The Good

The world’s first hacking test bed in space is set for launch as the U.S. government aims to secure space systems. Called Moonlighter, the tool will provide opportunities for white hat hackers to perform real-time cyber exercises and test out new technologies. In other news, the Cyber Incident Reporting Council plans to submit a report that includes recommendations for developing an incident-reporting framework across key agencies and regulatory bodies.

• The Cyber Incident Reporting Council is expected to issue a report to Congress with recommendations on developing an incident-reporting framework across key agencies and regulatory bodies. The report will be submitted in the next two months and aims to achieve harmony across a complex network of federal cyber mandates.
• The U.S. government is set to launch into space a new nano-satellite named Moonlighter that will serve as a satellite hacking sandbox. Once deployed, the tool will allow cybersecurity professionals to perform cyber experiments on a satellite that is in space rather than test satellite workbenches that are set up in special laboratories.
• The Python Package Index (PyPI) announced the mandatory use of 2FA for all software publishers, by the end of the year. This will enhance the security of the platform and prevent accounts from being compromised to launch supply chain attacks.

The Bad

Ransomware attacks remained the talk of cyberspace as a biotechnology firm and a non-profit health services provider reported that the attackers stole millions of user data in two different incidents. Meanwhile, Dallas and Suffolk County in New York are struggling to restore the services and systems that were impacted by different ransomware attacks, months back. Separately, there was also a report on Salesforce ghost sites leaking personal and business data as they were left unattended by organizations.

• Salesforce ghost sites—domains that are no longer maintained but still accessible—were found exposing personal and business data. These sites were hosted on domains such as ‘partners.acme.org.00d400.live.siteforce.com’ but made accessible through a short URL such as ‘partners.acme.org’ by configuring DNS records.
• Toyota revealed that hundreds of thousands of customer records were left exposed for years due to cloud configuration issues. The data belonged to customers who subscribed to G-Book (with a G-Book mX or G-Book mX Pro compatible navigation system), and G-Link or G-Link Lite. The exposed data included personal information such as names, addresses, phone numbers, email addresses, customer IDs, VINs, and vehicle registration numbers.
• Harvard Pilgrim Health Care (HPHC) suffered a ransomware attack in April that impacted the sensitive data of over two million people. The organization informed that the attackers maintained access to its systems between March 28 and April 17. The stolen files included full names, phone numbers, dates of birth, Social Security numbers, and taxpayer identification numbers of patients who had registration dates starting from March 28, 2012.
• Experts warned of hackers exploiting a zero-day flaw in MOVEit Transfer software used by thousands of companies. The flaw could lead to privilege escalation and potential unauthorized access to companies’ environments. Progress Software announced that the patches for the flaw will be released as soon as possible.
• A potential backdoor was discovered in the UEFI firmware of hundreds of models of Gigabyte motherboards, thus raising security concerns about hardware supply chain attacks. The backdoor mechanism shares similarities with other OEM backdoor-like features and firmware implants previously used by threat actors.
• Jimbox Protocol was hacked to steal approximately $7.5 million (4000 Ether). It is the latest victim in the growing number of DeFi protocol attacks. In this case, attackers exploited a vulnerability related to the lack of slippage control of liquidity conversions to launch a flash loan attack.
• A financially motivated threat actor is actively scanning the internet for unprotected Apache NiFi instances to covertly install a Kinsing miner and facilitate lateral movement. One of these attacks was carried out via the IP address 109.207.200[.]43 against port 8080 and port 8443/TCP.
• Managed Care of North America (MCNA) Dental disclosed that the personal information of almost nine million patients across more than 100 healthcare providers was compromised in a data breach that occurred in February. Some of these patients were enrolled in Florida Health Kids Corporation (FHKC) and the Florida Agency for Health Care Administration’s Medicaid insurance programs.
• Suffolk County, New York, continues to struggle to recover from an eight-month-old ransomware attack that crippled its digital systems. So far, the incident has cost the County almost $18 million for investigation and restoration.
• Dallas is also slowly recovering from a ransomware attack that affected several of its city services. Dallas Municipal courts reopened but trials and jury duty are yet to resume. Police officers and public library workers are working manually until the system is restored.
• California-based workforce platform Prosperix leaked nearly 250,000 files containing sensitive data, such as home addresses and medical records, of job seekers. These files were stored in a misconfigured Amazon AWS bucket.
• Enzo Biochem revealed that the clinical test information of around 24.7 million individuals was impacted by a ransomware attack. The company is yet to confirm whether employee information was compromised in the attack that occurred on April 6.

