Cyware Monthly Threat Intelligence, August 2022

The Good

• The RTF introduced the ‘Blueprint for Ransomware Defense.’ It includes a set of actionable measures for SMEs to protect against and respond to ransomware and other common cyberattacks. It contains defensive actions and preventive controls for enterprise asset and software inventory management, vulnerability management, malware defense, training, data recovery, incident response, and more.
• A trade group representing producers of unmanned drones, airplanes, boats, cars, and other vehicles has teamed up with a cybersecurity company to develop security standards for the autonomous vehicles market. These include applying effective encryption and authentication tools around remote operations and connectivity, looking at third- and fourth-party suppliers in the supply chain, and evaluating the security of products.
• The U.S. Cyber Command’s Cyber National Mission Force has successfully concluded 35th ‘Hunt Forward’ operations in 18 countries, including Estonia, Lithuania, Montenegro, North Macedonia, and Ukraine. The last one took place in Croatia. These operations are carried out to help countries across the globe to uncover advanced malware and defend against incoming cyberattacks. 
• The Forum of Incident Response and Security Teams (FIRST) has released the version 2.0 of Traffic Light Protocol (TLP), five years after the release of the initial version. In the new update, the TLP:WHITE level has now been renamed TLP:CLEAR. Also, TLP:AMBER has been modified to add another sub-level named TLP:AMBER+STRICT.

The Bad

• Group-IB researchers estimated that the state-sponsored APT41 hacker group, aka Winnti, had targeted at least 13 organizations worldwide in 2021. The targeted organizations included the public sector, manufacturing, healthcare, logistics, hospitality, and media. In its campaigns, the group used tools such as Acunetix, Nmap, SQLmap, subdomain3, subDomainsBrute, and Sublist3r for reconnaissance. 
• In a mix-up, the Cl0p ransomware gang claimed attacks and stole data belonging to South Staffs Water believing it to be for Thames Water. The attackers had stolen more than 5TB of data from the organization and also asserted that they had access to some SCADA systems. 
• Cryptocurrency service Nomad suffered a major setback after hackers drained almost $200 million in digital funds from the company within a few hours. The attacker exploited a security flaw in the blockchain bridge to steal the funds.
• For the past three years, the China-based cyberespionage group RedAlpha, aka Deepcliff and Red Dev 3, has been observed targeting numerous government organizations, humanitarian entities, and think tanks. The purpose of these campaigns is to harvest credentials from the targeted individuals and organizations. 
• An unknown actor drained funds from approximately 8,000 wallets on the Solana network, causing a loss of approximately $8 million. The funds were drained from internet-connected hot wallets that include Phantom, Slope, and TrustWallet.
• One of the largest platforms for trading CS:GO in-game skins, CS.MONEY was attacked and the website was pulled down. Attackers reportedly stole 20,000 items worth nearly $6 million. The attack spurred out of 100 controlled bot accounts pursuing thousands of transactions, stealing the items to their own accounts. All the stolen skins transferred are in trade-lock now.
• Over 35,000 software repositories on GitHub were discovered distributing malware. Threat actors created copies of legitimate projects including crypto projects, Golang, Python, Docker, JavaScript, and bash to trick unsuspecting developers into downloading the malware. 
• More than 20 malicious PyPI packages designed to steal passwords and other sensitive information from victims’ machines were uncovered in a new software supply chain attack. In a similar vein, PyPI warned Python project managers about the first known phishing attack against its community, aimed at stealing credentials and initiating supply chain attacks.
• The sophisticated scam-as-a-service operation dubbed Classiscam has now expanded to Europe. Active for more than a year, the scam especially targets people using online marketplaces and services relating to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. 
• A large-scale phishing campaign was found abusing Google Sites and the Microsoft Azure Web app to create fake websites for Coinbase, MetaMask, Kraken, and Gemini. These fake websites are being used as channels to target people’s crypto wallets and their assets.
• Microsoft disclosed a potential connection between the Raspberry Robin malware and a Russian cybercrime group - Evil Corp. The company’s researchers discovered that the Raspberry Robin Windows worm was being used to deliver the FakeUpdates malware. It is believed that the Raspberry Robin malware was deployed on the networks of hundreds of organizations across a wide range of industry sectors.
• A massive phishing campaign codenamed 0ktapus leveraged compromised Okta identity credentials and bypassed two-factor authentication to gain initial access to victims’ computers. Over 130 organizations, including Twilio, MailChimp, and Klaviyo, located in the U.S. and Canada are affected by the campaign. 
• Accelya—a technology firm providing services to Delta, British Airways, JetBlue, United, Virgin Atlantic, and American Airlines—confirmed that it was targeted by the BlackCat ransomware group. The group has reportedly stolen emails, and worker contracts from the firm, a part of which was also published on the group’s data leak site. 
• Hospitality and travel industry firms located in Latin America, North America, and Western Europe are under attack from TA558 threat actors. The actors are using phishing emails to pivot the campaign that has been ongoing since the beginning of the year.

