Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Skip to main content

Cyware Weekly Threat Intelligence - June 19–23

Cyware Weekly Threat Intelligence - October 02–06 - Featured Image

Weekly Threat Briefing Jun 23, 2023

The Good

As more water utility companies are turning to automated control systems and sensors, it has become very important to protect these organizations from sophisticated cyberattacks to ensure a continuous supply of drinking water and wastewater treatment. Taking some constructive steps in this line, the NIST is in the process of launching its first-ever cybersecurity framework for water and wastewater systems (WWS). Furthermore, an additional amount of $7.5 million per year has been proposed under the new Cybersecurity for Rural Water Systems Act of 2023 to increase cybersecurity funding for rural water systems.

  • The U.K NCSC has updated cybersecurity guidance for the legal sector to help law firms, lawyers, and legal practices to understand and mitigate the latest cyber threats. The guidance is compiled with the help of NCSC’s in-house cybersecurity experts, the Law Society, the Bar Council, the Solicitors Regulation Authority, and the National Crime Agency.
  • The NIST is in the process of launching its first-ever cybersecurity framework to address cybersecurity challenges in water and wastewater systems (WWS). The four areas of focus include asset management, data integrity, remote access, and network segmentation. The agency has sought input from technology vendors, water sector members, and other key stakeholders on a practical reference guide. Furthermore, an additional amount of $7.5 million per year has been proposed under the new Cybersecurity for Rural Water Systems Act of 2023 to increase cybersecurity funding for rural water systems.
  • The DOJ announced a new National Security Cyber Section to increase its ability to disrupt and prosecute cyber nation-state threat actors and state-sponsored cybercriminals. The new section will also bolster intra-governmental collaboration between the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) and the FBI’s Cyber Division.

The Bad

The MOVEit ransomware attack remained the talk of the cybersecurity landscape as more and more victim names came forth. These include the largest public pension fund firm in the U.S., the Metro Vancouver Transit Police, the University of Missouri, and a Colorado state agency. In a separate incident, a triple extortion attack was also reported, wherein attackers are contacting the impacted individuals to put pressure on the U.K’s University of Manchester to pay a ransom.

  • Car mount and mobile accessory maker iOttie disclosed a data breach that affected the credit cards and personal information of online shoppers. Threat actors compromised the company’s site with malicious scripts and maintained persistence for almost two months, between April and June.
  • Chinese APT groups exploited a 17-year-old Microsoft Office vulnerability in May to target foreign government officials who attended the G7 summit in Hiroshima, Japan. The exploit code was sent via a phishing email that pretended to be from Indonesia’s Ministry of External Affairs and the Department of Economic Affairs. The email contained a rich text file to lure the officials.
  • The BlackCat ransomware group claimed to possess the personal information and pictures of patients, allegedly stolen from a Beverly Hills plastic surgery clinic. The group, further, mentioned that it would start to release the information if its ransom demand is not fulfilled.
  • UPS Canada warned its customers of potential phishing attacks stemming from an earlier data breach that may have affected their personal details. The notification revealed that some of its customers had received fraudulent text messages demanding payment for a package to be delivered.
  • The UK’s University of Manchester is under a triple extortion attack after an unauthorized party accessed some of its systems. The attackers are putting pressure on the university to pay a ransom by contacting the impacted students.
  • Recorded Future’s Insikt Group in partnership with CERT-UA uncovered a new spear-phishing campaign targeting high-profile entities in Ukraine. Tracked as BlueDelta, the campaign appears to be operational since November 2021. The campaign leverages news themes related to Ukraine to convince recipients into opening phishing emails.
  • The fresh produce giant Dole said that the data of almost 3,900 U.S. workers was compromised in the February ransomware attack. The attack had briefly forced the company to shut down its North American operations. The information accessed by hackers includes the names, addresses, passport numbers, dates of birth, phone numbers, and driver’s license numbers of employees.
  • The personal data of at least 2.5 million Genworth Financial policyholders and 769,000 retired California workers and beneficiaries associated with PBI Research Services was stolen by the Cl0p group in the infamous MOVEit ransomware hack. Among the other victims that came forth were the Metro Vancouver Transit Police, the University of Missouri, and a Colorado state agency.
  • Hawai'i Community College is dealing with a ransomware attack that knocked off its network. The ransomware group named N0_Esc4pe claimed responsibility for the attack and threatened to leak 65 GB of data stolen from the college.
  • A database containing 255,756 records, worth 93.93 GB, was left publicly available. Researchers claimed that the unprotected database belonged to RateForce and contained scans and images of various documents, including vehicle registrations, driver’s licenses, insurance cards, vehicle titles, and state Medicaid health coverage cards.

