
Cyware Monthly Threat Intelligence

Monthly Threat Briefing Sep 2, 2024

The Good

In a series of proactive measures aimed at bolstering global cybersecurity resilience, significant strides were made in the education and law enforcement sectors to safeguard critical systems against evolving threats. The NASA Katherine Johnson IV&V Facility broadened its focus to include cybersecurity services and education in response to increasing cyber threats against NASA missions. Meanwhile, more than a dozen global cybersecurity agencies released new guidance to establish baseline standards for logging and threat detection, addressing threats from adversaries using living-off-the-land techniques. In another significant move, NIST formalized the world’s first post-quantum cryptography standards to protect against future quantum computing threats. Moreover, the FBI, in collaboration with law enforcement agencies in the U.K. and Germany, dismantled the Radar/Dispossessor ransomware group, which targeted small and mid-sized businesses across the U.S. and Europe.

  • The NASA Katherine Johnson IV&V Facility expanded its focus to include cybersecurity services and education, in response to the growing concern of cybersecurity threats to NASA missions. The facility has integrated cybersecurity expertise into its traditional role of examining software for glitches and failures, aiming to identify and manage cyber risks that could impact mission diversity. Efforts also include educational outreach and workforce development, such as internships and community outreach, to cultivate a cybersecurity-savvy next generation of workers.

  • Over a dozen global cyber authorities endorsed new guidance to establish baseline standards for logging and threat detection, addressing the rising threat from adversaries using living-off-the-land techniques. The guidance emphasizes enhanced cybersecurity monitoring to detect critical software changes, potentially mitigating incidents like the SolarWinds attack and the Colonial Pipeline hack. Released by organizations including the ACSC and the CISA, it urges logging of all control plane operations and recommends capturing administrative changes and authentication events.

  • The NCSC launched a new Cyber Resilience Audit aimed at helping organizations assess their resilience against cyber threats. This audit will provide organizations with a structured approach to evaluate their cybersecurity practices and identify areas for improvement. The initiative is part of the NCSC's ongoing efforts to enhance the UK's overall cyber resilience and support businesses in safeguarding their operations against increasing cyber risks.

  • Funding has been announced for a new cybersecurity pilot project aimed at social care providers in the North East and Yorkshire. The project, a collaboration between the North East Business Resilience Centre and NHS England, will provide free cyber services and training to help tackle cyber threats in the social care sector. The initiative is crucial in light of the high incidence of cyber security breaches reported by businesses and charities.

  • NIST formalized the world's first post-quantum cryptography standards to protect systems and data from future quantum threats. The new NIST standards aim to help organizations transition to quantum-secure encryption before quantum computers capable of breaking current encryption become available. Three post-quantum cryptography standards have been finalized by NIST after public consultation. These include a key-encapsulation mechanism standard, a lattice-based digital signature standard, and a stateless hash-based digital signature standard. These standards contain the computer code for the encryption algorithms and instructions for implementation on various devices.

  • The FBI announced the dismantling of the Radar/Dispossessor ransomware operation, which targeted small to mid-sized businesses and organizations across the U.S., Europe, and other regions. The group, possibly formed by former LockBit affiliates, used similar tactics and infrastructure. Law enforcement agencies in the U.S., the U.K., and Germany collaborated to take down servers and domains associated with the group.

The Bad

This month’s threat landscape revealed alarming trends, with state-sponsored and organized cybercriminal groups continuing to wreak havoc across various sectors. The CISA, FBI, and DC3 identified Pioneer Kitten, an Iranian state-linked hacking group, as a key player behind several breaches in the U.S. and other countries. Meanwhile, Securonix uncovered SLOW#TEMPEST, a sophisticated campaign targeting Chinese-speaking users with Cobalt Strike payloads delivered through phishing emails. Additionally, the North Korean BeaverTail malware campaign has evolved, with the Lazarus group introducing a native macOS version disguised as legitimate software, alongside weaponized Windows games targeting job seekers. In another concerning development, the Qilin ransomware group targeted network endpoints by exploiting credentials stored in Google Chrome browsers.

  • The CISA, the FBI, and the DC3 identified an Iranian hacking group, Pioneer Kitten, as being responsible for breaching organizations in the U.S. and other countries. This group, connected to the government of Iran, has been enabling ransomware attacks and collaborating with affiliate actors to extort victims. Some of the ransomware affiliates include NoEscape, BlackCat, and RansomHouse. They have targeted various sectors including education, finance, healthcare, and defense.

  • Securonix discovered a sophisticated campaign, named SLOW#TEMPEST, targeting Chinese-speaking users with Cobalt Strike payloads delivered through phishing emails. The attackers were able to evade detection for over two weeks by using malicious ZIP files, DLL hijacking, and Cobalt Strike implants. They established persistence, escalated privileges, moved laterally, and engaged in extensive post-exploitation activities, including network reconnaissance, credential harvesting, and running various tools. The attackers also demonstrated operational security failures, providing insights into their infrastructure.

  • The Razr ransomware is utilizing the PythonAnywhere cloud platform to distribute and encrypt files using the AES-256 algorithm. ANY.RUN's analysis uncovered the ransomware's behavior, communication with a C2 server, and ransom demands sent via Tor. The ransomware begins by generating a unique machine ID, encryption key, and IV, which are then sent to the C2 server.

  • A pro-Russian hacker group called Vermin is using fake information about Ukraine's offensive in Kursk to spread malware. The hackers are believed to be linked to the Luhansk People’s Republic and are suspected of acting on behalf of the Kremlin. CERT-UA reported that the group has deployed two types of malware, including Spectr spyware and a new strain called Firmachagent. Spectr can capture screenshots of a victim's screen every 10 seconds, copy files with specific extensions, and extract data from messengers and web browsers. The stolen data is then uploaded to the hackers' server using Firmachagent malware.

  • The BeaverTail malware campaign, originating from North Korea, has evolved to target job seekers and now includes a native macOS version disguised as legitimate software. The malware is designed to steal confidential information, including browser data and cryptocurrency wallets, and has expanded its reach to Windows users through weaponized games. The Lazarus group has shown adaptability by developing different versions of BeaverTail for various operating systems and using sophisticated techniques to target victims.

  • The Qilin ransomware group targeted a network's endpoints, stealing credentials stored in Google Chrome browsers. They gained access through compromised credentials and used a logon GPO to execute scripts that harvested credentials on user devices. The stolen credentials were exfiltrated, event logs were cleared, and files were encrypted with a ransom note left behind. The attack exploited the widespread use of Chrome and required defenders to change all Active Directory passwords.
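As an added defender-side illustration (this is not code from the original briefing or from any vendor report), the following Python script correlates the three stages the Qilin bullet describes on constructed sample events: a logon GPO script running on an endpoint, access to Chrome's credential store, and the Security log being cleared. It assumes Windows Security event IDs 4688 (process creation), 4663 (object access, which needs a SACL on the Chrome profile) and 1102 (audit log cleared); the hostnames, paths and script name are constructed placeholders.

```python
"""Correlate Qilin-style logon-GPO credential harvesting on sample Windows events.
Sample data is constructed for this example, not real telemetry."""
from collections import defaultdict

# Constructed records: (host, sequence, event_id, detail). WS01 shows the full chain
# described in the briefing; WS02 only shows a benign logon GPO followed by Chrome starting.
SAMPLE_EVENTS = [
    ("WS01", 1, 4688, r"C:\Windows\System32\gpscript.exe /logon"),
    ("WS01", 2, 4688, r"powershell.exe -ep bypass \\dc01\SYSVOL\corp\scripts\logon_script.ps1"),
    ("WS01", 3, 4663, r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("WS01", 4, 1102, "The audit log was cleared"),
    ("WS02", 1, 4688, r"C:\Windows\System32\gpscript.exe /logon"),
    ("WS02", 2, 4688, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]

# Ordered stages of the chain; an alert fires when enough of them appear on one host.
CHAIN = ("gpo_logon_script", "sysvol_script", "chrome_login_data", "log_cleared")


def classify(event_id, detail):
    """Map one event to a chain stage, or None if it is not relevant."""
    d = detail.lower()
    if event_id == 4688 and "gpscript.exe" in d:
        return "gpo_logon_script"          # logon GPO processing started
    if event_id == 4688 and "\\sysvol\\" in d:
        return "sysvol_script"             # script pulled from SYSVOL by the GPO
    if event_id == 4663 and d.endswith("\\login data"):
        return "chrome_login_data"         # Chrome's saved-credential database touched
    if event_id == 1102:
        return "log_cleared"               # anti-forensics: Security log wiped
    return None


def correlate(events):
    """Return, per host, the chain stages observed, in CHAIN order."""
    stages = defaultdict(set)
    for host, _seq, eid, detail in sorted(events, key=lambda e: (e[0], e[1])):
        stage = classify(eid, detail)
        if stage:
            stages[host].add(stage)
    return {h: tuple(s for s in CHAIN if s in seen) for h, seen in stages.items()}


def alerts(events, min_stages=3):
    """Hosts where at least min_stages of the chain were seen (threshold is a tuning choice)."""
    return sorted(h for h, seen in correlate(events).items() if len(seen) >= min_stages)


if __name__ == "__main__":
    for host, seen in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(seen) or "(nothing relevant)")
    print("alerting hosts:", alerts(SAMPLE_EVENTS))
```

A single logon GPO event is normal in any domain, which is why the script only alerts on the combination; in production the same logic would also want the GPO change itself (who edited the policy and when) as a fourth signal.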

  • Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, the Middle East, and Africa. Countries like Italy, Germany, the UAE, and Qatar are targeted, with suspected activity in Georgia and Romania. The attackers use IIS servers as entry points, deploying advanced tools like the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. The latest backdoor, SneakCross, utilizes Google services for command-and-control. Post-exploitation, Earth Baku uses tools like IOx, Rakshasa, Tailscale, and MEGAcmd for persistence and data exfiltration.

New Threats

The emergence of sophisticated attack vectors and malware platforms emphasizes the continually evolving nature of cyber threats. Trend Micro discovered a new attack vector exploiting the Atlassian Confluence vulnerability CVE-2023-22527, using a fileless backdoor known as the Godzilla webshell. Meanwhile, the Iranian APT33 group, also known as Peach Sandstorm or Refined Kitten, launched new attacks using Tickler malware to backdoor networks in the U.S. and the UAE, focusing on the government, defense, satellite, and oil and gas sectors. In other news, Sophos analysts identified a new tool called EDRKillShifter, designed to disable endpoint protection software during ransomware attacks. In addition, a new Ransomware-as-a-Service (RaaS) platform called DeathGrip has surfaced on underground forums, offering aspiring threat actors advanced ransomware tools.

  • Trend Micro revealed a new attack vector targeting the Atlassian Confluence vulnerability CVE-2023-22527, using an in-memory fileless backdoor known as the Godzilla webshell. This Chinese-developed backdoor employs AES encryption to avoid detection and enables remote code execution on compromised servers. The attackers exploit the vulnerability by executing malicious JavaScript code and dynamically loading and defining classes in memory.

  • The APT33 Iranian hacking group, aka Peach Sandstorm and Refined Kitten, used the new Tickler malware to backdoor the networks of organizations in the U.S. and UAE. The attackers particularly targeted the government, defense, satellite, and oil and gas sectors. They leveraged Microsoft Azure infrastructure for C2, using compromised user accounts in the education sector to host their infrastructure. Microsoft observed consistent password spray attacks across sectors and warned of extensive breaches in defense, satellite, and pharmaceutical sectors since February 2023.

  • A phishing campaign has been targeting users downloading VPN applications for Windows, Linux, and macOS. The threat actors created a phishing site impersonating a legitimate VPN service called WarpVPN and distributed distinct stealer binaries for each operating system. They used a Telegram channel with over 54,000 subscribers to distribute Cheana Stealer. The campaign involves detailed installation instructions for each platform, with the stealer targeting sensitive data such as cryptocurrency-related browser extensions, crypto wallets, and stored browser passwords.

  • Researchers observed the emergence of a new threat called Cthulhu Stealer. This malware targets macOS users by disguising itself as legitimate software, prompting users to enter their passwords and MetaMask credentials, and then stealing sensitive information such as cryptocurrency wallets and game account details. The functionality of Cthulhu Stealer is similar to another macOS malware called Atomic Stealer, indicating that the code may have been modified from the latter.

  • Cisco Talos identified a new RAT family called MoonPeak, which is based on the XenoRAT malware and is actively being developed by a North Korean threat actor known as UAT-5394. The MoonPeak malware has been evolving gradually, with each new variant introducing changes to make detection more difficult and prevent unauthorized connections to the C2 server. The threat actors have made modifications to the source code of XenoRAT, upon which MoonPeak is based, to ensure compatibility with their infrastructure and prevent rogue implants from connecting.

  • Mandiant warned of a new threat known as "WireServing" enabling attackers to launch TLS bootstrap attacks against Azure Kubernetes Services (AKS). By exploiting weaknesses in how AKS clusters handled TLS bootstrap tokens, attackers could download configuration files containing credentials to escalate privileges and access sensitive information. Microsoft promptly addressed the issue by updating AKS clusters to prevent unauthorized access to TLS bootstrap tokens.

  • Sophos analysts discovered a new tool called EDRKillShifter being used by cybercriminals in an attempted ransomware attack. This tool is designed to disable endpoint protection software and is delivered through a multi-step process. It is used to deploy various EDR killer variants that exploit vulnerable drivers to disable endpoint security. The attackers may have acquired the loader tool from the dark net, and the final payloads are developed separately.

  • A new Ransomware-as-a-Service (RaaS) called DeathGrip appeared in the ransomware landscape. It is being promoted on underground forums and offers aspiring threat actors sophisticated ransomware tools. The emergence of DeathGrip ransomware highlights the evolving threat landscape, emphasizing the importance of robust cybersecurity measures to safeguard against ransomware attacks.

  • A new cyber threat called Banshee Stealer targets macOS systems, posing a significant risk to users. This malicious software can extract sensitive information like passwords from Keychain, system data, and browser details. It also targets cryptocurrency wallets and plugins, making it a comprehensive tool for cybercriminals.

  • Researchers identified a new RAT named SharpRhino during a recent ransomware incident. This malware was used by the Hunters International threat group to gain remote access to devices and progress the attack. SharpRhino is delivered through a typosquatting domain impersonating a legitimate tool, Angry IP Scanner, and uses the C# programming language. The malware can obtain high levels of permissions on devices to ensure minimal disruption during the attack.

  • A new ransomware called CryptoKat surfaced on the dark web, featuring state-of-the-art encryption using AES, fast encryption speed, unique executable files, and operating silently without Windows pop-ups. It also utilizes Fear, Uncertainty, and Doubt tactics on Windows 11 to maximize impact. Of particular concern is that the decryption key is not stored on the victim's machine. This forces victims to pay the ransom in hopes of recovering their data.

  • Researchers from the Graz University of Technology discovered a new Linux kernel cross-cache attack called SLUBStick, with a 99% success rate in exploiting heap vulnerabilities to gain arbitrary memory read-and-write capabilities. The attack works on both 32-bit and 64-bit systems and was demonstrated on Linux kernel versions 5.9 and 6.2, bypassing modern kernel defenses such as SMEP, SMAP, and KASLR.
