Cyware Monthly Threat Intelligence, August 2023

The Good

In response to escalating cybersecurity threats, a team of researchers has introduced a new, highly efficient cipher designed to defeat cache side-channel attacks, a notable advance for computer security. Along the same lines, the CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan to help government organizations and SMBs mitigate the risks associated with RMM software. Furthermore, the White House has decided to work on a plan to modernize outdated IT systems in federal agencies.

  • A team of academics and researchers at Tohoku University, Ruhr University Bochum, and NTT Social Informatics Laboratories has developed a new standard to address the threat of cache side-channel attacks. Dubbed Secure CAche Randomization Function (SCARF), the technique is compatible with different computer architectures, which makes it widely applicable and strengthens computer security.
  • The CISA released the RMM Cyber Defense Plan to help government organizations mitigate the risk of deploying and using RMM software in their environments. Built upon the JCDC 2023 Planning Agenda, the new guideline will also be useful for SMBs that are MSP/MSSP customers, as threat actors can gain a foothold in MSPs/MSSPs via RMM software.
  • The White House has reportedly started work on a plan to replace vulnerable and outdated IT systems across federal civilian agencies in an effort to bolster the nation’s cyber posture. The Office of Management and Budget has been assigned the job of developing a multi-year lifecycle plan that includes migrating to cloud-based services and mitigating the risks associated with older systems. This development comes after the GAO found in May that 10 critical federal agencies had failed to take proper security measures to secure their legacy systems.
  • CERT-NZ officially joined hands with the NCSC to bolster the nation’s cyber defenses. The development comes a month after the government announced its commitment to enhance cybersecurity readiness and response. The integration marks the first step in creating a unified operational cybersecurity agency in New Zealand, with similar actions taking place in countries like Australia, the U.K., and Canada.

The Bad

Significant recent cybersecurity incidents have rocked the digital realm, especially in the cryptocurrency space. While Exactly and Harbor suffered substantial losses, FTX, BlockFi, and Genesis fell victim to a SIM-swapping attack pulled off at their common risk and financial advisory firm. A French national employment agency had the sensitive data of up to 10 million individuals compromised in the MOVEit hack. Moving on, an alarming discovery showed that more than 60% of Kubernetes clusters from over 350 organizations were targeted in an active cryptomining campaign.

  • Cryptocurrency firms FTX, BlockFi, and Genesis suffered data breaches caused by a SIM-swapping attack at Kroll. By transferring a victim’s phone number to a new SIM card, the attacker successfully accessed information stored on Kroll’s systems, specifically files containing personal information of bankruptcy claimants.
  • A data breach at Topgolf Callaway exposed the personal and account details of 1.1 million customers, including those associated with Callaway’s sub-brands Odyssey, Ogio, and Callaway Golf Preowned sites. The incident occurred on August 1, and the affected data includes full names, email addresses, phone numbers, and order histories.
  • Two cryptocurrency platforms, Exactly Protocol and Harbor Protocol, experienced cyberattacks resulting in millions of dollars worth of cryptocurrency being stolen. While Harbor Protocol could not disclose how much was stolen from its vaults, Exactly Protocol reported losing $7.3 million worth of ETH in the attack.
  • Brunswick Corporation, one of the leading marine parts manufacturers, suffered a financial loss of $85 million due to the downtime following a cyberattack. The incident affected its IT systems and other facilities, forcing the firm to halt its operations and businesses for almost nine days. No hacking group claimed responsibility for the attack.
  • The French national employment agency, Pôle emploi, is the latest in a series of victims affected by the MOVEit hack. The incident impacted the critical information of up to 10 million people, bringing the total to almost 59 million impacted individuals. Moreover, the total number of organizations impacted by the MOVEit incident reached almost 1,000.
  • Travel giant Mondee inadvertently exposed more than 1.7TB of customers’ data due to a vulnerable database hosted on Oracle’s cloud. The exposed information included names, genders, dates of birth, home addresses, flight information, and passport numbers.
  • The LockBit ransomware group added Varian Medical Systems to its list of victim organizations and threatened to leak the medical data of cancer patients if the firm failed to pay the ransom by August 17. The group did not disclose how much data was stolen, nor did the firm confirm the attack.
  • Around 60% of Kubernetes clusters belonging to more than 350 organizations were targets of an active cryptomining campaign. These clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies in the financial, aerospace, automotive, industrial, and security sectors.
  • A pro-Russian hacking group, NoName057, listed the Dutch public transport website, local bank SNS, the Groningen seaport, and the website of the municipality of Vlaardingen among its targets. These websites were taken down in DDoS attacks, making them unreachable.
  • The personal information of 1.5 million individuals was compromised in a ransomware attack at Canada’s Alberta Dental Service Corporation (ADSC). The attack occurred last month, and according to ADSC, the attackers had access to its network for more than two months before deploying the ransomware. The compromised systems contained the personal and banking information of its users.
  • The New Haven Public Schools district in Connecticut disclosed losing more than $6 million in a BEC scam that took place in June. While more than $3.6 million of the stolen funds have been recovered so far, the FBI is working to understand the scope of the incident in order to recover the remaining amount.
  • The scraped data of 2.6 million Duolingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks. The data includes public login and real names, email addresses, and internal information related to the Duolingo service. This data was scraped using an exposed API that has been shared openly since at least March.
  • Danish cloud hosting services provider, CloudNordic, suffered a ransomware attack that paralyzed all of its systems, including websites, customer systems, and email systems. According to the firm, the attackers leveraged an existing dormant infection to encrypt all systems.

