Cyware Monthly Threat Intelligence, April 2023

The Good

• Google collaborated with several other companies to form a new group, called the Hacking Policy Council, that will advocate better regulations and policies for vulnerability management and disclosure. The council is an initiative of the Center for Cybersecurity Policy and Law. It will also be putting aside an undisclosed legal defense fund for researchers that are sued or prosecuted for pursuing “good faith research in cases that would advance cybersecurity for the public interest.”
• The NIST released a new post-quantum cryptography guidance draft that is open for public comments until June 8. The document is meant to help organizations understand the security architecture in their networks and implement post-quantum security measures where it is necessary. The new draft follows NIST’s ongoing effort to finalize quantum-resistant algorithms in 2024 after identifying other encryption algorithms in 2022. 
• The DOD launched a new website, www.hackthepentagon[.]mil, to enhance and support the Hack the Pentagon program that was launched in 2016. The website includes educational materials that can be used as a foundation step for launching a bug bounty program. The platform will also enable the engagement and recruitment of technical talent.
• New guidance to enhance the security of software and technology products was issued by the CISA in collaboration with the FBI, the NSA, and security agencies from the Five Eyes Intelligence Alliance. The authorities urged manufacturers to ship only those products to customers that follow secure-by-design and secure-by-default approaches.

The Bad

• Hackers broke into South Korea-based GDAC and stole nearly $13 million worth of Bitcoin, Ethereum, and Wemix tokens from the firm. Moreover, crypto exchange Bitrue’s hot wallet was accessed by cybercriminals, which resulted in the theft of $23 million worth of ETH, GALA, QNT, SHIB, MATIC, and HOT. The firm temporarily suspended its operations, including withdrawals.
• Hackers dumped the private data of around 400,000 Kodi users on several hacking forums. The media player maker suffered a data breach on February 16 and 21 after threat actors compromised the account of an inactive administrator and accessed the web-based MyBB admin console.
• Taiwanese PC parts maker MSI was struck with a $4 million ransomware attack by a newly-formed ransomware group called Money Message. The threat actors threatened to publish 1.5 TB of data they allegedly stole from the firm. To claim the attack, the group posted screenshots of the hardware vendor’s CTMS and ERP databases containing software source code, private keys, and BIOS firmware.
• Around 250 million software artifacts and over 65,000 container images were found to be exposed via thousands of internet-facing registries and repositories. Some 1400 hosts also allowed access to secret keys, passwords, and other sensitive information that could enable attackers to mount a supply chain attack or poison a software development environment. These hosts were linked to addresses of several Fortune 500 companies such as Siemens, Cisco, Alibaba, and IBM. 
• A misconfigured database exposed more than 1.2 million police records on the internet. The database also included 800 GB of information on people who applied for employment in law enforcement in the Philippines, along with documents on tax identification numbers of officers. It is believed that the database had been left exposed for at least six weeks.
• London-based Capita admitted to a ransomware attack that compromised nearly 4% of its server infrastructure to steal data of its staff, potential customers, and vendors. Black Basta claimed responsibility for the attack and put up for sale sensitive data stolen from the firm. This includes bank account information, addresses, and passport photos.
• Payment processing giant NCR disclosed that it was a victim of a ransomware attack that occurred last weekend. This caused a PoS outage and affected multiple companies using the service. One of the affected systems was Aloha, the payments service which is used by multiple restaurants.
• Sensitive details of several banks, including QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, Reed, HSBC, and Westpac, were leaked due to a misconfiguration issue in a digital identification tool provided by OCR Labs. The leaked data included access credentials to AWS, application tokens, and various API keys.
• The Medusa ransomware group added the Open University of Cyprus to its data leak site, giving the institute 14 days time to respond. The hackers demanded $100,000 in ransom to prevent the further leak of data that includes the PII of students, and the financial details of research contractors.
• An online marketplace Z2U was found exposing 600,000 customer support attachments due to an unprotected database. The attachments included images of individuals holding credit cards, passports, and other ID documents. Other exposed information were email addresses, passwords, and IBAN numbers of users.

New Threats

• Threat actors devised a new attack method to abuse Kubernetes role-based access control (RBAC) to deploy backdoors for persistence. Dubbed RBAC Buster, the attack method can also enable attackers to launch cryptojacking attacks on targeted Kubernetes clusters by exploiting misconfigured API servers linked to the clusters. 
• ViperSoftX, a cryptocurrency and info-stealer malware, was updated to include more sophisticated encryption and data-stealing methods. So far, the variant has infected a significant number of victims in consumer and enterprise sectors across Australia, Japan, the U.S., India, Taiwan, Malaysia, France, and Italy.
• Charming Kitten APT was observed using a previously unseen custom dropper malware, BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. The attackers possibly exploited known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Microsoft Exchange Server to drop the malware.
• An ongoing attack campaign, tracked as OCX#HARVESTER, was found distributing More-eggs backdoor, along with other malicious payloads. The More-eggs backdoor was observed in the wild from December 2022 through March 2023. The attack chain leveraged specially crafted phishing emails to lure victims in the financial sector, especially those organizations involved with cryptocurrencies. 
• Researchers observed a new variant of LockBit ransomware that focuses on disrupting macOS systems. While the variant is in active development, it is revealed that the malware enables threat actors to encrypt files stored on ARM-powered Macs. 
• Threat actors were abusing Eval PHP, an abandoned WordPress plugin, to take over and backdoor websites. The plugin allowed attackers to insert malicious PHP code into pages and posts on WordPress sites. These malicious codes are executed every time the posts or the pages are opened in a browser.  
• A new commercial spyware, dubbed KingsPawn, was used to compromise the iPhones of high-profile individuals. The spyware was distributed using a zero-click exploit, named ENDOFDAYS, that targeted a zero-day flaw affecting iPhones running iOS 1.4 up to 14.4.2. The targeted victims include journalists, political opposition figures, and NGO workers in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
• A newly discovered CryptoClippy clipper malware was found targeting Portuguese cryptocurrency users. The attack leverages SEO poisoning techniques to entice users searching for ‘WhatsApp web’ to rogue domains hosting the malware. The malware monitors a victim’s clipboard to replace the actual wallet address with a wallet address controlled by threat actors. 
• A new malware strain named Rilide used Chromium-based browsers to steal cryptocurrency assets. The malware is disguised as a Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities such as taking screenshots and monitoring browsing history. 
• Poorly secured MS-SQL servers were found being hacked to deploy Trigona ransomware and encrypt all files. The servers were breached via brute-force attacks. After connecting to a server, the attackers deployed a malware dubbed CLR Shell in the first stage and Trigona ransomware in the last stage of the attack.
• A new macOS info-stealing malware named Atomic (aka AMOS) is being sold on private Telegram channels. The malware steals keychain passwords, files from local filesystems, passwords, cookies, and credit card details stored in browsers. It can steal from 50 cryptocurrency extensions. North Korea-based BlueNoroff threat actor also introduced a new macOS malware called RustBucket. The malware masquerades as a legitimate Apple bundle identifier that helps the attackers override Gatekeeper on Macs. Written in Rust language, it is capable of gathering system information.