Cyware Weekly Threat Intelligence - June 19–23
Weekly Threat Briefing • Jun 23, 2023
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jun 23, 2023
As more water utility companies are turning to automated control systems and sensors, it has become very important to protect these organizations from sophisticated cyberattacks to ensure a continuous supply of drinking water and wastewater treatment. Taking some constructive steps in this line, the NIST is in the process of launching its first-ever cybersecurity framework for water and wastewater systems (WWS). Furthermore, an additional amount of $7.5 million per year has been proposed under the new Cybersecurity for Rural Water Systems Act of 2023 to increase cybersecurity funding for rural water systems.
The MOVEit ransomware attack remained the talk of the cybersecurity landscape as more and more victim names came forth. These include the largest public pension fund firm in the U.S., the Metro Vancouver Transit Police, the University of Missouri, and a Colorado state agency. In a separate incident, a triple extortion attack was also reported, wherein attackers are contacting the impacted individuals to put pressure on the U.K’s University of Manchester to pay a ransom.
The discovery of a variety of new info-stealers also raised concerns for security researchers. One of these tracked as Mystic Stealer is capable of targeting 40 web browsers, 70 browser extensions, and 21 cryptocurrency applications. The others are named FadeStealer and RDStealer and can allow threat actors to harvest device and user information.
Microsoft shared details about a cryptojacking campaign that has been targeting internet-exposed Linux systems and IoT devices. These devices were compromised via brute-force attacks that enabled attackers to deploy backdoors into the devices. The backdoor further allowed attackers to install Reptile and Diamorphine open-source LKM rootkits to hide malicious activity on the hacked systems.
China-linked APT15 hacking group (aka Flea) was found using a new Graphican backdoor in a long-running campaign that targeted foreign affairs ministers in the Americas. The backdoor shares similarities with Ketrican, another backdoor used by APT15 in previous attacks. Attackers leveraged a critical flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) that was patched in 2020, to gain initial access.
A multi-stage phishing campaign, dubbed MULTI#STORM, involving Python-based loader malware was observed delivering Warzone and Quasar RATs onto the victims’ systems. Some of the victims were located in the U.S. and India. The functionalities of the loader malware were similar to DBatLoader.
Millions of GitHub repositories, including those of Google and Lyft, are susceptible to RepoJacking attacks. The attack can enable threat actors to rename the original repositories with their repositories, which may include malware.
A Linux version of Trigona ransomware that shares similarities with its Windows counterpart was released. The highest number of ransomware attacks were detected in Israel, Turkey, Brazil, and Italy, with targeted organizations in the technology and healthcare industries.
A new strain of JavaScript dropper, tracked as PindOS, was observed delivering next-stage payloads like Bumblebee and IcedID. The dropper, containing comments in Russian, employs a unique user-agent string that has reference to current and past anti-American sentiment in Russia.
The North Korean state-sponsored hacking group APT37, aka ScarCruft, reemerged with a new malware dubbed FadeStealer. The malware contains a wiretapping feature that allows the threat actor to eavesdrop on victims’ microphones. The malware was distributed along with a Golang-based backdoor that exploited the Ably platform.
A cyberespionage operation deploying RDStealer on systems in East Asia was observed by Bitdefender Labs. The malware was used to steal data from drives through RDP connections. The operation initially relied on commonly available malware such as AsyncRAT and hacking tools like Cobalt Strike. However, in late 2021 or early 2022, the threat actors switched to custom-made malware to avoid detection.
Cyfirma and Zscaler published two simultaneous reports on a new info-stealer, named Mystic Stealer. The malware targets a wide range of applications and platforms, including 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, nine MFA and password management applications, 55 cryptocurrency browser extensions, as well as Steam and Telegram credentials.
ASEC researchers uncovered a new campaign distributing the Tsunami botnet on inadequately managed Linux SSH servers. The botnet was distributed alongside other malware such as ShellBot, XMRig miner, and Log Cleaner to carry out DDoS and cryptomining attacks.