
Cyware Weekly Threat Intelligence, September 12 - 16, 2022


Weekly Threat Briefing Sep 16, 2022

The Good

EU and US authorities have issued new directives to strengthen the security of software supply chains. These moves follow increasing attacks against government and private organizations. In another update, CISA has rolled out its strategic roadmap for the next three years, which primarily focuses on building resilient critical infrastructure for Americans.

  • CISA has announced the release of its 2023–2025 strategic plan, which focuses on reducing risk and building resilience to cyber threats to the nation’s infrastructure. The plan builds on the CISA Strategic Intent published in 2019.

  • In other good news, CISA is considering partnering with U.S. universities to educate students about cybersecurity fundamentals so that they are capable of responding to emergency hotline calls, an idea proposed earlier this year. The emergency hotline will be available on 311.

  • OpSec mistakes have exposed the artifacts and tactics of yet another threat actor group. Researchers have identified the personas and companies associated with the Iran-based Cobalt Mirage APT group, which has been active since 2020.

  • The Office of Management and Budget (OMB) has published a new memorandum that aims to improve the security of software supply chains. The directive calls for federal agencies to use software built with common cybersecurity practices.

  • Europe’s new Cyber Resilience Act (CRA) was presented this week to bolster the security of hardware and software products. One of its rules mandates cybersecurity requirements for products with digital elements throughout the development lifecycle.

The Bad

The healthcare sector needs to be on maximum alert as hackers are targeting firms left, right, and center. In two different advisories, the FBI has highlighted who is being targeted, with one advisory concerning healthcare payment processors. The agency said that more than $4 million has been diverted to attackers’ accounts so far this year by targeting payment processors. Meanwhile, the infamous Operation Dream Job campaign is still underway, deploying the AIRDRY.V2 backdoor on victims’ systems.

  • The legislature of Buenos Aires, Argentina, was targeted in a ransomware attack that affected its operating systems and Wi-Fi connectivity. To prevent the attack from spreading further, the authorities took down the building’s Wi-Fi network, among other systems.

  • Popular moving truck service U-Haul is sending out notifications of a breach that exposed users’ personally identifiable information. The company disclosed that names, driver’s license numbers, and state identification numbers were viewed and potentially stolen by hackers between November 2021 and April 2022.

  • Lorenz ransomware group exploited a flaw in MiVoice Connect’s Mitel Service Appliance component to gain access to a corporate network. The attackers waited for a month after gaining initial access and then performed lateral movement. They utilized FileZilla for data exfiltration and performed encryption through BitLocker.

  • Mandiant discovered a threat cluster, dubbed UNC4034, using trojanized versions of the PuTTY SSH client to deploy the AIRDRY.V2 backdoor on targets’ devices. The activity appears to be a continuation of the Operation Dream Job campaign, which has been active since 2020.

  • The Hive ransomware gang claimed responsibility for an attack on Bell Canada subsidiary Bell Technical Solutions (BTS). The company acknowledged the attack, stating that some operational and employee information was accessed in the attack.

  • Akamai mitigated a record-breaking DDoS attack that targeted a company in Eastern Europe. The attack peaked at 704.8 Mpps. It is the second time the same entity has been targeted by the attackers.

  • The Russia-based Gamaredon hacking group has been targeting Ukrainian entities with new info-stealing malware designed to steal specific computer file types and deploy additional malware. It is delivered by a PowerShell script.

  • The FBI has issued an alert about hackers targeting healthcare payment processors to route payments to their bank accounts. This year alone, threat actors have stolen more than $4.6 million from healthcare companies. In another alert, the agency warned the sector that threat actors are continuing to exploit unpatched and outdated medical devices.

  • A phishing attack took advantage of the death of Queen Elizabeth II to steal Microsoft credentials. The attackers also attempted to steal MFA codes to take over victims’ accounts.

  • A BEC group called Chiffon Herring targeted teachers in an impersonation attack to steal their paychecks. The general structure of the group’s attack is similar to many other payroll diversion attacks.

  • IPCA Laboratories, one of the biggest pharmaceutical companies in India, has been targeted in a cyberattack, and the extortion group claims to have stolen 500GB of data from its systems. A portion of the company’s data was published on RansomHouse’s leak site.

New Threats

Emotet is proving too effective for cybercriminals to abandon. Throughout 2022, the banking trojan has infected over a million systems, and the number will likely surge in the coming months. Moreover, it is also being used in attacks to deploy Quantum and BlackCat ransomware. Lately, several backdoor malware attacks caught the attention of researchers, with one of them being used against government entities, aerospace firms, and IT organizations in Asia.

  • A new cybercrime forum, called Breached, has replaced the now-defunct RaidForums marketplace. The dark web forum includes old dumps from RaidForums and data related to software cracking, leaks, tutorials, and tech.

  • OriginLogger, also known as Agent Tesla v3, is a new variant of the Agent Tesla keylogger malware. It is distributed via a Microsoft Word document containing a passport-size photo, along with a credit card.

  • Researchers observed over 1 million computers infected by Emotet in 2022. There has also been a notable shift in the usage of the banking trojan, as it has become the new dropper for Quantum and BlackCat ransomware.

  • Fishpig extensions for Magento 2 were hacked to install the Rekoobe backdoor malware. The Fishpig distribution server was compromised on or before August 19. Any Magento store that installed or updated paid Fishpig extensions since then is now likely running the Rekoobe malware.

  • A new cyberespionage campaign focusing on government entities, aerospace firms, and IT organizations in Asia was found to have been active since 2021. The attack begins with a malicious DLL that executes the ShadowPad RAT.

  • StrongPity threat actors abused Notepad++ plugins to circumvent security mechanisms and deploy a backdoor, achieving persistence on victims’ systems. The backdoor was used to install a keylogger that stole information from the compromised systems.

  • A new self-spreading malware bundle has been promoted in the form of fake cheat codes and cracks for popular games like FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man. These cheat codes and cracks are advertised via YouTube videos.

  • The SparklingGoblin threat group is credited with developing a Linux variant of the SideWalk backdoor that targets the education sector. The variant was deployed against only one victim, a university in Hong Kong, in February 2021.

  • The Webworm cyberespionage group is experimenting with customized old malware strains to target IT service providers in Asia. One of the malware families in use is Trochilus RAT.

  • A significant change in the distribution tactics used by the operators of Magniber ransomware has been observed. The attackers have replaced MSI installers with JavaScript files to deploy the ransomware.

  • Malicious actors were found exploiting both old and new Oracle WebLogic Server vulnerabilities to deliver different malware families, Kinsing being one of them. One of these vulnerabilities is tracked as CVE-2020-14882.
