Cyware Weekly Threat Intelligence - November 15–19

Weekly Threat Briefing • Nov 19, 2021
The Good
Bringing in a bit of positive news for victims of cyber fraud, the U.S. Justice Department seized tens of millions of dollars' worth of cryptocurrency from the now-defunct BitConnect. It plans to sell the cryptocurrency to compensate the victims. In other news, the U.S. Treasury Department and Israel announced the formation of a task force that would deal with the burgeoning ransomware threats.
The U.S. Department of Justice will start the liquidation of the $57 million worth of cryptocurrency seized from BitConnect as a means of restitution to the victims of the fraud committed by the platform. This liquidation is the largest single cryptocurrency recovery ever made by the U.S. to date. While the FBI and IRS-Criminal Investigation are examining the case, the Postal Inspection Service is assisting with the liquidation.
Facebook dismantled the activity of a Pakistan-based threat group—SideCopy—that used the social media platform to target individuals who were former members of the Afghan government and other individuals located in the country. The platform also blocked three hacking groups linked to the Syrian government.
CISA released a set of playbooks that contain standardized response procedures for U.S. federal agencies to mitigate cybersecurity incidents and vulnerabilities. The playbooks cover how agencies should manage cybersecurity incidents and vulnerabilities, along with related processes such as preparation, investigation, containment, reporting, and remediation.
The DHS launched a new portal to hire and retain cybersecurity professionals, with an aim to recruit 150 employees into priority roles over 2022. The DHS Cyber Talent Management System redefines the way the agency recruits, develops, and retains top-notch and diverse talents.
The U.S. Treasury Department announced that it will partner with Israel and launch a joint task force to better deal with ransomware attacks. The task force aims to design a memorandum of understanding that would support information sharing related to the financial sector.
The Bad
Coming to the bad parts, the week saw quite a lot of malicious cyber activity. Let’s start with Candiru, the Israeli spyware vendor, which reportedly conducted watering hole attacks in the U.K. and the Middle East. More details on the Robinhood breach came forth as the data of 7 million customers was put up for sale on a hacking forum. The worst of it all comes in the form of Emotet, which is supported by TrickBot in its apparent comeback after an extensive takedown by global law enforcement authorities. Seems like malware attacks are about to rise.
Ransomware gangs are showing interest in purchasing zero-day exploits that are available on dark forums. They are ready to offer up to $10 million to compete with state-backed actors, who are the traditional buyers of zero-day exploits. Moreover, instead of selling the vulnerability, the attacker can lease it out to less sophisticated attackers, bringing exploit-as-a-service to the cybercriminal ecosystem.
A malicious campaign is abusing a legitimate domain owned by the Myanmar government for domain fronting, a technique that evades detection by routing communications to a server controlled by the attacker. First observed in September, the threat executed Cobalt Strike payloads to launch further attacks.
The Israeli spyware vendor Candiru, which was put on an economic blocklist by the U.S. government, was allegedly involved in watering hole attacks against targets in the Middle East and the U.K. Some victimized websites also belong to Hezbollah, the Iranian Ministry of Foreign Affairs, the Syrian Ministry of Electricity, Yemeni Ministries of Interior and Finance, and aerospace and defense companies in South Africa and Italy.
The data of almost 7 million Robinhood customers is being sold on a popular hacking forum. The data includes email addresses of 5 million customers; full names of the remaining 2 million; name, zip code, and dates of birth of 300 people; and extensive account details of 10 customers. In a post, the adversary stated that the data is selling for at least five figures.
StripChat, an adult cam site, underwent a breach in which the personal data of millions of adult models and users was leaked. The breach was caused by a passwordless Elasticsearch database left exposed between November 4 and 7. Data of 65 million registered users, 421,000 models broadcasting on the site, 134 million transactions, and 719,000 chat messages were leaked.
Researchers from various firms revealed that TrickBot is aiding Emotet to get back into the swing of things by installing the latter into compromised systems. The campaign, dubbed Operation Reacharound, aims to reconstruct Emotet by using TrickBot’s infrastructure. Moreover, the new Emotet comes with an updated command buffer and can execute binaries in multiple ways.
A phishing campaign targeted more than 125 large TikTok accounts across the world. Besides individual account holders, the campaign targeted talent agencies, social media production studios, brand-consultant agencies, and influencer management companies. The accounts had tens of millions of followers and the perpetrators remain unknown.
Retail giant Costco confirmed a card skimming attack that affected fewer than 500 users. Around five skimmers were planted on payment card devices across four Chicago-based warehouses. This enabled attackers to capture information such as names, card numbers, CVV, and expiration dates. While the company believes that the attack was conducted in August, it has not yet made clear how long the card skimmers were active.
A hacker—claiming to be from a made-up Cyber Threat Detection and Analysis Group at a U.S. federal executive department—was found sending spam emails to at least 100,000 people from an FBI email server. The emails were sent to website admins listed on the American Registry for Internet Numbers. Nevertheless, the hacker wasn’t able to access FBI files.
New Threats
“Baby shark doo, doo, doo, doo.” There’s a baby Shark(Bot) in the threat landscape. The Android banking trojan has already ensnared victims associated with 27 financial organizations across the U.K., the U.S., and Italy. While we are on the topic of trojans, we must tell you that GravityRAT is back in a new malware campaign that is targeting high-profile Indian officials. Attacks on WordPress seem to be ceaseless as another 300 sites were hacked and threatened with a fake ransomware notice.