New Threats

Recent cybersecurity events are alarming, with evolving threats and notable new developments. Microsoft's identification of BlackCat ransomware 2.0, which incorporates the Impacket and Remcom tools, makes detection harder for defenders. Simultaneously, the Lazarus group's campaign against healthcare entities exploits ManageEngine vulnerabilities to distribute QuiteRAT, a malware akin to MagicRAT. Additionally, the TZW variant of Adhubllka ransomware has been targeting small entities and displays similarities to multiple ransomware families.

  • A new mobile malware called Infamous Chisel infected the Android devices of the Ukrainian military in a campaign launched by the Russian Sandworm APT group. The malware consists of components that provide the attackers with backdoor access to infected devices for network monitoring and file transfer operations.
  • Microsoft discovered a new version of the BlackCat ransomware (version 2.0) that includes the Impacket networking framework and the Remcom hacking tool to facilitate lateral movement for attackers in target environments. Adding these tools only makes it harder for defenders to detect the ransomware.
  • After a two-year hiatus, the DreamBus botnet resurfaced in a new campaign to deliver Monero mining malware. The campaign exploited a recently patched vulnerability (CVE-2023-33246) in Apache RocketMQ that allowed attackers to perform remote code execution attacks.
  • The Lazarus group was found to be associated with a new campaign against healthcare entities in Europe and the U.S. In this campaign, the attackers are exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to distribute the QuiteRAT malware. The malware has many capabilities similar to MagicRAT, another malware from the Lazarus group.
  • A new version of Adhubllka ransomware, dubbed TZW, has been launching attacks since 2019 with lower ransom demands aimed at small businesses and individuals. Studies conducted by researchers reveal that the ransomware shares similarities with the LOLKEK, BIT, OBZ, and U2K ransomware families.
  • According to researchers at Aquasec, the Meow attack campaign has been revamped to target misconfigured Jupyter notebooks. Interestingly, the attackers use Python scripts to target databases, an unusual modus operandi. While the infrastructure of the attackers is still under investigation, a total of 1,283 distinct IP addresses have been targeted by them.
  • A new version of the Rilide info-stealer is targeting Chromium-based web browsers to steal sensitive information and cryptocurrency from users. The updated version overlaps with a malware strain tracked as CookieGenesis, and includes modules targeting Chrome Extension Manifest V3 as well as code obfuscation.
  • A newly discovered RAT, QwixxRAT (aka TelegramRAT), was found being advertised on the Telegram and Discord platforms, boasting the ability to collect and exfiltrate a wide range of sensitive information. This includes data from browser histories, credit card details, FTP credentials, screenshots, and keystrokes. Written in C#, it includes clipper code to capture cryptocurrency wallet information.
  • Sophos revealed that a threat actor linked to the FIN8 hacking group is exploiting a critical vulnerability in Citrix NetScaler systems to launch domain-wide attacks. The vulnerability under abuse, in Citrix NetScaler ADC and NetScaler Gateway, is tracked as CVE-2023-3519 and can allow attackers to launch remote code execution attacks.
  • Cybercriminals behind Smoke Loader malware have been found dropping a new Wi-Fi scanning malware called Whiffy Recon. The malicious code locates the position of infected devices using nearby Wi-Fi access points, thus helping attackers carry out further attacks.
  • ESET Researchers observed a new phishing campaign, aimed at collecting Zimbra account users’ credentials. Active since April, the campaign was carried out via phishing emails notifying recipients about an email server update and deceiving them by redirecting them to a fake Zimbra web login page that steals their credentials.


Posted on: September 04, 2023