New Threats

The discovery of a variety of new info-stealers also raised concerns for security researchers. One of these tracked as Mystic Stealer is capable of targeting 40 web browsers, 70 browser extensions, and 21 cryptocurrency applications. The others are named FadeStealer and RDStealer and can allow threat actors to harvest device and user information.

  • Microsoft shared details about a cryptojacking campaign that has been targeting internet-exposed Linux systems and IoT devices. These devices were compromised via brute-force attacks that enabled attackers to deploy backdoors into the devices. The backdoor further allowed attackers to install Reptile and Diamorphine open-source LKM rootkits to hide malicious activity on the hacked systems.

  • China-linked APT15 hacking group (aka Flea) was found using a new Graphican backdoor in a long-running campaign that targeted foreign affairs ministers in the Americas. The backdoor shares similarities with Ketrican, another backdoor used by APT15 in previous attacks. Attackers leveraged a critical flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) that was patched in 2020, to gain initial access.

  • A multi-stage phishing campaign, dubbed MULTI#STORM, involving Python-based loader malware was observed delivering Warzone and Quasar RATs onto the victims’ systems. Some of the victims were located in the U.S. and India. The functionalities of the loader malware were similar to DBatLoader.

  • Millions of GitHub repositories, including those of Google and Lyft, are susceptible to RepoJacking attacks. The attack can enable threat actors to rename the original repositories with their repositories, which may include malware.

  • A Linux version of Trigona ransomware that shares similarities with its Windows counterpart was released. The highest number of ransomware attacks were detected in Israel, Turkey, Brazil, and Italy, with targeted organizations in the technology and healthcare industries.

  • A new strain of JavaScript dropper, tracked as PindOS, was observed delivering next-stage payloads like Bumblebee and IcedID. The dropper, containing comments in Russian, employs a unique user-agent string that has reference to current and past anti-American sentiment in Russia.

  • The North Korean state-sponsored hacking group APT37, aka ScarCruft, reemerged with a new malware dubbed FadeStealer. The malware contains a wiretapping feature that allows the threat actor to eavesdrop on victims’ microphones. The malware was distributed along with a Golang-based backdoor that exploited the Ably platform.

  • A cyberespionage operation deploying RDStealer on systems in East Asia was observed by Bitdefender Labs. The malware was used to steal data from drives through RDP connections. The operation initially relied on commonly available malware such as AsyncRAT and hacking tools like Cobalt Strike. However, in late 2021 or early 2022, the threat actors switched to custom-made malware to avoid detection.

  • Cyfirma and Zscaler published two simultaneous reports on a new info-stealer, named Mystic Stealer. The malware targets a wide range of applications and platforms, including 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, nine MFA and password management applications, 55 cryptocurrency browser extensions, as well as Steam and Telegram credentials.

  • ASEC researchers uncovered a new campaign distributing the Tsunami botnet on inadequately managed Linux SSH servers. The botnet was distributed alongside other malware such as ShellBot, XMRig miner, and Log Cleaner to carry out DDoS and cryptomining attacks.

Related Threat Briefings

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.