Cyware Weekly Threat Intelligence - March 21–25

Weekly Threat Briefing • March 25, 2022
The Good
By now, we are all aware of the despicable Lapsus$ gang and its long list of high-profile victims. However, the gang failed to guard itself, and seven suspected members have been arrested. Here's hoping the Lapsus$ chapter will be over soon. Emsisoft released a free decryptor for Diavol ransomware, so victims no longer need to give in to the exorbitant demands of the threat actors by paying a ransom.
Emsisoft released a free decryptor for victims of Diavol ransomware, which the FBI had linked to the infamous TrickBot gang in January. The firm cautions that it cannot guarantee the decrypted files will be identical to the originals, because the ransomware stores no information about the unencrypted files that the decryptor could use to verify its output.
Japan stepped up its cyber defenses by launching a reorganized cyber defense unit that merges previously separate cyber departments. It will protect the Japan Self-Defense Forces' networks against perceived threats from China, North Korea, and Russia.
The Western Australian government announced that it will invest around $20 million to broaden the state's cybersecurity capabilities. The improved services will support secure data exchange between agencies and the identification of and response to cyber threats.
The City of London Police announced the arrest of seven teenage suspects linked to the Lapsus$ gang. Among them are a 16-year-old living in Oxford and a 17-year-old residing in Brazil. None of the suspects has been charged yet.
The U.S. indicted four Russian government employees for their roles in hacking companies in the global energy sector between 2012 and 2018. The campaigns targeted thousands of systems at hundreds of organizations in approximately 135 countries.
The Bad
Attacks against healthcare entities show no sign of ceasing. A healthcare provider with 72 offices across Texas suffered a breach affecting a million Texans. Steam scams have once again gained popularity in the threat landscape: one Esports voting scam is currently making the rounds, targeting users of the video game distribution platform. The Anonymous collective has become very active and claimed Transneft, the Central Bank of Russia, and Nestlé as its victims.
CRM vendor HubSpot was hacked, leading to data breaches at Swan Bitcoin, BlockFi, Circle, and NYDIG; roughly 30 clients were affected in total. The companies stated that their treasuries and operations remain unaffected. The breach was caused by a threat actor gaining access to a HubSpot employee account and using it to target customers in the cryptocurrency sector.
Omega Company, the R&D unit of Russian oil pipeline operator Transneft, was hacked by the Anonymous collective. The hacktivists exfiltrated 79 GB of emails and published them on Distributed Denial of Secrets, a non-profit whistleblower leak site. In a separate incident, the hackers announced they had breached Nestlé and stolen 10 GB of sensitive data, including company emails, passwords, and data on business customers.
Texas-based Jefferson Dental and Orthodontics suffered a data breach that may have affected more than a million Texans. The attack occurred on August 9, 2021, and exposed Social Security numbers, financial information, health insurance information, and driver's license details.
The FBI, in coordination with the Treasury Department and FinCEN, issued a joint cybersecurity advisory warning that AvosLocker ransomware is targeting multiple critical infrastructure sectors in the U.S. The ransomware-as-a-service (RaaS) operation, which works through affiliates, has also hit the financial services, government facilities, and critical manufacturing sectors. The group's leak site lists victims in the U.S., the UAE, the U.K., China, Germany, Syria, Spain, Saudi Arabia, Turkey, and Belgium.
Scammers are sending phishing emails to Facebook users with the subject line "Someone tried to log into your account, user ID". The message contains two buttons, "Report the User" and "Yes, Me". Clicking either button opens a pre-formatted email that asks the target for additional details.
The U.S. National Rifle Association confirmed that it fell victim to a ransomware attack last October. The attack affected its networks, preventing individuals from accessing email or network files.
Fake Esports voting sites are being used against Steam users through Steam-themed Discord channels. The scammers lure users with attractive offers and promise fictitious rewards to recipients who take part. The messages are sent in different languages to reach more users.
The attackers behind RansomEXX ransomware published 12 GB of data stolen from the Scottish Association for Mental Health (SAMH), including individuals' driving licences, passports, home addresses, and phone numbers. In some cases, passwords and credit card details were also exposed.
Researchers found that over 5,000 QNAP NAS devices have been hit by DeadBolt ransomware since January 26. The ransomware demands 0.03 Bitcoin for the decryption key.
An unknown Chinese threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines. Dubbed Operation Dragon Castling, the campaign uses phishing emails as its initial infection vector and exploits a vulnerability in WPS Office to plant the MulCom backdoor on targeted systems.
Hundreds of malicious npm packages were used in a large-scale attack targeting developers who work with Microsoft Azure. The packages impersonated legitimate ones published under scopes such as @azure, @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. Researchers say typosquatting was used to trick developers into installing the malicious packages instead of the genuine ones.
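A practical check against this kind of typosquatting is to compare every dependency name in a manifest against the names a team actually trusts before the install runs. The script below is an added example, not code from the briefing or from the researchers it cites. It flags two patterns: a name that equals a trusted scoped package with its scope dropped or swapped (which is how an npm scope is most easily impersonated), and a name within a small edit distance of a trusted one. The allowlist and the sample package.json are constructed for illustration and are assumptions, not data from the report.

```python
"""Heuristic typosquat check for npm dependency names (added example)."""
import json
import re

# Constructed allowlist (assumption): the scoped and unscoped names this
# project is known to depend on. In practice, generate it from a reviewed lockfile.
KNOWN_GOOD = {
    "@azure/core-http",
    "@azure/identity",
    "@azure-rest/core-client",
    "@azure-tools/test-recorder",
    "@cadl-lang/compiler",
    "lodash",
    "express",
}

SCOPED = re.compile(r"^(@[^/]+)/(.+)$")


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    transpose two adjacent characters each cost 1. Transposition matters
    because 'lodahs' for 'lodash' is a one-step typo, not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_scope(name: str):
    """'@azure/core-http' -> ('@azure', 'core-http'); 'lodash' -> (None, 'lodash')."""
    m = SCOPED.match(name)
    return (m.group(1), m.group(2)) if m else (None, name)


def check_dependency(name: str, known=KNOWN_GOOD, max_distance: int = 2) -> list:
    """Return a list of human-readable findings for one dependency name.
    An exact allowlist match returns an empty list."""
    if name in known:
        return []
    findings = []
    scope, bare = split_scope(name)
    for good in known:
        g_scope, g_bare = split_scope(good)
        # Pattern 1: scope dropped, e.g. 'core-http' standing in for '@azure/core-http'.
        if scope is None and g_scope is not None and bare == g_bare:
            findings.append(f"{name}: unscoped twin of {good}")
            continue
        # Pattern 1b: same bare name published under a look-alike scope.
        if scope is not None and g_scope is not None and scope != g_scope and bare == g_bare:
            findings.append(f"{name}: same name as {good} under a different scope")
            continue
        # Pattern 2: near-miss spelling of the full name.
        dist = damerau_levenshtein(name, good)
        if 0 < dist <= max_distance:
            findings.append(f"{name}: within edit distance {dist} of {good}")
    return findings


def scan_package_json(text: str) -> dict:
    """Map each suspicious dependency name in a package.json to its findings."""
    pkg = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies"):
        for name in pkg.get(section, {}):
            hits = check_dependency(name)
            if hits:
                findings[name] = hits
    return findings


# Constructed sample manifest (assumption): three trusted entries and three look-alikes.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "@azure/core-http": "^2.0.0",
    "core-http": "1.0.0",
    "@azure-tests/identity": "1.0.0",
    "lodash": "^4.17.21",
    "lodahs": "1.0.0",
    "express": "^4.18.0"
  }
}"""

if __name__ == "__main__":
    for dep, hits in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        for hit in hits:
            print("SUSPECT", hit)
```

Run it as a pre-install step in CI and fail the build on any finding; an edit-distance threshold of 2 is deliberately conservative, and long package names will need a reviewer to confirm each hit rather than an automatic block.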
Threat actors are hiding the Vidar information stealer in Microsoft Compiled HTML Help (CHM) files to evade detection in email spam campaigns. The phishing email carries a generic subject line and an attachment named 'request.doc', which is actually an ISO disk image. The ISO contains two files: a CHM help file and an executable.
North Korean hackers exploited a zero-day remote code execution vulnerability (CVE-2022-0609) in the Chrome web browser to attack organizations in the U.S. The campaigns were tracked as Operation Dream Job and Operation AppleJeus. Operation Dream Job targeted over 250 individuals working at 10 different news media, domain registrars, web hosting providers, and software vendors, while Operation AppleJeus affected over 85 users in the cryptocurrency and fintech industries.
Accounts of some customers of Morgan Stanley's wealth and asset management division were compromised following a vishing attack. The scammers impersonated the bank and convinced the victims to share their banking and login credentials. After gaining access to the accounts, the scammers transferred money to their own bank accounts via the Zelle payment service.
The IT infrastructure of Edinburgh's 200-year-old Heriot-Watt University was severely hit by a cyberattack. More than a week later, staff and student directories remain unavailable. The university stated that no data has been stolen.
Hackers knocked a U.K. Ministry of Defence website offline. The Army, which has resorted to paper systems, declared a cyber emergency and launched Op Rhodes. Between 125 and 150 candidates were affected, and some recruits' data was offered for sale for 1 Bitcoin on the dark web.
New Threats
The South Korean DarkHotel gang resurfaced in a new campaign targeting luxury resorts in China, posing as the Macau Government Tourism Office. A new backdoor, dubbed Serpent, was found slithering into the systems of French entities via the Chocolatey package installer. A new phishing technique, named browser-in-the-browser, renders a fake single-sign-on pop-up window inside the page, complete with a spoofed address bar showing a legitimate domain, to pilfer credentials.