Cyware Weekly Threat Intelligence, November 09 - 13, 2020

Weekly Threat Briefing • November 13, 2020
The Good
As businesses struggle to stay afloat in the global crisis, security experts and policymakers continue to offer tangible support to protect vulnerable organizations. This week, ENISA released new guidelines to ensure that security is built into the entire lifecycle of IoT product development. In other news, the U.S. Department of Defense (DoD) plans to implement a new supply chain rule under which the agency's prime contractors and subcontractors are required to complete a cybersecurity self-assessment.
The Bad
The week also saw several large data breaches. Organizations such as Prestige Software and Vertafore left data exposed through lapses in their cyber defenses and ended up leaking sensitive information. Apart from this, threat actors were found applying double extortion strategies against their victims. UVM, Campari, and Compal all fell victim to cyberattacks that disrupted their operations.
New Threats
The evolving threat landscape has kept security teams on their toes as new variants of ransomware and trojans were discovered this week. Threat actors are venturing into new regions and expanding their target lists. For instance, the Muhstik botnet has become more capable with the addition of new exploits. A new banking trojan was discovered this week that targets a range of financial apps on mobile devices. Moreover, the fifth hacker-for-hire group of 2020 was disclosed this week.
The Muhstik botnet has been enhanced to exploit additional vulnerabilities affecting Oracle WebLogic Server (CVE-2019-2725, CVE-2017-10271) and Drupal (CVE-2018-7600). The operators monetize their efforts through XMRig and cgminer cryptomining and DDoS-for-hire services.
Researchers have observed an uptick in attacks from Pay2Key and WannaScream ransomware strains against Israeli companies. Hackers breached corporate networks, stole company data, encrypted files, and asked for huge payouts to deliver decryption keys.
Researchers have discovered a new Magecart threat group responsible for a series of attacks against e-commerce websites. Its unique skimmer, dubbed Ant and Cockroach, has been linked to Magecart Group 12 through Svyaz, a Russian hosting provider that has hosted domains connected to the skimmer.
A new banking trojan, dubbed Ghimob, was found infecting mobile devices to target banking, exchange, and cryptocurrency apps in Brazil, Paraguay, Peru, Portugal, Germany, Angola, and Mozambique.
A new version of the CRAT trojan has been discovered, equipped with additional malicious plugins and obfuscation techniques. One of the plugins is a ransomware component known as Hansom. The trojan is attributed to the Lazarus APT group.
Researchers have uncovered a malicious JavaScript library called discord.dll on the npm registry. The package is designed to steal sensitive files from a user's browser and Discord application.
A new modular backdoor malware called ModPipe has been found targeting Point-of-Sale (POS) restaurant management software from Oracle in an attempt to pilfer sensitive payment information.
DarkSide ransomware operators are reportedly building a distributed storage system in Iran to store and leak stolen data. So far, the group has deposited $320,000 on a hacker forum.
BlackBerry has published details about CostaRicto, a new hacker-for-hire mercenary group discovered earlier this year. The group has launched attacks across the Americas, Europe, Australia, Asia, and Africa, with victims concentrated in South Asia, especially Singapore, India, and Bangladesh.