Go to listing page

Cyware Monthly Threat Intelligence, December 2022

Cyware Monthly Threat Intelligence, December 2022

Share Blog Post

The Good 

Quantum computing will change cryptography as we know it. The U.S. President signed a bipartisan law referring to post-quantum cybersecurity guidelines. Investments in cybersecurity are on the rise. U.S. Congress set aside $2.9 billion in funds for cybersecurity initiatives in the FY2023 spending bill. In the wake of rising cyberattacks in France, the government announced its plan to train all its employees at the most important health facilities under a new initiative by May 2023.

  • President Joe Biden signed the Quantum Computing Cybersecurity guidelines into law to motivate federal agencies to adopt technology protected from decryption by quantum computing. Called Quantum Computing Cybersecurity Preparedness Act, the bill will help organizations to protect their systems against quantum tech threats.
  • The FTC and the HHS updated their Mobile Health App Interactive Tool to improve the data security of patients. The tool is for anyone developing a mobile app to understand the implications of collecting and misusing the PHI of patients. It also helps developers navigate the patchwork of different laws that may be applicable while building mobile apps to ensure that any sensitive health information is protected accordingly.
  • About $2.9 billion has been allocated to the CISA for the fiscal year 2023. With the given budget, the CISA aims to improve emergency communications preparedness and strengthen civilian and government networks. A portion of the amount will also be used for CISA’s advanced cybersecurity operations.
  • The French government has announced a vast training program to help hospitals and medical facilities protect themselves against cyberattacks. The development comes following repeated attacks against hospitals that saw either hackers damaging their critical infrastructures or stealing patients’ sensitive data.

The Bad

Financial and healthcare institutions remained the top sectors as the hotbed of cyberattacks. The California Department of Finance and crypto platforms, such as 3Commas, BitKeep, and BTC[.]com, were added to the long list of hacks that took place last year in the crypto world. Victims in healthcare include Lake Charles Memorial Health and a hospital in Riverside County of California. Besides, security analysts laid bare an investment scam group that victimized at least 40 firms in fintech, cryptocurrency, and asset management services.

  • The Royal ransomware group claimed responsibility for a cyberattack against telecommunications company Intrado. As proof of the breach, the gang shared a 52.8MB archive containing scans of passports, business documents, and driver’s licenses of employees.
  • The California Department of Finance confirmed that it suffered a security breach, hours after the LockBit ransomware gang listed the agency as a victim on its dark web leak site. The gang has given time until Christmas eve to avoid the publishing of more than 500GB of stolen files.
  • Restaurant CRM platform SevenRooms confirmed suffering a data breach after a hacker claimed to have stolen 427GB of customer records and leaked a sample on a cybercrime forum. The leaked sample included a folder named after big restaurant chains, clients of SevenRooms, API keys, promo codes, payment reports, reservation lists, and more. 
  • A hospital in California’s Riverside County reported a data breach that impacted its patients’ sensitive information, such as Social Security numbers and medical information. According to the notice, the hackers had unauthorized access to the data between October 29 and November 10. 
  • The details of more than 70,000 Uber employees have reportedly been leaked online, marking another data breach for the company this year. The incident occurred after a threat actor targeted a third-party software provider, Teqtivity, used by Uber for IT asset management services.
  • Members of the North Korean Kimsuky cyberespionage group have been found impersonating think tank members to reach out to political and foreign affairs analysts. It was also associated with a new spear-phishing campaign that was aimed at nearly 900 foreign policy experts in South Korea.
  • Australian telecommunications giant TPG revealed that emails of 15,000 iiNet and Westnet business customers were breached as hackers looked for cryptocurrency and other financial information. Investigation into the incident is underway. However, the breach did not affect mobile or broadband services.
  • Comcast Xfinity accounts were hacked through credential stuffing attacks that bypassed the 2FA protection. This enabled the attackers to use the compromised customer accounts and reset passwords for other sites, such as Coinbase and Gemini.
  • The Play ransomware group claimed to have stolen an unconfirmed amount of data from H-Hotels. The group has recently listed the company as a victim on its Tor site. It allegedly pilfered private and personal data, including client documents, IDs, passport data, and more. While H-Hotels denied the possibility of data exfiltration last week, hackers have also failed to present any proof. 
  • Several crypto platforms, including BTC[.]com, 3Commas, and Bitkeep, lost millions to cybercriminals in different hacking incidents. BTC[.]com lost approximately $3 million worth of crypto assets. 3Commas suffered a massive API key hack impacting Kucoin, Coinbase, and Binance. Hackers exploited BitKeep wallets to steal around $8 million worth of assets.
  • Popular authentication services and IAM solutions provider Okta suffered a breach impacting its private GitHub source code repositories. The company said attackers could not access the Okta service or its customers’ data. 
  • Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor. The attack occurred in October. 
  • Lake Charles Memorial Health System in Louisiana disclosed that the personal data of nearly 270,000 patients were accessed in an October ransomware attack. This included patients’ health insurance information, medical records, and Social Security numbers. 
  • A previously unknown investment scam group named CryptosLabs has reportedly stolen up to $505 million from victims in France, Belgium, and Luxembourg. The group has been active since 2018 and has targeted over 40 companies in fintech, cryptocurrency, and asset management services.