New Threats

This week, two new Golang-based malware threats have been spotted by researchers. One of them tracked as GobRAT, was used to infect Linux routers in Japan. The other, called TinyNote, was observed gathering intelligence from Southeast and East Asian embassies. Furthermore, researchers warned of the new version of BlackCat ransomware dubbed Sphynx, which was announced in February 2023 and boasts advanced evasion and encryption techniques.

• Researchers shed light on evolving objectives of the Void Rabisu hacking group as they uncovered a campaign that used a fake version of the Ukrainian army’s Delta situational awareness website to lure targets into installing the RomCom backdoor. While their previous operations were centered on data exfiltration and intelligence collection, the latest campaign suggests their interest in sabotage, disruption, or even financial gain.
• A previously identified botnet, dubbed Horabot, has been tied to a campaign that has been ongoing since November 2020. The campaign targets Spanish-speaking users in America and Brazil. The botnet enables threat actors to control the victim’s Outlook mailbox, collect login credentials from various online accounts, and record keystrokes, and steal operating system information. It also steals one-time security codes or soft tokens from the victim’s online banking applications.
• Security experts uncovered a campaign that delivered a modified version of the AsyncRAT on victims’ systems. Dubbed Operation Red Deer, the phishing campaign impersonated Israel’s postal service and prompted victims to check the status of a missing delivery by clicking on an HTML link.
• JPCERT/CC confirmed that attackers used a new Golang malware, dubbed GobRAT, to infect Linux routers. The attack leveraged known vulnerabilities for propagation and targeted users across Japan. GobRAT is packed with UPX v4 series and uses TLS to communicate with its server.
• A stealthy RAT, named SeroXen, is being sold under the guise of a legitimate remote access tool for Windows 11 and 10 at a monthly fee of $15 or a single lifetime license payment of $60. The trojan is used to target people in the gaming community.
• A new version of the BlackCat ransomware, dubbed Sphynx, packs a number of updated capabilities that strengthen the group’s efforts to evade detection. The ransomware has added a set of more complex command-line arguments to make analysis harder. Additionally, the configuration data of Sphynx comprises raw structures instead of a JSON format.
• The relatively new CryptoClippy trojan has evolved to target a broader range of payment services commonly used in Brazil, researchers at Intezer reported. The malware operators use NSIS installers to deploy the first stage of the attack.
• Researchers shed light on the similarities between BlackSuit and Royal ransomware strains as they both employ intermittent encryption techniques to accelerate the encryption process on victims’ systems. It is believed that BlackSuit emerged from a splinter group within the original Royal ransomware group.
• Group-IB found that the Chinese Dark Pink threat group has amassed five new victims as it expanded its attack scope to target government, education, and military organizations in Belgium, Thailand, and Brunei.
• Android apps infected by a new spyware named SpinOk were collectively installed over 400 million times from the Google Play Store. It can steal account passwords, credit card data, and cryptocurrency wallet addresses.
• Camaro Dragon APT was found using the Go-based TinyNote malware against Southeast and East Asian embassies. The operations of the threat actor overlap with Mustang Panda, a state-sponsored group from China that is known to be active since 2012. The backdoor is designed to meet intelligence-gathering goals and is distributed using names related to foreign affairs.