Cyware Weekly Threat Intelligence, May 30 - June 03, 2022
Weekly Threat Briefing • Jun 3, 2022
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Weekly Threat Briefing • Jun 3, 2022
There’s always something good to look forward to. Finally, Europol took control of a notorious mobile malware called FluBot that has been spreading aggressively through SMS messages to infect smartphones worldwide. In parallel, the DoJ announced the seizure of three domains used to sell stolen data and DDoS services. An undercover operation to nab three Nigerian global scammers was also accomplished by Interpol. These scammers were arrested for conducting cyber fraud using Agent Tesla trojan.
In a major takedown, an international law enforcement operation involving authorities from 11 countries took action against the notorious FluBot malware that infected smartphone users across the world. Europol revealed that the malware’s infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral.
The U.S Department of Justice announced that they have seized three domains—weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com—that were used by cybercriminals to trade stolen data and facilitate DDoS attacks for hire.
INTERPOL announced the arrest of three suspected global scammers in Nigeria for using RATs, such as Agent Tesla, to facilitate malware-enabled cyber fraud. The scammers used the trojans to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the Middle East, and North Africa.
The Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) unveiled a kill switch to prevent online scams. The latest security measure will be in effect from October 31.
Evil Corp has again managed to dodge U.S. sanctions. This time, it is propagating the LockBit ransomware to evade detection and continue with its extortion process. The defunct Cl0p ransomware group is also back in action, as per the latest report from NCC Group. By adding 21 new victims to its leak site in April, the gang was the fourth most active in the month. There is also an update about the SideWinder APT that has launched more than 1,000 attacks since April 2020. Recently, it added a new custom tool to launch phishing attacks against private and public sector entities in Pakistan.
The city of Portland, Oregon, is investigating a sophisticated cyber scam that resulted in the loss of $1.4 million in April. Preliminary evidence suggests that the attacker gained unauthorized access to a City of Portland email account to conduct this scam.
Kaspersky revealed that the SideWinder APT has launched more than 1,000 attacks since April 2020. The threat actor leveraged over 400 domains and subdomains, with additional stealth mechanisms, to launch attacks. In a different incident, the attackers had developed a custom tool—SideWinder.AntiBot.Script—to launch phishing attacks against private and public sector entities in Pakistan.
The FBI has warned the public again about the fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. Criminal actors are taking advantage of the ongoing crisis by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts.
A phishing attack at Spirit Super, an Australian pension provider, impacted the personal data of 50,000 individuals. However, the compromised data did not include dates of birth, bank account details, and government ID numbers.
A U.K food bank was scammed of $63,000 by scammers in two distinct attacks. While the initial attack leveraged a fake NHS test and Trace message, the second one involved a call by a fake bank.
The Mirror Protocol suffered a loss of more than $2 million after attackers exploited an issue affecting its price-setting software. The amount was drained out from the mBTC, mETH, mDOT, and mGLXY pools.
In an attempt to evade sanctions imposed by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC), Evil Corp has now shifted to deploying LockBit ransomware. Previously, the group deployed the Dridex malware.
A Mexico-based production plant belonging to Foxconn fell victim to a ransomware attack. The LockBit gang claimed responsibility for the attack. Foxconn assured that the impact on its overall operations is minimal, and the recovery will unfold according to a pre-determined plan.
Secureworks spotted a new campaign targeting vulnerable Elasticsearch databases to replace their indexes with a ransom note. The attackers asked for a ransom of $280,000 although no payment has been made yet.
After being out of commission from November 2021 to February 2022, the Cl0p ransomware group is back, as per the latest report from NCC Group. By adding 21 new victims to its leak site in April, the gang was the fourth most active in the month.
BlackCat ransomware group claimed its attack against Regina Public Schools in the Canadian province of Saskatchewan. The threat actors, reportedly, stole 500GB of files containing tax reports, health information, passports, and Social Security numbers.
The team at Zscaler unearthed a new Browser-in-the-Browser (BITB) attack that threatens victims with a sextortion demand or their sensitive information would go public. To make the scam look legitimate, attackers impersonate the Government of India and ask victims to pay up if they wish to avoid imprisonment.
The Costa Rican Social Security Fund (CCSS) was hacked in a major cyberattack. The incident forced the agency to shut its digital record-keeping system down, which impacted nearly 1,200 hospitals and clinics. Patients were advised to cooperate as there could be a delay in carrying out procedures during this situation of emergency.
R4IoT, the next-gen ransomware attack is here and critical infrastructure industries must be prepared to deal with it. As demonstrated by a group of researchers, the attack method specifically targets OT, rather than just IT, to distribute ransomware. Meanwhile, the operators behind the Clipminer botnet have raked over $1.7 million that was deposited in 4,375 cryptocurrency wallet addresses. The FBI, along with other security agencies, raised alarm about the capabilities and activities of the Karakurt threat group by highlighting the repercussions of paying a ransom.