Go to listing page

Cyware Monthly Threat Intelligence, June 2022

Cyware Monthly Threat Intelligence, June 2022

Share Blog Post

The Good

In light of the growing occurrence of cyber incidents, 37 organizations across eight countries have formed a coalition to work on cyber resilience and combat cyber threats globally. To counter the data privacy issues around IoT devices, a research group has proposed a framework based on the principle of data minimization. In another story, the CISA announced the release of CMMC 2.0, a compliance program for businesses interested in working with the U.S. Department of Defense.

  • The Coalition to Reduce Cyber Risk (CR2) along with 37 tech leaders from across eight countries have signed a pledge to improve cybersecurity standards and incorporate them into policies and controls. The adoption of these standards among companies and government agencies is expected to mitigate cyber risks and facilitate economic growth.
  • The U.S. President signed two bipartisan bills—Federal Rotational Cyber Workforce Program Act and State and Local Government Cybersecurity Act—to strengthen the government’s cybersecurity posture across the local, state, and federal levels.
  • Researchers have designed a new privacy framework, dubbed Peekaboo, that can help address the data sharing concerns across IoT devices. The framework operates on the principle of data minimization, which refers to the practice of limiting the collection of data on a need basis.
  • The House appropriations subcommittee approved a budget of $2.9 billion for CISA in Homeland Security FY2023 Budget Print. The fund will be used to support the agency’s security, infrastructure security, emergency communications, integrated operations, and risk management.
  • The Cybersecurity Maturity Model Certification (CMMC) 2.0 is in the rule-making process and will be launched in 2023, revealed CISA officials. The model aims to bring a unified security standard among contractors linked to the U.S. Department of Defense (DoD). An official said that third-party assessment organizations will perform the assessments as an ongoing process rather than a point-in-time complaint.
 

The Bad

Ransomware actors going bonkers! 50 victim organizations in a couple of months. The menace and mystery of Black Basta is beyond comprehension for many. Meanwhile, another ransomware group has been zeroing in on targets in Europe with a focus on state entities and educational institutes. Meanwhile, several large organizations, including AMD, OpenSea, and the Bank of the West, suffered leaks in the past month.

  • OpenSea confirmed experiencing a breach, owing to a security incident at its email delivery vendor, Customer[.]io. An employee downloaded email addresses belonging to OpenSea users and newsletter subscribers and shared them with an unauthorized third-party. Users have been warned against phishing attacks that may stem in the wake of the leak.
  • As per its own claims, extortion group RansomHouse penetrated the systems of processor manufacturer AMD to steal about 450GB of data. The group, however, said it did not breach the networks themselves but rather acted as a negotiator on behalf of its partner who allegedly attacked the firm. The stolen data trove may include research and financial information from the firm.
  • Sharp Boys hacker group made a claim about obtaining personal and credit card data from at least five tourism-related sites in Israel. Hackers allegedly accessed the backend interface of the targeted sites. As proof of the leak, they also released a spreadsheet containing the personal information of 120,000 people.
  • A Mexico-based production plant belonging to Foxconn fell victim to a ransomware attack. The LockBit gang claimed responsibility for the attack. Foxconn assured that the impact on its overall operations is minimal, and the recovery will unfold according to a pre-determined plan.
  • MyEasyDocs, an India-based online document verification platform, exposed 30GB of data owing to a misconfigured Azure server. This included both personal and financial information of over 50,000 students from India and Israel. 
  • BlackCat ransomware group claimed its attack against Regina Public Schools in the Canadian province of Saskatchewan. The threat actors, reportedly, stole 500GB of files containing tax reports, health information, passports, and Social Security numbers.
  • Several customers of California-headquartered Bank of the West apparently lost their debit card numbers and PINs to skimmers installed at the bank's ATMs. Cybercriminals can use this stolen data to generate fake cards and attempt cash withdrawals. Experts have been able to identify all the affected accounts.
  • The FBI warned the public again about the fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. Criminal actors are taking advantage of the ongoing crisis by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts. 
  • Black Basta, a RaaS syndicate, crippled as many as 50 victims in the U.S., Canada, the U.K, New Zealand, and Australia, within two months of launching. Researchers have warned of the threat it poses to various industries, such as manufacturing, transportation, cosmetics, telcos, pharmaceuticals, plumbing and heating, automobile dealers, and retail.
  • The Vice Society ransomware group targeted European organizations lately. The group claimed responsibility for the cyberattack against the Medical University of Innsbruck and the city of Palermo in Italy, which triggered a massive service outage.
  • Malicious hackers again managed to steal 32 NFTs (worth more than $250,000) from Bored Ape Yacht Club (BAYC) by compromising the Discord account of one of its community managers. The threat actors used this compromised account to send a phishing link, which was later used to gain access to BAYC owners’ cryptocurrency wallets. Among the NFTs compromised in the hack were 1 Bored Ape, 2 Mutant Apes, 5 Otherdeeds, and 1 Bored Kennel. 
  • Ukraine CERT warned that the Russian hacking group Sandworm is exploiting the Follina vulnerability in a new campaign to target various media organizations in Ukraine. The campaign is carried out via phishing email and targeted more than 500 recipients.
  • An unprotected Elasticsearch database had exposed 5GB of personal data belonging to over 30,000 students. The unprotected database apparently belongs to account holders of Transact Campus, which works with higher education institutions in the U.S.
  • Around 32GB of sensitive data stored in an unsecured database of the Uganda Securities Exchange (USE) was left exposed on the internet. The leaked data included the full name, address, date of birth, phone number, email address, and bank details of customers from across the globe.
  • A phishing email campaign spoofed MetaMask cryptocurrency wallet provider in an attempt to steal recovery phrases from Microsoft 365 users. The recovery phrases could later enable attackers to steal NFTs and cryptocurrency from compromised wallets. The phishing email used a Know Your Customer (KYC) verification request to lure recipients into sharing sensitive data.
  • Ukrainian organizations were subjected to new hacking attempts tailored to drop CredoMap malware and malicious Cobalt Strike beacons onto their networks. It is suspected to be the work of Fancy Bear and UAC-0098. The CredoMap malware is capable of stealing account credentials and cookies stored in Firefox, Edge, and Chrome web browsers.

