Cyware Weekly Threat Intelligence - March 20–24
Weekly Threat Briefing • Mar 24, 2023
We use cookies to improve your experience. Do you accept?
Weekly Threat Briefing • Mar 24, 2023
A good number of cybersecurity approaches to deal with advanced and sophisticated cyber threats were disclosed this week. One of these involved a new open-source incident response tool released by the CISA. The tool is designed to detect signs of malicious activity across different Microsoft cloud environments. In another significant development, the U.K’s NCSC announced two new services—Cyber Action Plan and Check Your Cyber Security—to help small businesses effectively deal with cyber risks.
The infamous GoAnywhere MFT hacking incident continues to be in the headlines as the notorious Cl0p ransomware gang exposed a list of new victims. This includes a luxury brand retailer in the U.S., a British multinational conglomerate, and the City of Toronto. Apart from this, the LockBit gang took credit for the attack on the City of Oakland while setting a ransom demand deadline for the government to prevent the stolen files from being exposed. In other concerning news, a popular streaming platform had put the personal data of nearly 37 million subscribers at risk due to an unprotected Elasticsearch database.
Lionsgate streaming platform leaked nearly 37 million subscribers’ IP addresses and data due to an unprotected Elasticsearch database. The entries in the database were old as May 2022 and also contained other information such as the platform’s usage data, search queries entered by users, and titles of URLs.
Fresh product giant Dole Food Company revealed that the ransomware attack in February compromised the information of an undisclosed number of employees. Furthermore, the incident impacted several operations, which led to a shortage of Dole products on store shelves for over a week.
Saks Fifth Avenue has emerged as the newest victim of aggressive Cl0p ransomware attacks that compromised over 130 organizations. Other victims include the City of Toronto, the Pension Protection Fund, and Virgin Group (the U.K). These organizations were impacted by attacks that exploited vulnerable GoAnywhere MFT servers. The ransomware gang claimed the attack by sharing the name of the retail firm on its leak site.
On March 20, Ferrari revealed that its Italian subsidiary, Ferrari S.p.A, was the victim of a ransomware attack. The attacker has demanded a ransom to prevent the leak of contact details of clients. At present, the luxury sports cars company claims that there is no evidence of sensitive data being accessed and that there is no impact on its operations.
Over 2,400 phishing pages impersonating well-known companies in the logistics, food & beverage, and petroleum industries were used to target Arabic-speaking job seekers. The campaign was active from January 2022 to January 2023 and lured victims with web pages containing descriptions about fake vacancies.
The LockBit gang has threatened to leak the files and data stolen from the City of Oakland’s systems. The attackers have given a 19-day deadline after which they plan to publish the stolen data. However, the city is yet to issue a statement regarding the claims.
The Play ransomware gang took responsibility for the attack on the logistics company Royal Dirkzwager. The gang added the company’s name to its Tor leak site and announced the theft of stolen private and personal information, including employee IDs, passports, and contracts.
The personal data of nearly one million users connected with PowderRoom, a beauty content platform in South Korea, is at risk due to a leaky database. The database was publicly available for over a year and included full names, email addresses, Instagram usernames, and home addresses of users.
This week, a new wave of Magecart attacks was observed against multiple Magento and WooCommerce sites. In one of these campaigns, researchers found the emergence of a Kritec skimmer that masqueraded as Google Tag Manager. There is also an update on the FakeGPT campaign that was first discovered on March 14. The attackers have launched a new Chrome extension called ‘Chat GPT for Google’ to ensnare more Facebook user accounts.
In a joint advisory, the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warned that the notorious Kimsuky APT is using a malicious Chrome extension and Android apps to intercept and steal victims’ email content. The campaign is aimed at diplomats, journalists, government agencies, university professors, and politicians in South Korea, the U.S., and Europe.
A new Kritec skimming malware was used in Magecart attacks to target Magento stores. The malware masqueraded as a legitimate Google Tag Manager to evade detection. Once executed, the stolen credit card details were exfiltrated twice - one via a WebSocket skimmer and the other via a POST request. Apart from abusing Google Tag Manager, Magecart actors were also found hiding malicious code inside the ‘Authorize[.]net’ payment gate module for WooCommerce to steal credit card details.
Researchers disclosed a campaign where the North Korea-based ScarCruft APT used Microsoft Compiled HTML Help (CHM) files to deploy malware on targeted machines. The latest development illustrates the group’s continuous efforts to refine its tactic to bypass detection.
A new Android banking trojan, dubbed Nexus, is being used by several threat actors to target 450 financial applications and conduct fraud. While it is still under development, the trojan provides all the main features to perform ATO attacks against banking portals and cryptocurrency services. The trojan is advertised on various hacking forums for a monthly fee of $3,000.
The PoC for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites has been released, indicating that organizations using these products must immediately apply security patches to stay safe. One of these flaws is related to a remote command execution vulnerability.
Government agencies and organizations operating in Russia-occupied territories of Ukraine are being targeted with new malware strains, named CommonMagic and PowerMagic. Active since September 2021, the malware are designed to steal data from victims’ devices. They are distributed via phishing emails with a link to a ZIP archive.
Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the notorious RedLine information stealer. The infection chain starts with a phishing email that asks recipients to verify a report by clicking on the review and sign button. Once the victim clicks on the button, they are redirected to a site that asks them to enter a CAPTCHA that is hard coded. Consequently, the victim downloads the ZIP archive that contains the trojan.
Attackers have been found impersonating legitimate packages via typosquatting to infect .NET developers with cryptocurrency stealers. These malicious packages are delivered through the NuGet repository, with three of them being downloaded over 150,000 times within a month. The malicious packages are designed to download and execute a PowerShell-based dropper script that configures the compromised system before dropping the second-stage payload.
The threat group tracked as REF2924 has been found deploying previously unseen malware in its attacks against entities in South and Southeast Asia. The malware, dubbed NAPLISTENER, is an HTTP listener programmed in C# and is designed to evade network-based forms of detection. In addition to NAPLISTENER, the hacking group has also been associated with multiple custom malware tracked as SiestaGraph and Somnirecord, among others.
A new variant of BlackGuard stealer has been spotted with capabilities like USB propagation, persistence mechanisms, and targeting additional crypto wallets. While the developers are constantly improving the malware, researchers warn that the new variant is being widely used to launch attacks.
A new variant of the FakeGPT Chrome extension titled ‘Chat GPT for Google’ is targeting Facebook users in an attempt to hijack their accounts. The attack is an extension of the FakeGPT campaign that was discovered on March 14. This time, the malicious extension is not pushed using sponsored Facebook posts but rather is distributed by abusing Google Ads.