New Threats

• A new class of HTTP request smuggling attacks can enable threat actors to compromise multiple popular websites. Named browser-powered desync, the attack can be used to compromise Amazon sites and those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52.
• Andariel, a subgroup of Lazarus, uses Maui ransomware and DTrack spyware, to carry out financially motivated attacks on companies. Reports suggest that multiple organizations located in India, Vietnam, and Russia were the target of such attacks in 2021.
• DeathStalker APT has upgraded the capabilities of VileRAT to perform more sophisticated attacks on foreign exchange and cryptocurrency trading companies. Researchers have observed multiple samples of the malware in the wild, with the latest sample identified in June.
• A new signed macOS malware sample developed by Lazarus APT group is being distributed via fake job offer emails from Coinbase. It is linked to the infamous ‘Operation Interception’ campaign that had earlier targeted high-profile aerospace and military organizations.
• A new RAT called Escanor is being advertised on the dark web and Telegram by attackers who go by the same name. The malware is delivered via weaponized Microsoft Office documents. The malware can target Android phones and computers.
• Hackers are adopting the Sliver toolkit as an alternative for Cobalt Strike to launch a variety of attacks, including ransomware operations. One group that adopted Sliver is tracked as DEV-0237. However, the use of Sliver by cybercriminals isn’t new. Russian APT29 has also used Sliver to keep access to compromised environments.
• A dodgy Chrome extension called ‘Internet Download Manager’ installed by more than 200,000 users was found to be adware in disguise. Once installed, it exhibited unwanted behavior such as opening links to spammy sites, changing the default search engine browser, and showing pop-ups about patches and unwanted programs.  
• A new data extortion group named Donut Leaks was linked to recent cyberattacks on various organizations including DESFA, Sheppard Robson, and Sando. The hacker group is likely a pentester or an affiliate for Hive, Ragnar, and possibly other ransomware groups. 
• A new ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. Dubbed Agenda, the ransomware can be customized and shares similarities with the BlackBast, BlackMatter, and REvil ransomware. 
• Researchers have documented PoC exploits for Evil PLC attacks against seven ICS manufacturers: Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson. A hijacked PLC can be used to compromise engineering workstations, which in turn, can open doors to other potential cyberattacks. 
• Security researchers discovered a new vulnerability called ParseThru affecting Golang-based applications. The issue stems from changes introduced to Golang's URL parsing logic that's implemented in the "net/url" library. It could be abused to gain unauthorized access to cloud-based applications.
• A new malware called Woody RAT has been in the wild for at least one year. This advanced custom trojan is used to target Russian entities by using lures in the form of archive files and, more recently, Office documents leveraging the Follina vulnerability.
• A fake website masquerading as the official Atomic Wallet website was found spreading copies of Mars infostealer. The website was promoted on social media, with direct messages on various platforms, SEO poisoning, and spam emails. The fake site even featured a contact form, email address, and FAQ section.