Cyware Weekly Threat Intelligence - November 21–25

Weekly Threat Briefing • November 25, 2022
Weekly Threat Briefing • November 25, 2022
Law enforcement agencies made a great stride this week by dismantling illegal services and cybercrime infrastructure that caused millions of dollars in losses. One such successful crackdown was codenamed Operation HAECHI III and resulted in the seizure of $130 million worth of virtual assets stolen in different scams, including BEC and voice phishing. Meanwhile, the CISA updated the Infrastructure Resilience Planning Framework (IRPF) to better help SLTT planners protect their critical infrastructures.
The CISA updated its Infrastructure Resilience Planning Framework (IRPF) with new tools and guidance to help state, local, tribal, and territorial (SLTT) entities counter evolving cyber threats. The framework was released last year and can be used by any organization to improve resilience planning.
INTERPOL announced the seizure of cybercrime assets under Operation HAECHI III, a codename given to an effort to tackle a widespread campaign that caused the loss of $130 million worth of money and virtual assets. The operation was carried out over a span of five months and targeted cybercriminals involved in voice phishing, romance scams, BEC scams, and investment frauds.
In another successful investigation, Europol took down an online spoofing service, iSpoof, that was used by crooks to conduct social engineering, phishing, and bank helpdesk scams. The services on the website also allowed threat actors to steal money, banking account credentials, and one-time passcodes. This caused a loss of approximately $120 million in the last 16 months.
The U.S. government took down seven domains linked to pig butchering scams. These scams involved fraudsters duping victims into fake relationships before asking them to make investments in cryptocurrency on fake platforms. Around $10 million was lost due to these scams between May and August.
Information-stealing campaigns, growing larger in size and scale, impacted users and organizations alike. Group-IB researchers reported that over 50 million passwords stolen in the first half of the year are being sold on underground forums along with compromised credit card details. The data was stolen in an organized campaign by 34 Russian hacker groups via Telegram. Furthermore, Coinbase, MetaMask, Crypto.com, and KuCoin are being impersonated in an ongoing campaign to ensnare more victims. The campaign has been going on since 2021. Facebook ads and business platforms are also being targeted in an active Ducktail information-stealer campaign that is designed to steal browser cookies and victims’ personal details.
A data breach at the County of Tehama, California, affected the personal information of employees, service recipients, and other affiliated individuals. The incident was identified on April 9, but the investigation stretched to August 19, when it was determined that PII was compromised.
Amidst the rising popularity of Mastodon, security researchers are finding several vulnerabilities and other security issues. One of these issues was associated with the Infosec-exchange instance that could be exploited to steal users’ credentials. The issues arose due to an HTML attribute only allowed by a Mastodon fork named Glitch.
Over 50 websites impersonating the official MSI Afterburner site were used in the last three months to push XMRig miner and RedLine information-stealer. The primary targets of the campaign were Windows gamers and power users.
Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites on the pretext of lucky draws, lotteries, and reviewing popular games on YouTube.
HC3 published an advisory to warn healthcare organizations about Lorenz ransomware. The advisory provided technical details, including reconnaissance and lateral movement activities by the ransomware, and urged organizations to stay vigilant.
The newly found Donut (aka Donut Leaks) extortion group was linked with several double-extortion campaigns targeting multiple organizations. This time, the gang used its own customized ransomware and erected a site to leak stolen data.
A callback phishing campaign associated with the LunaMoth threat actor is expanding worldwide. The campaign specifically targets organizations in the legal and retail sectors and has already cost victims thousands of dollars. The threat actors have significantly invested in call centers and infrastructure that is unique to each victim.
Sports betting company DraftKings suffered a credential stuffing attack that led to a loss of up to $300,000. The firm claims that the hackers accessed their customers’ accounts by using login information that was compromised on other websites. It has urged users to enable 2FA to secure their accounts, while assuring them to make up for the lost funds.
A crypto-stealing phishing campaign is underway, impersonating different cryptocurrency exchanges and wallets. The campaign has been active since 2021 and abuses the Microsoft Azure Web Apps service to host phishing sites. Victims are targeted via phishing messages that pretend to be from Coinbase, MetaMask, Crypto.com, and KuCoin, informing them about suspicious activity detected in their accounts.
An ongoing Ducktail information-stealer campaign that targets Facebook ads and business platforms was disclosed by researchers. The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim’s Facebook account. The ultimate purpose of this campaign is to run ads on hijacked Facebook accounts for monetary gain.
Affiliates of the Black Basta ransomware group were found piggybacking on QBot to target organizations in the U.S. Researchers found that attackers disabled DNS services to lock victims out of their networks. In the last two weeks, more than 10 organizations were impacted by these attacks.
Security experts are investigating a dataset that appears to contain data from nearly 500 million WhatsApp users from 84 countries. The data is being sold on cybercrime forums for prices ranging from $2000 to $7000. Threat actor claims that there are over 32 million US user records included in the dataset.
?An uptick in attacks leveraging malicious Chrome browser extensions was observed this week. While VenomSoftX was used in one campaign to steal crypto assets, SearchBlox was observed in another campaign meant to harvest Roblox player credentials. In another threat update, the notorious RansomExx has become the latest ransomware to switch to the Rust language. This new change has been made to make the analysis of the ransomware difficult during the infection process. Additionally, cybercriminals are increasingly adopting the Aurora info-stealer to steal sensitive information from browsers and cryptocurrency apps.