Cyware Monthly Threat Intelligence

Monthly Threat Briefing • May 3, 2023
Did you know vulnerabilities in Google products are exploited in the wild within seven days of discovery? As worrying as it can get for billions of users worldwide, Google has decided to do its bit for those who act as the liaisons between it and the users - the security community. The organization has introduced multiple initiatives aimed at bolstering the vulnerability management ecosystem and assisting the security community in mitigating cyber risks. In another progressive step, a coalition of Five Eyes security agencies issued guidance urging tech manufacturers to prioritize customer safety and built-in cybersecurity features.
Moving on. Crypto is favored by cybercriminals due to its liquidity, borderless nature, and ability to evade sanctions and regulations. Crypto exchanges GDAC and Bitrue were targeted in two separate incidents that incurred a total loss of $36 million. With the ransomware threat actors upping the game every season, there were some headline-grabbing incidents last month. Top victims include a London-based corporation, a U.S.-based payment processing giant, and a Taiwanese PC parts maker.
A lot happened in the cyber landscape over the past month. Let's run through the top threats you may need to defend against in the near future. Researchers reported the first-ever exploitation of Kubernetes (K8s) Role-Based Access Control (RBAC) to create persistent cluster backdoors. Meanwhile, Rilide, ViperSoftX, and CryptoClippy malware emerged as threats to the crypto industry. Apple devices also remained a focus of cybercriminals, with Atomic and RustBucket targeting users in their own unique ways.
Threat actors devised a new attack method to abuse Kubernetes role-based access control (RBAC) to deploy backdoors for persistence. Dubbed RBAC Buster, the attack method can also enable attackers to launch cryptojacking attacks on targeted Kubernetes clusters by exploiting misconfigured API servers linked to the clusters.
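As an added defensive illustration (not code from the briefing or from the researchers who named RBAC Buster), the check below scans Kubernetes API-server audit events for the pattern the paragraph describes: successful writes by an anonymous caller, a ClusterRole with wildcard permissions, and a ClusterRoleBinding that hands such a role to a ServiceAccount. The sample events are constructed and trimmed to the audit.k8s.io/v1 fields the checks read; the resource names in them are placeholders.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete"}

# Constructed sample events (not from the briefing), newline-delimited in the
# shape of audit.k8s.io/v1 records, trimmed to the fields the checks read.
SAMPLE_AUDIT_LOG = r'''
{"verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"pods"},"responseStatus":{"code":403}}
{"verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"clusterroles","name":"example-role"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"objectRef":{"resource":"clusterrolebindings","name":"example-binding"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"example-role"},"subjects":[{"kind":"ServiceAccount","name":"example-sa","namespace":"kube-system"}]},"responseStatus":{"code":201}}
{"verb":"create","user":{"username":"kubernetes-admin","groups":["system:masters"]},"objectRef":{"resource":"deployments","namespace":"default","name":"web"},"responseStatus":{"code":201}}
'''

def is_wildcard_rule(rule):
    # A rule granting every verb on every resource is effectively cluster-admin.
    return "*" in rule.get("verbs", []) and "*" in rule.get("resources", [])

def check_event(ev, wildcard_roles):
    """Return finding strings for one event; wildcard_roles carries state across events."""
    findings = []
    user, verb, body = ev.get("user", {}), ev.get("verb"), ev.get("requestObject", {})
    ref = ev.get("objectRef", {})
    resource, name = ref.get("resource"), ref.get("name")
    ok = 200 <= ev.get("responseStatus", {}).get("code", 0) < 300
    anonymous = (user.get("username") == "system:anonymous"
                 or "system:unauthenticated" in user.get("groups", []))
    if not (ok and verb in WRITE_VERBS):
        return findings  # reads and rejected requests cannot establish persistence
    # Rule 1: a successful write by an unauthenticated caller means the API
    # server is misconfigured to allow anonymous access and someone is using it.
    if anonymous:
        findings.append(f"anonymous {verb} of {resource}/{name}")
    # Rule 2: a ClusterRole created or changed to carry wildcard permissions.
    if resource == "clusterroles" and any(is_wildcard_rule(r) for r in body.get("rules", [])):
        wildcard_roles.add(name)
        findings.append(f"wildcard ClusterRole {name}")
    # Rule 3: a binding that hands cluster-admin or a wildcard role to a
    # ServiceAccount, the shape of a long-lived backdoor identity.
    if resource == "clusterrolebindings":
        role = body.get("roleRef", {}).get("name")
        if role == "cluster-admin" or role in wildcard_roles:
            for s in body.get("subjects", []):
                if s.get("kind") == "ServiceAccount":
                    findings.append(f"binding {name} grants {role} to "
                                    f"ServiceAccount {s.get('namespace')}/{s.get('name')}")
    return findings

def scan_audit_log(text):
    # Scan newline-delimited audit events and return every finding in order.
    wildcard_roles, results = set(), []
    for line in text.splitlines():
        if line.strip():
            results.extend(check_event(json.loads(line), wildcard_roles))
    return results
```

Audit logging must be enabled on the API server with a policy that records RBAC objects at the Request level, otherwise `requestObject` is absent and rules 2 and 3 never fire.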
ViperSoftX, a cryptocurrency and info-stealer malware, was updated to include more sophisticated encryption and data-stealing methods. So far, the variant has infected a significant number of victims in consumer and enterprise sectors across Australia, Japan, the U.S., India, Taiwan, Malaysia, France, and Italy.
Charming Kitten APT was observed using a previously unseen custom dropper malware, BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. The attackers possibly exploited known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Microsoft Exchange Server to drop the malware.
An ongoing attack campaign, tracked as OCX#HARVESTER, was found distributing More-eggs backdoor, along with other malicious payloads. The More-eggs backdoor was observed in the wild from December 2022 through March 2023. The attack chain leveraged specially crafted phishing emails to lure victims in the financial sector, especially those organizations involved with cryptocurrencies.
Researchers observed a new variant of LockBit ransomware that targets macOS systems. While the variant is still in active development, analysis shows it is able to encrypt files stored on ARM-powered Macs.
Threat actors were abusing Eval PHP, an abandoned WordPress plugin, to take over and backdoor websites. The plugin allowed attackers to insert malicious PHP code into pages and posts on WordPress sites. This code is executed every time the affected post or page is opened in a browser.
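As an added example for site owners (not code from the briefing), the scan below looks through post content for the plugin's shortcode and grades each hit by whether the embedded PHP calls functions that rarely belong in page content. The `[evalphp]` tag is what the Eval PHP plugin uses, but the briefing does not name it, so verify it against your installed copy; the post rows are constructed.

```python
import re

# Shortcode pair used by the Eval PHP plugin. The briefing does not name it, so
# treat this tag as an assumption to confirm against the installed plugin.
EVALPHP_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.DOTALL | re.IGNORECASE)

# PHP constructs that rarely belong in post content; any one raises severity.
SUSPICIOUS = ("file_put_contents", "base64_decode", "eval(", "system(",
              "shell_exec", "$_POST", "$_REQUEST", "$_GET")

# Constructed sample rows shaped like (ID, post_title, post_content) from wp_posts.
SAMPLE_POSTS = [
    (1, "Welcome", "<p>Hello and welcome to the site.</p>"),
    (2, "Contact", "[evalphp] echo date('Y'); [/evalphp]"),
    (3, "Draft", "[evalphp] file_put_contents('wp-content/x.php', "
                 "base64_decode($_POST['c'])); [/evalphp]"),
]

def scan_posts(rows):
    """Return (post_id, title, severity) for every post carrying an evalphp shortcode."""
    hits = []
    for post_id, title, content in rows:
        for match in EVALPHP_RE.finditer(content):
            body = match.group(1)
            # Any shortcode is worth reviewing because the plugin runs whatever it
            # contains; a dropper-style body is flagged high straight away.
            severity = "high" if any(s in body for s in SUSPICIOUS) else "review"
            hits.append((post_id, title, severity))
    return hits
```

Feed it the output of a `SELECT ID, post_title, post_content FROM wp_posts` query (including revisions and drafts, which the plugin also evaluates when rendered) and remove the plugin once the hits are cleaned up.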
A new commercial spyware, dubbed KingsPawn, was used to compromise the iPhones of high-profile individuals. The spyware was distributed using a zero-click exploit, named ENDOFDAYS, that targeted a zero-day flaw affecting iPhones running iOS 1.4 up to 14.4.2. The targeted victims include journalists, political opposition figures, and NGO workers in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
A newly discovered CryptoClippy clipper malware was found targeting Portuguese cryptocurrency users. The attack leverages SEO poisoning techniques to entice users searching for ‘WhatsApp web’ to rogue domains hosting the malware. The malware monitors a victim’s clipboard to replace the actual wallet address with a wallet address controlled by threat actors.
A new malware strain named Rilide used Chromium-based browsers to steal cryptocurrency assets. The malware is disguised as a Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities such as taking screenshots and monitoring browsing history.
Poorly secured MS-SQL servers were found being hacked to deploy Trigona ransomware and encrypt all files. The servers were breached via brute-force attacks. After connecting to a server, the attackers deployed malware dubbed CLR Shell in the first stage and Trigona ransomware in the final stage of the attack.
A new macOS info-stealing malware named Atomic (aka AMOS) is being sold on private Telegram channels. The malware steals keychain passwords, files from the local filesystem, and passwords, cookies, and credit card details stored in browsers. It can steal from 50 cryptocurrency extensions. The North Korea-based BlueNoroff threat actor also introduced a new macOS malware called RustBucket. The malware uses a bundle identifier that masquerades as a legitimate Apple one, helping the attackers get past Gatekeeper on Macs. Written in Rust, it is capable of gathering system information.