New Threats

Besides, researchers took the wraps off an offensive marketplace, InTheBox, that has been relaying 400+ customer web injects to other hackers. New ransomware strains Cryptonite and CatB and a potential info-stealer dubbed RisePro surfaced last month. Meanwhile, Xnspy spyware app was found laced with flaws exposing the personal data of iPhones and Android users.

  • The recently discovered Cryptonite ransomware was discovered in the wild as a wiper malware used to target Microsoft Windows users. The malware implements the common functionality of ransomware but it does not offer the decryption key.
  • Resecurity researchers shared details of a darknet marketplace, called InTheBox, which offers over 400 custom web injects to launch mobile malware attacks. Web injects enable attackers to serve malicious HTML or JavaScript code in the form of an overlay screen and steal information when victims launch banking, crypto, and e-commerce apps.
  • A new Go-based botnet called Zerobot was found exploiting dozens of vulnerabilities in IoT devices to expand its network. The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
  • A new obfuscation service called Zombinder was discovered in a campaign employing several trojans, including Ermac, to target both Android and Windows systems. It is used to bind malicious payloads to a legitimate application.
  • The Formbook malware made a comeback in a campaign that used trojanized OneNote documents. The malware can steal data from various web browsers and other applications. It also has keylogging capabilities.
  • FortiGuard Labs encountered a Golang-based botnet named GoTrim that utilizes a bot network to perform distributed brute-force attacks against WordPress and OpenCart sites. The botnet campaign began in September and is still ongoing.
  • A malicious stalkerware app called Xnspy was found stealing and leaking data from tens of thousands of iPhones and Android devices. Once installed, the app silently pilfered call records, browsing history, location data, text messages, and photos from victims’ phones.
  • Experts from American universities demonstrated a new attack technique that could be used to eavesdrop on smartphone users. Called EarSpy, the technique relied on motion sensor data arising from the echo of speakers in Android phones. 
  • A newly identified CatB ransomware group has been found implementing several anti-VM and DLL hijacking techniques to evade detection. The ransomware is believed to have a connection with Pandora ransomware.
  • A new info-stealer named RisePro has garnered popularity on the illicit dark web forum called Russian Market. The malware is a clone of Vidar stealer and has been designed primarily to steal credentials and exfiltrate them in the form of logs.
  • The CISA added two-year-old security flaws impacting TIBCO Software’s JasperReports products to its list of most exploited vulnerabilities catalog. The flaws, tracked as CVE-2018- 5430 and CVE-2018-18809, are related to information disclosure vulnerability and directory traversal vulnerability respectively. 
  • A new Android malware, dubbed BrasDex, was spotted targeting Brazilian users in a new campaign. Developed by threat actors behind the Casbaneiro banking trojan, the malware possesses a complicated keylogging capability that abuses Android Accessibility Services and pilfers credentials from a set of Brazilian banking apps.

 Tags

sevenrooms
royal ransomware
formbook
xnspy
inthebox
kimsuky group
lake charles memorial health system
brasdex
sargent lundy
zerobot
xfinity
zombinder
jasperreports
okta
3commas
joe biden
earspy
catb ransomware group
risepro
cryptoslabs
california department of finance
btccom
h hotels
uber employees

Posted on: January 02, 2023


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.