
Cyware Monthly Threat Intelligence, April 2023



The Good

Did you know vulnerabilities in Google products are exploited in the wild within seven days of discovery? As worrying as it can get for billions of users worldwide, Google has decided to do its bit for those who act as the liaisons between it and the users - the security community. The organization has introduced multiple initiatives aimed at bolstering the vulnerability management ecosystem and assisting the security community in mitigating cyber risks. In another progressive step, a coalition of Five Eyes security agencies issued guidance urging tech manufacturers to prioritize customer safety and built-in cybersecurity features.

  • Google collaborated with several other companies to form a new group, called the Hacking Policy Council, that will advocate better regulations and policies for vulnerability management and disclosure. The council is an initiative of the Center for Cybersecurity Policy and Law. It will also be putting aside an undisclosed legal defense fund for researchers that are sued or prosecuted for pursuing “good faith research in cases that would advance cybersecurity for the public interest.”
  • The NIST released a new post-quantum cryptography guidance draft that is open for public comments until June 8. The document is meant to help organizations understand the security architecture in their networks and implement post-quantum security measures where it is necessary. The new draft follows NIST’s ongoing effort to finalize quantum-resistant algorithms in 2024 after identifying other encryption algorithms in 2022. 
  • The DOD launched a new website, www.hackthepentagon[.]mil, to enhance and support the Hack the Pentagon program that was launched in 2016. The website includes educational materials that can be used as a foundation step for launching a bug bounty program. The platform will also enable the engagement and recruitment of technical talent.
  • New guidance to enhance the security of software and technology products was issued by the CISA in collaboration with the FBI, the NSA, and security agencies from the Five Eyes Intelligence Alliance. The authorities urged manufacturers to ship only those products to customers that follow secure-by-design and secure-by-default approaches.

The Bad

Moving on. Crypto is favored by cybercriminals due to its liquidity, borderless nature, and ability to evade sanctions and regulations. Crypto exchanges GDAC and Bitrue were targeted in two separate incidents that incurred a total loss of $36 million. With the ransomware threat actors upping the game every season, there were some headline-grabbing incidents last month. Top victims include a London-based corporation, a U.S.-based payment processing giant, and a Taiwanese PC parts maker.

  • Hackers broke into South Korea-based GDAC and stole nearly $13 million worth of Bitcoin, Ethereum, and Wemix tokens from the firm. Separately, crypto exchange Bitrue’s hot wallet was accessed by cybercriminals, which resulted in the theft of $23 million worth of ETH, GALA, QNT, SHIB, MATIC, and HOT. The firm temporarily suspended its operations, including withdrawals.
  • Hackers dumped the private data of around 400,000 Kodi users on several hacking forums. The media player maker suffered a data breach on February 16 and 21 after threat actors compromised the account of an inactive administrator and accessed the web-based MyBB admin console.
  • Taiwanese PC parts maker MSI was struck with a $4 million ransomware attack by a newly formed ransomware group called Money Message. The threat actors threatened to publish 1.5 TB of data they allegedly stole from the firm. To substantiate its claim, the group posted screenshots of the hardware vendor’s CTMS and ERP databases containing software source code, private keys, and BIOS firmware.
  • Around 250 million software artifacts and over 65,000 container images were found to be exposed via thousands of internet-facing registries and repositories. Some 1,400 hosts also allowed access to secret keys, passwords, and other sensitive information that could enable attackers to mount a supply chain attack or poison a software development environment. These hosts were linked to addresses of several Fortune 500 companies such as Siemens, Cisco, Alibaba, and IBM.
  • A misconfigured database exposed more than 1.2 million police records on the internet. The database also included 800 GB of information on people who applied for employment in law enforcement in the Philippines, along with documents on tax identification numbers of officers. It is believed that the database had been left exposed for at least six weeks.
  • London-based Capita admitted to a ransomware attack that compromised nearly 4% of its server infrastructure to steal data of its staff, potential customers, and vendors. Black Basta claimed responsibility for the attack and put up for sale sensitive data stolen from the firm. This includes bank account information, addresses, and passport photos.
  • Payment processing giant NCR disclosed that it was a victim of a ransomware attack that occurred last weekend. This caused a PoS outage and affected multiple companies using the service. One of the affected systems was Aloha, the payments service which is used by multiple restaurants.
  • Sensitive details of several banks, including QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, Reed, HSBC, and Westpac, were leaked due to a misconfiguration issue in a digital identification tool provided by OCR Labs. The leaked data included access credentials to AWS, application tokens, and various API keys.
  • The Medusa ransomware group added the Open University of Cyprus to its data leak site, giving the institute 14 days to respond. The hackers demanded $100,000 in ransom to prevent the further leak of data that includes the PII of students and the financial details of research contractors.
  • Online marketplace Z2U was found exposing 600,000 customer support attachments due to an unprotected database. The attachments included images of individuals holding credit cards, passports, and other ID documents. Other exposed information included email addresses, passwords, and IBAN numbers of users.
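The exposed registries and the OCR Labs misconfiguration above share one root cause: credentials (AWS keys, API tokens, private keys) sitting in plain text inside artifacts that were never meant to be reachable. A scanner that walks your own registries and repositories for such material is the cheapest way to find them before someone else does. The following is an added example written for this digest, not code from Cyware or from any of the vendors named above; the file contents are constructed (the AWS secret is Amazon's documentation example, the other values are made up), and the generic-assignment pattern and entropy threshold are heuristics of this example, not a published standard:

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detection patterns. The AWS access-key-ID prefix (AKIA + 16 chars) and the
# GitHub classic PAT prefix (ghp_ + 36 chars) are public formats; the generic
# assignment pattern is a heuristic that needs the entropy filter below.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)(?:aws_secret_access_key|api[_-]?key|secret|token|password|passwd)"
        r"\s*[:=]\s*['\"]?(?P<value>[^\s'\"]{8,})"),
}


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    preview: str  # redacted so the report itself does not re-leak the value


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, placeholders score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "..." + "*" * 4 if len(value) > 8 else "*" * len(value)


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.groupdict().get("value") or m.group(0)
                # Generic assignments are noisy: drop values that do not look
                # random (e.g. "changeme"), keep ones that do.
                if kind == "generic_secret_assignment" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content (e.g. files extracted from an image layer)."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample: the kind of content found in an exposed image layer or
# repository. None of these are real credentials.
SAMPLE_FILES = {
    "layer3/app/.env": (
        "DB_HOST=db.internal\n"
        "DB_PASSWORD=changeme\n"
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000000AB\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "layer5/root/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...\n"
    ),
    "src/settings.py": 'API_KEY = "f4k3d3adb33f0123456789abcdef0123"\nDEBUG = True\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.kind}  {f.preview}")
```

On the sample the scanner reports four findings (the AKIA key, the secret-key and API-key assignments, and the SSH private key) and ignores the low-entropy `changeme` placeholder. In practice you would feed it the extracted layers of every image in a registry and the working tree of every repository, then rotate whatever it finds rather than just deleting the file, since the exposed value may already have been read.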

New Threats

A lot happened in the cyber landscape in the last couple of fortnights. Let’s brush through the top threats that you may need to defend against in the near future. Researchers have reported the first-ever exploitation of Kubernetes (K8s) Role-Based Access Control (RBAC) to create persistent cluster backdoors. Meanwhile, Rilide, ViperSoftX, and CryptoClippy malware emerged as threats to the crypto industry. Apple devices also remained a focus of cybercriminals with Atomic and RustBucket targeting users in their own unique ways.

  • Threat actors devised a new attack method to abuse Kubernetes role-based access control (RBAC) to deploy backdoors for persistence. Dubbed RBAC Buster, the attack method can also enable attackers to launch cryptojacking attacks on targeted Kubernetes clusters by exploiting misconfigured API servers linked to the clusters. 
  • ViperSoftX, a cryptocurrency and info-stealer malware, was updated to include more sophisticated encryption and data-stealing methods. So far, the variant has infected a significant number of victims in consumer and enterprise sectors across Australia, Japan, the U.S., India, Taiwan, Malaysia, France, and Italy.
  • Charming Kitten APT was observed using a previously unseen custom dropper malware, BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. The attackers possibly exploited known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Microsoft Exchange Server to drop the malware.
  • An ongoing attack campaign, tracked as OCX#HARVESTER, was found distributing More-eggs backdoor, along with other malicious payloads. The More-eggs backdoor was observed in the wild from December 2022 through March 2023. The attack chain leveraged specially crafted phishing emails to lure victims in the financial sector, especially those organizations involved with cryptocurrencies. 
  • Researchers observed a new variant of LockBit ransomware that targets macOS systems. Although the variant is still in active development, it already enables threat actors to encrypt files stored on ARM-powered Macs.
  • Threat actors were abusing Eval PHP, an abandoned WordPress plugin, to take over and backdoor websites. The plugin allowed attackers to insert malicious PHP code into pages and posts on WordPress sites. The injected code runs every time one of those posts or pages is opened in a browser.
  • A new commercial spyware, dubbed KingsPawn, was used to compromise the iPhones of high-profile individuals. The spyware was distributed using a zero-click exploit, named ENDOFDAYS, that targeted a zero-day flaw affecting iPhones running iOS 1.4 up to 14.4.2. The targeted victims include journalists, political opposition figures, and NGO workers in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
  • A newly discovered clipper malware, CryptoClippy, was found targeting Portuguese cryptocurrency users. The attack leverages SEO poisoning to steer users searching for ‘WhatsApp web’ to rogue domains hosting the malware. The malware monitors a victim’s clipboard and replaces any copied wallet address with one controlled by the threat actors.
  • A new malware strain named Rilide used Chromium-based browsers to steal cryptocurrency assets. The malware is disguised as a Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities such as taking screenshots and monitoring browsing history. 
  • Poorly secured MS-SQL servers were found being hacked to deploy Trigona ransomware and encrypt all files. The servers were breached via brute-force attacks. After connecting to a server, the attackers deployed a malware dubbed CLR Shell in the first stage and Trigona ransomware in the last stage of the attack.
  • A new macOS info-stealing malware named Atomic (aka AMOS) is being sold on private Telegram channels. The malware steals keychain passwords, files from the local filesystem, and passwords, cookies, and credit card details stored in browsers. It can steal from 50 cryptocurrency extensions. The North Korea-based BlueNoroff threat actor also introduced a new macOS malware called RustBucket. The malware masquerades as a legitimate Apple bundle identifier, which helps the attackers bypass Gatekeeper on Macs. Written in Rust, it is capable of gathering system information.
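The RBAC Buster item above boils down to a ClusterRoleBinding that hands a powerful role to a subject an operator would never knowingly grant it to: an anonymous or all-authenticated principal, a default service account, or a freshly created service account whose long-lived token then serves as the backdoor. That is something you can audit from the API server's own objects. The script below is an added example for this digest, not code from Cyware or from the researchers who reported the attack; the ClusterRole and ClusterRoleBinding objects are constructed (the `view` role is deliberately simplified), and the choice of which verbs and resources count as "powerful" is this example's heuristic:

```python
from dataclasses import dataclass

# Subjects that should never hold write access cluster-wide.
RISKY_SUBJECTS = {
    ("User", "system:anonymous"),
    ("Group", "system:unauthenticated"),
    ("Group", "system:authenticated"),
}
# Heuristic: write/wildcard verbs on these resources give cluster control
# (pods/daemonsets/deployments = code execution on nodes, RBAC objects =
# privilege escalation, secrets = credential theft).
SENSITIVE_RESOURCES = {"*", "pods", "secrets", "daemonsets", "deployments",
                       "clusterroles", "clusterrolebindings", "roles", "rolebindings"}
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection"}


@dataclass
class RbacFinding:
    binding: str
    subject: str
    role: str
    reason: str


def role_is_powerful(role: dict) -> bool:
    """True for cluster-admin, for any write verb on a sensitive resource,
    or for read access to secrets."""
    if role["metadata"]["name"] == "cluster-admin":
        return True
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if verbs & WRITE_VERBS and resources & SENSITIVE_RESOURCES:
            return True
        if verbs & {"get", "list", "*"} and "secrets" in resources:
            return True
    return False


def audit(objects: list[dict]) -> list[RbacFinding]:
    """objects: mixed ClusterRole / ClusterRoleBinding items, e.g. the 'items'
    of `kubectl get clusterroles,clusterrolebindings -o json`."""
    roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    findings = []
    for b in objects:
        if b["kind"] != "ClusterRoleBinding":
            continue
        role_name = b["roleRef"]["name"]
        role = roles.get(role_name)
        if role is None or not role_is_powerful(role):
            continue  # read-only or unresolvable role: not a backdoor by itself
        for s in b.get("subjects", []):
            if s["kind"] == "ServiceAccount":
                who = f"ServiceAccount/{s.get('namespace', '')}/{s['name']}"
            else:
                who = f"{s['kind']}/{s['name']}"
            if (s["kind"], s["name"]) in RISKY_SUBJECTS:
                reason = "unauthenticated or all-users subject bound to a powerful role"
            elif s["kind"] == "ServiceAccount" and s["name"] == "default":
                reason = "default service account bound to a powerful role"
            elif s["kind"] == "ServiceAccount" and role_name == "cluster-admin":
                reason = "service account holds cluster-admin; its token is a persistence vector, verify it is expected"
            else:
                continue
            findings.append(RbacFinding(b["metadata"]["name"], who, role_name, reason))
    return findings


# Constructed sample cluster state (simplified; not real cluster output).
CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-deployer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["create"]}]},
]
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "authenticated-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anonymous-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "kube-controller"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "kube-controller",
                   "namespace": "kube-system"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "default-sa-deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
]
SAMPLE_OBJECTS = CLUSTER_ROLES + BINDINGS

if __name__ == "__main__":
    for f in audit(SAMPLE_OBJECTS):
        print(f"{f.binding}: {f.subject} -> {f.role}: {f.reason}")
```

On the sample the audit flags three bindings (`anonymous-admin`, the innocuous-looking `kube-controller`, and `default-sa-deployer`) and leaves the read-only `authenticated-view` alone. Note that the binding and service-account names in a real incident are chosen to blend in, so the check is on what the binding grants and to whom, never on the name. Namespaced RoleBindings are not covered here; the same logic applies to them with `kubectl get roles,rolebindings -A -o json`.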
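The Trigona item describes the oldest entry point in the list: password guessing against an internet-reachable MS-SQL server. SQL Server writes every failed login (and, if login auditing is set to record successes, every successful one) to its ERRORLOG with the client address, so a burst of failures from one client followed by a success is visible without any extra tooling. The detector below is an added example for this digest, not code from Cyware or from the researchers who reported the campaign; the log lines are constructed to match the ERRORLOG format, and the threshold and window are this example's defaults:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server ERRORLOG logon lines: timestamp, "Logon" source, then either
# "Login failed for user '...'. Reason: ..." or "Login succeeded for user '...'.",
# always ending in "[CLIENT: <ip>]".
LOGON_EVENT = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'\.\s.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: a 'brute_force' alert when one client produces
    >= threshold failed logins within window, and a 'success_after_burst'
    alert when that client then logs in successfully within the window."""
    failures = defaultdict(deque)  # client -> deque of (timestamp, user)
    alerted = {}                   # client -> time of its brute_force alert
    alerts = []
    for line in lines:
        m = LOGON_EVENT.match(line)
        if not m:
            continue  # "Error: 18456, Severity: 14" lines etc. carry no client
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client, user = m["client"], m["user"]
        if m["result"] == "failed":
            q = failures[client]
            q.append((ts, user))
            while ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and client not in alerted:
                alerted[client] = ts
                alerts.append({"type": "brute_force", "client": client,
                               "count": len(q),
                               "users": sorted({u for _, u in q}),
                               "first": q[0][0], "last": ts})
        elif client in alerted and ts - alerted[client] <= window:
            # The guess succeeded: this is the compromise, not just the attempt.
            alerts.append({"type": "success_after_burst", "client": client,
                           "user": user, "at": ts})
    return alerts


# Constructed sample ERRORLOG excerpt (documentation-range IPs, not real hosts).
SAMPLE_LOG = """\
2023-04-10 02:14:01.11 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 02:14:01.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:02.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:03.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:04.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:05.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2023-04-10 02:14:08.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2023-04-10 02:30:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.5.12]
2023-04-10 02:30:07.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.5.12]
"""

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

Run against the sample, the detector raises one `brute_force` alert for 203.0.113.45 (five failures in four seconds against `sa` and `admin`) and then a `success_after_burst` alert when the same client logs in as `sa`; the single mistyped password from 10.0.5.12 produces nothing. The second alert type is the one worth paging on: a successful login right after a burst is the point at which the first-stage payload the item describes gets deployed, and the response is to disable the account and block the client, not just to reset the password.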


Tags: macos malware, hacking policy council, rustbucket malware, five eyes intelligence alliance, rilide malware, ncr corporation, money message, atomic malware

Posted on: May 03, 2023