New Threats

Crypto threats are reaching new heights. A recent report found a rather contagious cryptominer that harvested millions in cryptocurrency since the beginning of the year. Furthermore, two ransomware strains have released their news versions in an attempt to up their game. One of them has also promised huge payouts for identifying bugs in their program.

  • A new campaign involving the new information-stealing malware YTStealer is targeting YouTube content creators. It is assumed that the cybercriminal group has specially crafted it to extract credentials from one single service. One notable aspect of the malware is that it uses the open-source Chacal anti-VM framework to hide from debugging and memory analysis.
  • A new malware, dubbed ZuoRAT, is propagating through SOHO routers as part of a sophisticated campaign aimed at networks in North American and European regions. An investigation into the case divulged that the trojan can cripple routers from multiple brands, such as ASUS, DrayTek, Cisco, and NETGEAR.
  • Revive, a previously undocumented Android malware was seen targeting users of the Spanish financial services company, BBVA. Hackers lured users into downloading a fake app posing as the bank's original 2FA app. The malicious app reportedly draws inspiration from an open-source spyware called Teardroid.
  • Last month, we saw the launch of AstraLocker 2.0 and LockBit 3.0. The latter became the first ransomware to roll out a bug bounty program and a reward of up to $1 million for those reporting bugs in its malicious program.
  • Checkmarx disclosed a flaw in the Amazon Photos app for Android that has over 50 million downloads through the Play Store. A misconfigured app component exposed its manifest file to anyone without authentication. An individual could abuse this flaw to steal Amazon access tokens used for Amazon API authentication via a malicious app installed on the affected device.
  • Symantec reported that Clipminer botnet operators have made a profit of almost $1.7 million since January 2021. The malware most likely spreads via Trojanized cracks or pirated software. Clipminer scans the clipboard content for wallet addresses and replaces it with addresses of wallets controlled by the attacker.
  • Kaspersky revealed the tactics and techniques of a new APT group targeting high-profile entities in Europe and Asia. Named ToddyCat, the group has a distinct sign of using two new malware, called Samurai backdoor and Ninja trojan, in its attack campaigns. 
  • Smilodon credit skimming malware has shifted its focus from WooCommerce stores to WordPress e-commerce sites to earn more profits. The malware can pilfer credit card numbers, expiration dates, security codes, billing addresses, names, and other sensitive information from the checkout pages of targeted sites.
  • A new pro-Russian hacking group, dubbed Cyber Spetsnaz, has been identified leveraging current geopolitical tensions between Ukraine and Russia to conduct cyberattacks. So far, the group has targeted five Italian logistic terminals—Sech, Trieste, TDT, Yilport, and VTP—along with several financial institutions.
  • Sentinel One uncovered a series of activities associated with a new threat actor group called Aoqin Dragon. Some of these activities are ongoing and a few of them are found to have begun in 2013. The group is believed to have targeted organizations in government, education, and telecommunications sectors in Southeast Asia and Australia.
  • A new version of Cuba ransomware targeted two organizations in Asia. The updates are aimed at optimizing its execution, minimizing unintended system behavior, and providing technical support for victims to negotiate the ransom.
  • Operation technology devices from 10 ICS vendors were found to be vulnerable to 56 new security flaws. Collectively called OT:Icefall, these flaws stem from insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.
  • RARlab's UnRAR utility was affected by a path traversal vulnerability in its Unix versions. Tracked as CVE-2022-30333, the bug could allow remote hackers to conduct arbitrary code execution on a vulnerable system by extracting a maliciously crafted RAR archive. Any software or program utilizing an unpatched version of UnRAR is impacted by the flaw.

 Tags

aoqin dragon
bank of the west
coalition to reduce cyber risk cr2
credomap malware
uganda securities exchange use
amd
opensea
medical university of innsbruck
foxconn
astralocker 20
oticefall
toddycat apt
follina vulnerability
zuorat
myeasydocs
city of palermo
transact campus
lockbit 30
revive
ytstealer
cmmc 20

Posted on: July 01, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.