Cyware Monthly Threat Intelligence, April 2022

The Good

• The Bureau of Cyberspace and Digital Policy was launched officially under the State Department to address the national security challenges, economic opportunities, and implications for the U.S. in the areas of cyberspace, digital technologies, and digital policy.
• The U.S. is partnering with six other countries—Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan—to create privacy and cybersecurity standards for the data that cross over into each other’s borders.
• A group of cybersecurity companies that help defend industrial systems from hackers, joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen the ICS and critical infrastructure in the U.S. The coalition aims to streamline how the founding members share threat information with each other and the government.
• CERT-In rolled out a new set of rules for organizations that mandate organizations to report 20 different types of infosec incidents within six hours of detection. The rules will apply to service providers, data center operators, intermediaries, government organizations, and companies.
• Google released a new Data Safety program for Android apps on the Play Store that will have the details of the type of data being collected and shared with third parties. The Data Safety section will include information such as if the developer is collecting data and for what purpose, whether the data is shared with third parties, and app security practices, among others.

The Bad 

• A compromised Trezor hardware wallet mailing list was used by hackers to send fake data breach notifications to steal cryptocurrency wallets and the assets stored within them. Attackers leveraged one of the newsletters hosted at MailChimp to launch the attack. The notifications prompted recipients to download a fake Trezor Suite software that would steal their recovery seeds.
• Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam that steals their personal information. The scam, which goes with the title ‘Free easter chocolate basket,’ is making the rounds on WhatsApp and social media sites. The recipients are asked to click on a link to claim the free gift. But, before that, the recipients are asked to answer a series of questions appearing on the screen.
• Multiple crypto platforms were targeted in April. An attack on Ethereum-based stablecoin protocol Beanstalk Farms resulted in a loss of about $182 million. More than $15 million were stolen after hackers exploited the DeFi platform Inverse Finance. In similar news, hackers bilked over $13.4 million from Deus Finance.
• Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a part of the precautionary measure, the company took immediate actions to prevent further propagation of the attack.
• The Texas Department of Insurance (TDI) disclosed a data security incident that affected roughly 1.8 million people. It occurred due to a vulnerability in one of its web applications. The exposed information included names, phone numbers, addresses, dates of birth, and social security numbers of individuals.
• A report found that Fraudsters made nearly $1.7 million by promising cryptocurrency giveaway scams on YouTube. Over 36 YouTube channels used for the purpose were observed between February 16 and February 18, attracting at least 165,000 viewers. The videos were made using footage of tech entrepreneurs and crypto investors like Elon Musk, Brad Gralinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood to add legitimacy to scams.
• The Conti ransomware group added at least five new organizations to its list of victims. These were Snap-on Tools, Panasonic Corp, TrustFord UK, Elgin County (Ontario), BlueForce, and industrial component giant Parker Hannifin. Additionally, Security researchers found a connection between the Conti group and the recently emerged Karakurt data extortion group and Conti and Emotet, which resumed its operations after a ten-month hiatus.
• Researchers revealed that LockBit ransomware group managed to maintain its persistence on a regional U.S. government agency for at least five months. However, logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.
• Researchers spotted REvil ransomware’s servers being up in the Tor network after several months of inactivity. A new leak site associated with the ransomware is being promoted on a RuTOR dark web marketplace. The site includes a list of organizations targeted by ransomware, out of which two are new ones.
• The Instagram account and Discord server of Bored Ape Yacht Club were hacked by cybercriminals to steal 24 Bored Apes and 30 Mutant Apes (which are estimated to be worth $13.7 million). In another streak, Discord communities of multiple major NFT projects were hacked as part of a phishing scam to mint a fake NFT by sending ETH and in some instances an NFT to wrap into a token.
• Iranian-linked threat actor group, Rocket Kitten, has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954, the remote code execution vulnerability affects VMware Workspace ONE Access and Identity Manager.
• Coca-Cola launched an investigation into a ransomware attack after hackers claimed to steal documents from the beverage giant. The Stormous ransomware group took to underground forums to claim the attack by putting 161 GB of stolen data on sale. The group is offering the stolen data for about $64,000.
• The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.

New Threats

• A malware, called PIPEDREAM, capable of targeting ICS/SCADA systems was unveiled this week. The malware can target a wide range of PLCs from Schneider Electric and Omron. It can also attack other industrial technologies from the likes of CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).
• A set of five newly discovered vulnerabilities called JekyllBot:5 were found impacting Aethon TUG autonomous mobile robots. The flaws, if exploited, could put several medical firms at risk of remote hijack. Attackers can gain access to real-time camera feeds, disrupt the timely delivery of patient medication, and interfere in operations.
• The CISA urged federal agencies to patch a WatchGuard firewall vulnerability that is being actively exploited in the wild. The vulnerability, tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances.
• A newly discovered Fodcha botnet infected around 62,000 IoT devices between March 29 and April 10. The botnet is distributed via brute-force attacks and exploits. Most of its infected devices are located in China.
• Researchers discovered a new RAT named Borat that is capable of conducting DDoS and ransomware attacks. Other capabilities include recording keystrokes, capturing videos from the webcam, stealing credentials from Chromium-based web browsers, and pilfering Discord tokens from infected systems.
• The FIN7 APT group was observed with evolved malware and attack tactics. These include a new POWERPLANT backdoor and two new versions of BIRDWATCH downloader—tracked as CROWVIEW and FOWLGAZE. Researchers claim that these malware are being used by threat actors to gain initial access and deliver more payloads.
• Researchers found a new campaign distributing SharkBot malware. At least six apps with over 15,000 downloads were leveraged to spread the malware. Most of the victims were from Italy and the U.K, with some users from China, India, Romania, Russia, Ukraine, and Belarus.
• A new information stealer named FFDroider capable of stealing credentials and cookies stored in browsers has been uncovered by security researchers. The stolen credentials can be used further to hijack victims’ social media accounts. The malware is distributed via cracked software, free software for games, and other files downloaded from torrent sites.
• Operators of the LemonDuck botnet are back in a new cryptocurrency mining campaign. The attackers take advantage of misconfigured Docker API on the Linux platform to launch malicious payloads. The campaign is currently active.
• A new Traffic Direction System (TDS) called Parrot emerged in recent months to redirect victims to 16,500 malicious websites for universities, local governments, adult content platforms, and personal blogs. The newly discovered TDS shares similarities to the Prometheus TDS that appeared in 2021.
• Microsoft uncovered a new campaign associated with the Chinese-backed Hafnium hacking group. The campaign leverages an unpatched zero-day in Windows task scheduling to deploy a new malware named Tarrask. 
• Security researchers detected a new Remcos RAT campaign that targeted the African banking sector. Threat actors attempted to deliver the malware using the HTML smuggling technique. The phishing emails purported to be from a recruiter from another African bank with information about job opportunities.
• A new report reveals that the recently discovered Nokoyawa ransomware is a variant of Nemt ransomware. Researchers came to the conclusion after assessing the encryption technique, ransom note, and C2 servers used by both ransomware.