We use cookies to improve your experience. Do you accept?

Cyware Weekly Threat Intelligence - October 03–07

Cyware Weekly Threat Intelligence - October 03–07 - Featured Image

Weekly Threat Briefing Oct 7, 2022

The Good

The 'International Cybersecurity Awareness Month' kicked off this week, with several federal agencies and organizations taking a pledge to improve their defenses against cyberattacks. Highlighting the importance of the program, the Department of Homeland Security has encouraged private-public sector collaboration for threat-sharing and streamlining cybersecurity efforts. In other developments, the CISA has mandated that all federal agencies are to share their findings on vulnerable systems that need to be patched.

  • The CISA has issued guidance regarding the transition to TLP version 2.0. While the federal authority plans to migrate to the new protocol in November, it has urged organizations to adopt the same as soon as possible. The key updates of this version are TLP:CLEAR, TLP: AMBER+STRICT—they enable sharing of sensitive information more effectively.

  • The CISA has issued a new Binding Operation Directive that mandates all federal civilian agencies to scan their networks and discover vulnerable systems that need to be patched. Furthermore, the agencies are required to share their findings with the CISA by April 2023.

  • The Department of Homeland Security kicked off ‘Cybersecurity Awareness Month’ as it stressed its commitment to raising awareness about how to combat the ever-increasing threats from malicious cyber actors. It has also encouraged private-public sector collaboration for threat-sharing and streamlining cybersecurity efforts.

The Bad

Ransomware attacks are running rampant, wreaking havoc on businesses. This week, the Italian luxury sports car manufacturer Ferrari was allegedly hacked by the RansomEXX group that stole around 6.99GB of internal data. In another incident, the Vice Society ransomware group leaked more than 248,000 files belonging to the Los Angeles Unified School District (LAUSD) on the dark web. CommonSpirit Health is also inspecting a cybersecurity incident that is believed to be the work of ransomware attackers.

  • CommonSpirit Health disclosed a cybersecurity incident that impacted several of its healthcare facilities across the U.S. Investigations are underway to understand the scope and size of the incident.

  • Binance temporarily paused its Binance Smart Chain (BSC) blockchain bridge project after $560 million worth of Binance coins were stolen by hackers. However, the firm was quick to respond and blocked the hackers’ access to roughly 80% of the stolen funds.

  • A data breach at the Shangri-La hotel group compromised the personal information of its customers. The breach occurred between May and July after hackers gained unauthorized access to its IT network. This impacted the hotels located in Hong Kong, Singapore, Chiang Mai, Taipei, and Tokyo. The organization ascertained no indication of any guest data being misused.

  • The relatively new RansomEXX ransomware gang has leaked internal documents online after claiming to have hacked the Italian luxury sports car manufacturer Ferrari. While the firm has validated the documents leaked online, there is no evidence of cyberattacks according to Ferrari. The 6.99GB of stolen data includes internal documents, datasheets, and repair manuals, among others.

  • Russian retail chain DNS (Digital Network System) suffered a data breach that exposed the personal information of customers and employees. The attackers could gain initial access by exploiting flaws in the company’s IT systems. Meanwhile, the organization is working on fixing the flaws to strengthen information security.

  • More than 248,000 files belonging to the Los Angeles Unified School District (LAUSD) have been leaked on the dark web. The affected data belongs to students and their parents. The school was attacked by the Vice Society ransomware gang in September.

  • Scammers are impersonating security researchers to sell fake PoC exploits for the newly discovered ProxyNotShell vulnerabilities. The flaws have gained traction among cybercriminals as they are being exploited in the wild, which is enabling scammers to earn profit by selling fake exploits.

  • KFC and McDonald’s customers across Saudi Arabia, the UAE, and Singapore were targeted in a phishing attack, enabling attackers to steal their payment details. According to researchers at CloudSEK, the attackers impersonated the browser-based application of fast food restaurants to trick users into installing information-stealing payloads on their desktops.

  • Threat actors are abusing Chrome’s Application Mode feature in a new phishing attack to steal credentials from internet users. The feature is available in all Chromium-based browsers, including Google Chrome, Microsoft Edge, and Brave Browser, enabling threat actors to spoof local login forms that appear as desktop applications.

  • In a joint advisory, the NSA, the CISA, and the FBI warned that threat actors used an open-source tool named Impacket to gain an initial foothold inside the network of a U.S. Defense Industrial Base organization. The advisory also mentions the use of a custom tool called Covalent Stealer to exfiltrate data from victims’ systems.

New Threats

Active exploitation of unpatched vulnerabilities continues to explode as the CISA released a new advisory with a list of the top 20 vulnerabilities exploited by Chinese state-sponsored threat groups. New and old infostealers were also observed this week in multiple campaigns that targeted users worldwide. While LilithBot was found to be distributed via a dedicated Telegram group and a Tor link, the variants of Agent Tesla and njRAT were propagated via legitimate websites.

  • The group behind the Magniber ransomware is constantly changing its distribution method to bypass detections. After changing the extension from JSE to JS on September 16, the attackers have yet again modified the file extension from JS to WSF.
  • Zimperium researchers observed a campaign associated with a lesser-known Android spyware strain, named RatMilad. The spyware is disguised as a mobile VPN app that is promoted on a Telegram channel. It targets Middle Eastern enterprise mobile devices.
  • The NSA, CISA, and the FBI have published a joint advisory with a list of the top 20 vulnerabilities exploited by Chinese state-sponsored threat groups. Most of these flaws are related to different remote code execution flaws affecting products from Atlassian, Microsoft Exchange, F5 Big-IP, ZOHO, and Sitecore XP.
  • A new infostealer named LilithBot has been linked to a Russia-based threat actor group called Jester, which has been active since January. The malware is being distributed via a dedicated Telegram group and a Tor link.
  • Some malicious Office documents that attempt to leverage legitimate websites were discovered executing a shell script that ultimately dropped variants of Agent Tesla and njRAT. The trojans are well-known for collecting sensitive information from a victim’s device.
  • A new threat actor named Water Labbu was found abusing malicious decentralized applications, or DApps, to steal cryptocurrency from other scammers. The group leveraged different social engineering tactics used by crypto scammers to trick users to then subsequently inject malicious JavaScript code into their sites and steal their cryptocurrency loot.
  • A trojanized installer for the Comm100 Live Chat application was found distributing a JavaScript backdoor as part of a supply chain attack. The attack took place in September and infected organizations across multiple sectors, including industrial, healthcare, technology, manufacturing, insurance, and telecommunications.
  • A newly identified campaign used a popular Chinese YouTube channel to distribute spyware-laced versions of the Tor browser. The spyware campaign, named OnionPoison, collected data such as browsing history, social networking account IDs, and Wi-Fi network identifiers.
  • Attackers imitated the Raw-Tool PyPI package library to hide their malicious code using base64 encoding. This enabled the attackers to evade detection during the infection process.
  • BlackByte ransomware group is employing a new evasion tactic that involves the abuse of known vulnerabilities in over 1,000 drivers, on which security products rely to provide protection. One of these vulnerable drivers is RTCore64.sys.
  • Researchers investigated a Cheerscrypt ransomware attack that utilized Night Sky ransomware TTPs. Believed to be the work of the Emperor Dragonfly threat actor, the ransomware is capable of targeting both Windows and Linux ESXi environments.

Related Threat Briefings