
Cyware Weekly Threat Intelligence - November 13–17

Weekly Threat Briefing Nov 17, 2023

The Good

While AI is touted to hold immense potential to enhance national cybersecurity, it also has a flip side, which may invite complex cyber risks. To mitigate the risks, the DHS has issued a roadmap that focuses on bolstering the digital ecosystem with AI tools. In another development, the FCC has proposed a pilot program to enhance the cybersecurity of K-12 schools and libraries. The initiative has been taken following a recent spate of cyberattacks that impacted the sensitive information of students and employees.

  • The DHS and the CISA released the first Roadmap to AI to ensure the secure development and implementation of AI capabilities across public and private organizations. As part of the effort, the roadmap outlines five strategies to help organizations build a resilient digital ecosystem while leveraging AI tools. These include using AI responsibly to support CISA’s mission, assessing and assuring AI systems, protecting critical infrastructure from malicious AI use, collaborating on key AI efforts, and expanding AI expertise in the workforce.

  • The FCC proposed creating a pilot program to help K-12 schools and libraries across the U.S. defend against rising cyber threats. Titled ‘Schools and Libraries Cybersecurity Pilot Program’, the initiative will run for three years with a budget of up to $200 million, with a primary focus on using advanced firewall services and enhancing the security of broadband networks and data.

  • The FBI dismantled the IPStorm botnet proxy network and its infrastructure after the hacker behind the operation pleaded guilty. The botnet was taken down along with its 23,000 proxies from all over the world. These proxies were used to infect over 13,5000 Linux, Mac, and Android devices across the U.S., Europe, and Asia. According to the DOJ, the convict sold illegitimate access to the infected devices, making a profit of at least $550,000 from the sale.

The Bad

Vulnerable software leading to the compromise of sensitive data serves as a stark reminder to organizations of the importance of securing it. For instance, the LockBit ransomware gang exploited the Citrix Bleed vulnerability to breach the networks of large organizations and steal their data. Besides this, the group was also in the news for leaking over 43GB of data it stole from Boeing. In another incident involving in-the-wild exploitation of vulnerabilities, the Russian GRU hacked 22 energy companies in Denmark by abusing Zyxel firewall vulnerabilities.

  • A cyberattack on international logistics firm DP World severely disrupted regular freight operations across multiple ports in Australia. In response, the company activated its emergency plans and engaged with cybersecurity experts to resolve problems caused by the incident. While investigations are ongoing, the firm fears the possibility of unauthorized access to data by perpetrators.

  • Threat actors exploited Ethereum's Create2 opcode function to bypass wallet security alerts and steal $60 million worth of cryptocurrency from 99,000 people over six months. The opcode, originally designed for contract address anticipation, was abused by scammers to create addresses with bad signatures, thus enabling them to evade security checks. While one victim reportedly lost up to $1.6 million, 11 victims collectively suffered a loss of $3 million.

  • The LockBit ransomware group leaked over 43GB of data stolen from Boeing after the latter refused to pay the ransom. Most of the data listed on the leak site was backup data for various systems, the most recent of which dated back to October 22. The data included configuration backups, audit logs for IT management software, and logs for monitoring and auditing tools. Citrix backups were also listed in the leaked data.

  • In another update, the LockBit ransomware attacks used publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the networks of large organizations, steal data, and encrypt files. Although Citrix issued security patches for the flaw more than a month ago, thousands of internet-exposed endpoints are still running vulnerable appliances, many of them in the U.S. Adding to the woes, the Citrix Bleed vulnerability was also exploited by the MedusaLocker ransomware group to target Toyota Financial Services across Europe and Africa.

  • Denmark’s Computer Security Incident Response Team (CSIRT) disclosed that Russian GRU exploited zero-day vulnerabilities in Zyxel firewalls to coordinate attacks on 22 energy companies in Denmark. The first wave of attacks was launched on May 11 and the second wave began on May 22. The flaw in question was CVE-2023-28771 and affected Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73.

  • Michigan-based McLaren Health Care experienced a major cyberattack that impacted the PII and PHI of 2.2 million patients. The compromised data included names, birth dates, SSNs, and extensive medical information of patients. The ALPHV (BlackCat) ransomware gang claimed responsibility for the breach in October, boasting access to sensitive information.

  • A SQL injection vulnerability in the WP Fastest Cache plugin could expose more than 600,000 websites to attacks. The flaw, tracked as CVE-2023-6063, could allow attackers to read the contents of the site’s database. It has a high-severity score of CVSS 8.6 and impacts all versions of the plugin before 1.2.2.

  • U.S. mail-order pharmacy provider Truepill, also known as Postmeds, confirmed that hackers accessed the sensitive data of 2.3 million patients between August 30 and September 01. The compromised data contained names, medication types, demographic information, and Social Security numbers of patients.

  • An unprotected Elasticsearch instance belonging to Strendus, a Mexican-licensed online casino, exposed 85GB of personal data of hundreds of thousands of gamblers. The open instance also contained data from another online casino, MustangMoney. The leaked information contained user names, email addresses, dates of birth, gender, KYC status, withdrawal amounts, and home addresses of gamblers.

  • Samsung disclosed a cyberattack that impacted the personal details of customers who made purchases from its U.K. online store between July 1, 2019 and June 30, 2020. The attackers managed to steal the data by exploiting a vulnerability in a third-party application. The affected data included names, phone numbers, home addresses, and email addresses of customers.

  • Over 20GB of data stolen from Plume, a smart Wi-Fi service provider, was dumped by a threat actor on the Breach Forums marketplace. The stolen database contains over 15 million lines of information, including email addresses, full names, and device details of users. A majority of the leaked email addresses were associated with the @plume.com and @plumewifi.com domains.

  • Nevada-based Perry Johnson & Associates updated that the cyber incident earlier this year affected more than 8.95 million people. While the data stolen varied from patient to patient, it could include names, dates of birth, addresses, medical record numbers, and diagnosis details of patients.

  • A Kibana instance belonging to Vietnam Post Corporation had left 1.2 TB of data exposed on the internet for 87 days. The database contained 226 million logged events collected by various SIEM tools. The leaked information also included employee names and email addresses.
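Two of the incidents above (Strendus and Vietnam Post) trace back to an Elastic instance reachable from the internet with no authentication in front of it. The script below is an added example, not part of this briefing or of Elastic's tooling: it reads a flat elasticsearch.yml, which is where the listen address and the security toggle live, and flags the combination that produces an open index. The two configurations are constructed for the example; the setting names (`network.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings, and the parser assumes the file uses single-level `key: value` lines.

```python
from typing import Dict, List

# Constructed sample configs (not from any real deployment).
EXPOSED_CONFIG = """
cluster.name: prod-logs
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: prod-logs
network.host: 127.0.0.1        # loopback only; reach it through a reverse proxy or VPN
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Listen addresses that keep the HTTP API off the network. "_local_" is
# Elasticsearch's own alias for the loopback interface.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for single-level `key: value` lines (assumption: no nesting or lists)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_elasticsearch(settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means no exposure pattern was seen."""
    findings: List[str] = []
    # Elasticsearch binds to loopback when network.host is absent.
    host = settings.get("network.host", "127.0.0.1")
    exposed = host not in LOOPBACK_VALUES
    if exposed:
        findings.append(f"network.host={host}: HTTP API reachable from the network")

    security = settings.get("xpack.security.enabled")
    if security is None:
        # Default differs by major version (off on 7.x, on from 8.0), so be explicit.
        findings.append("xpack.security.enabled not set: default depends on version, set it explicitly")
    elif security.lower() == "false":
        findings.append("xpack.security.enabled=false: unauthenticated read/write access to every index")

    if exposed and settings.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials and data cross the wire in clear")
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        issues = audit_elasticsearch(parse_flat_yaml(cfg))
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Run it against the node's own `config/elasticsearch.yml`; the same three checks apply to Kibana's `kibana.yml`, where the listen address is `server.host`, because a Kibana that points at an unauthenticated cluster is just another front door to the same data.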

New Threats

Moving to new threats, four new info stealers—BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer—emerged in the threat landscape as researchers reported their usage against gaming communities. Meanwhile, an advisory from the CISA revealed that the Royal ransomware group has rebranded itself to BlackSuit to sidestep the security curbs by law enforcement and cybersecurity experts. There’s also an update on Scattered Spider actors leveraging BlackCat ransomware as part of their extortion tactics.

  • Security researcher Tom Forbes from GitGuardian uncovered nearly 4,000 unique secrets inside nearly 3,000 PyPI packages, which attackers could abuse to gain unauthorized access, impersonate package maintainers, or manipulate users through social engineering tactics. The secrets include AWS, Azure AD, GitHub, Dropbox, and Auth0 keys, as well as credentials for MongoDB, MySQL, PostgreSQL, SSH, Coinbase, and Twilio Master.

  • In another incident, researchers uncovered 27 malicious packages in the PyPI repository masquerading as popular legitimate API tools. These packages were available in the repository for nearly six months and delivered malware capable of gaining persistence, stealing sensitive data, and accessing cryptocurrency wallets. They attracted thousands of downloads, with victims across the U.S., China, France, Hong Kong, Germany, Russia, Ireland, and Singapore.

  • A targeted campaign against gaming communities leveraged Discord channels and fake download sites to distribute a variety of information-stealing malware such as BBy Stealer, Nova Sentinel, Doenerium, and Epsilon Stealer. The attackers compromised the accounts of French gaming influencers to send messages offering exclusive access to a seemingly genuine game. While BBy Stealer and Nova Sentinel are under ongoing analysis, researchers found that Doenerium and Epsilon Stealer are available on GitHub and Telegram, respectively.

  • According to a joint advisory from the CISA and the FBI, the Royal ransomware group has rebranded itself as BlackSuit in an attempt to avoid detection and countermeasures by law enforcement and cybersecurity experts. The change is not only in name: the group's modus operandi has also shifted, with advanced encryption methods and sophisticated attack vectors. In another advisory, the CISA shared IOCs and TTPs associated with the Rhysida ransomware, which has been deployed predominantly against the education, healthcare, manufacturing, information technology, and government sectors since May.

  • The CISA also issued an advisory highlighting a new tactic adopted by Scattered Spider actors to expand their extortion operations. The group typically relies on social engineering to steal data for extortion; it has recently added BlackCat ransomware to its arsenal, encrypting victims' files after exfiltration.

  • Proofpoint observed a phishing campaign from the TA402 APT group that delivered a new initial access downloader dubbed IronWind. The campaign targeted government organizations in the Middle East and ran from July through October. The attackers used three variations of the infection chain (Dropbox links, XLL file attachments, and RAR file attachments), each leading to the download of a DLL containing the multifunctional malware.

  • One of the affiliates of the BlackCat group was discovered using Google ads to distribute Nitrogen malware to victims' systems. The malware was disguised as fake installers for popular software, such as Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect, to lure business professionals. Nitrogen is classified as initial-access malware that leverages Python libraries for stealth.

  • Researchers encountered a new SpyAgent campaign that infected more than 200 smartphone users in South Korea. The malware was distributed via malicious Android and iOS applications delivered through phishing sites. The attackers used different themes in their phishing sites to lure victims.

  • The CISA added three new vulnerabilities to its KEV catalog based on evidence of active exploitation in the wild. The vulnerabilities in question were a security feature bypass vulnerability (CVE-2023-36548) in Microsoft Windows MoTW, a command injection vulnerability (CVE-2023-1671) in Sophos Web Appliance, and an unspecified vulnerability (CVE-2023-2551) in Oracle Fusion Middleware.

  • Google's TAG reported that four different threat actors exploited a zero-day flaw (CVE-2023-37580) in the Zimbra Collaboration email software in various campaigns to pilfer email data, user credentials, and authentication tokens. These campaigns targeted entities in Greece, Moldova, Tunisia, Vietnam, and Pakistan. Security patches for the flaw were issued on July 25, so organizations still running vulnerable versions must update to the latest release.
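The GitGuardian finding above is a release-hygiene problem as much as a security one: the secrets shipped because nothing scanned the package contents before upload. The following is an added example of such a pre-publish check, written for this page and not GitGuardian's or PyPI's own tooling. It combines a few well-known prefix patterns (AWS access key IDs start with `AKIA`, GitHub personal access tokens with `ghp_`, database URLs carry the password before the `@`) with an entropy test for anything assigned to a name that looks like a credential, so that a random-looking value is flagged while a placeholder such as `changeme` is not. The package contents are constructed for the example; the AWS values are the placeholders from AWS's own documentation and the GitHub token is made up, none of them real credentials.

```python
import math
import re
from typing import Dict, List, Tuple

# (path, line number, rule name, redacted value)
Finding = Tuple[str, int, str, str]

# Constructed sample: files of a hypothetical package about to be uploaded.
# None of these values are live credentials.
SAMPLE_PACKAGE: Dict[str, str] = {
    "mypkg/__init__.py": '__version__ = "1.0.0"\n',
    "mypkg/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'SECRET_KEY_FALLBACK = "changeme-changeme-changeme"\n'  # placeholder, low entropy
        "DEBUG = True\n"
    ),
    "mypkg/ci.py": 'GITHUB_TOKEN = "ghp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8"\n',
    "mypkg/db.py": 'DSN = "postgres://app:SuperSecretPw123@db.internal:5432/app"\n',
}

# Format-specific patterns: these fire regardless of how the value is named.
SPECIFIC_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    # user:password@host in a database URL; group 1 is the password.
    ("db_url_password", re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:([^@\s]+)@")),
]

# Generic rule: a credential-looking name assigned a quoted value of 16+ chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b[a-z0-9_]*(?:secret|token|passw(?:or)?d|api_?key|access_key)[a-z0-9_]*"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; English-like placeholders sit around 3, keys above 4


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not value:
        return 0.0
    length = len(value)
    counts = {ch: value.count(ch) for ch in set(value)}
    return -sum(c / length * math.log2(c / length) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without reprinting the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()  # (line_no, value) so a value hit by two rules is reported once
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SPECIFIC_PATTERNS:
            for m in pattern.finditer(line):
                value = m.group(m.lastindex or 0)
                if (line_no, value) not in seen:
                    seen.add((line_no, value))
                    findings.append((path, line_no, rule, redact(value)))
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if (line_no, value) in seen or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            seen.add((line_no, value))
            findings.append((path, line_no, "generic_high_entropy", redact(value)))
    return findings


def scan_package(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in the package; a non-empty result should fail the release."""
    results: List[Finding] = []
    for path in sorted(files):
        results.extend(scan_text(path, files[path]))
    return results


if __name__ == "__main__":
    for path, line_no, rule, shown in scan_package(SAMPLE_PACKAGE):
        print(f"{path}:{line_no}: {rule}: {shown}")
```

Wire `scan_package` into the build step that produces the sdist or wheel and abort on any finding; the entropy threshold is a tuning knob, and the specific patterns are the place to add further well-known prefixes (Azure AD, Dropbox, Auth0, Twilio) as the team encounters them.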
