, deepfake pornography-generating software, and AI voice and facial technologies. The malware installs a backdoor, potentially compromising entire systems.

  • The Chinese cyberespionage group Velvet Ant used custom malware to target F5 BIG-IP appliances to breach target networks and gain persistent access for espionage purposes. The threat actor exploited vulnerabilities in the appliances, established multiple footholds within the target organization's network, and deployed malware such as PlugX RAT. The group demonstrated agility and deep understanding of the target's network infrastructure, evading detection from traditional log monitoring solutions.

  • Legitimate websites are being used to deliver a Windows backdoor, BadSpace, through fake browser updates. The multi-stage attack chain involves infected websites, command-and-control servers, fake browser updates, and a JScript downloader to deploy the backdoor. The BadSpace backdoor is capable of anti-sandbox checks, system information harvesting, and executing commands, highlighting the advanced capabilities of the malware.

New Threats

A grave vulnerability, dubbed CosmicSting, has thrown a wrench into about 75% of Adobe Commerce and Magento e-commerce sites, exposing millions to XML external entity injection and remote code execution risks. In another alarming development, Eclypsium exposed CVE-2024-0762 in Phoenix SecureCore UEFI firmware, impacting PCs running on various Intel Core processor families. Nicknamed ‘UEFIcanhazbufferoverflow’, this flaw allows local attackers to escalate privileges and execute harmful code within the firmware. Researchers unveiled SquidLoader, a new evasive malware loader targeting Chinese organizations via phishing campaigns.

  • A critical vulnerability called CosmicSting is impacting around 75% of Adobe Commerce and Magento e-commerce sites, leaving millions of websites vulnerable to XML external entity injection and remote code execution. The bug is tracked as CVE-2024-34102 and has a CVSS score of 9.8. Adobe has released fixes for the vulnerability in versions: Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Extended Support 2.4.3-ext-8 and earlier; Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; and Adobe Commerce Webhooks Plugin version 1.5.0.

  • Eclypsium detailed a security flaw, tracked as CVE-2024-0762, in Phoenix SecureCore UEFI firmware that affects various Intel Core processor families. The vulnerability, known as ‘UEFIcanhazbufferoverflow’, could allow local attackers to escalate privileges and execute malicious code within the firmware. This type of exploitation is characteristic of firmware backdoors and poses a significant supply chain risk.

  • AT&T LevelBlue Labs discovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. It uses various techniques to avoid detection and analysis while fetching second-stage shellcode payloads. Techniques include encrypted code segments, pointless unused code, Control Flow Graph obfuscation, debugger detection, and direct syscalls instead of Windows NT APIs.

  • Fortinet spotted a new Rust-based malware called Fickle Stealer, targeting Microsoft Windows users. The attack chain consists of three stages: Delivery, Preparatory Work, and Packer and Stealer Payload. The delivery is done through a VBA dropper, VBA downloader, link downloader, and executable downloader. The preparatory work involves scripts that bypass User Account Control, create new tasks, and send messages to a Telegram bot. The Packer disguises Fickle Stealer as a legitimate executable to avoid static analysis.

  • A new malware distribution campaign has been observed using fake Google Chrome, Word, and OneDrive errors to trick users into running malicious PowerShell "fixes" that install malware. Threat actors behind ClearFake, ClickFix, and TA571 are involved. The attacks involve compromised websites, fake browser updates, and email-based infection chains. The malware payloads include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

  • VMware by Broadcom disclosed critical-rated flaws, CVE-2024-37079 and CVE-2024-37080, in vCenter Server, which could allow remote code execution by malicious actors. The flaws are related to the DCE/RPC protocol and impact the management of virtual machines. A patched version of vCenter Server and Cloud Foundation is available, but older versions of vSphere may be affected and remain unfixed. Additionally, a local privilege escalation vulnerability, CVE-2024-37081, has been identified.
