Cyware Monthly Threat Intelligence, December 2023

The Good

• Increasingly prevalent data privacy threats have prompted the Federal Communications Commission's Privacy and Data Protection Task Force to partner with attorneys general of New York, Connecticut, Pennsylvania, and Illinois in consolidating resources crucial in bolstering investigations and enforcement actions on various threats. These resources also include information related to SIM swapping scams, port-out frauds, and data breaches.
• MITRE unveiled a novel threat model framework named EMB3D to help government agencies and private organizations safeguard their OT and ICS. It offers a knowledge base on cyber threats to embedded devices, enabling users to map these threats with vulnerabilities using frameworks like CWE, CVE, and MITRE ATT&CK. The framework suggests mitigations, emphasizing technical mechanisms for device vendors to implement against specific threats. It is set for public release in early 2024.
• The NSA, the ODNI, the CISA, and industry partners released a joint advisory to bolster the security against software supply chain attacks. The guidance primarily covers how to manage and maintain SBOMs, open-source software. Additionally, it provides details on things to consider when adopting open-source software and distribution of approved software components using an SBOM.
• NASA released its first Space Security Best Practices Guide, a 57-page document aimed at improving cybersecurity for future space missions. The guide leverages security controls outlined in the NIST’s Special Publication 800-53 and serves as a translation guide between NIST verbiage and NASA flight project language. It aims to enhance cybersecurity not only for NASA's missions but also for its international partners and the growing space industry. The guide provides principles applicable to various organizations and space missions, addressing risks such as cyberattacks on ground systems, communications jamming, and spoofing attempts.

The Bad

• The Ohio Lottery faced a cyberattack on Christmas Eve, leading to the shutdown of some key systems. While the gaming system remained operational, certain services, such as mobile cashing, prize cashing above $599 at Super Retailers, and the display of winning numbers for KENO, Lucky One, and EZPLAY Progressive Jackpots, were affected. Again, DragonForce has claimed responsibility for the attack, stating they stole data worth over 600GB.
• Yakult Australia, the manufacturer of a popular probiotic milk drink, fell victim to a cyber incident, allegedly by the DragonForce group. The group claimed to have pilfered 95GB of data belonging to the company. The leaked data includes company databases, contracts, passports, and other sensitive information. The company's IT systems in both Australia and New Zealand were affected, but operations remain open.
• LoanCare, a subsidiary of Fidelity National Financial (FNF), has reported a data breach to state regulators following a cyberattack in November. The breach, claimed by the ALPHV/Blackcat ransomware gang, resulted in unauthorized access to FNF’s IT network. The hackers were able to obtain personal information, including names, addresses, social security numbers, and loan numbers of 1,316,938 individuals.
• Iran confirmed a nationwide cyberattack that disrupted the operations of 70% of gas stations. An Israel-linked hacking group called Predatroy Sparrow claimed responsibility for the attacks while adding that it breached the central servers of gas stations, gaining access to specific station information, payment system details, and management systems.  
• An unprotected database with a size of 1.16 TB, leaked the real estate records of several people, including major celebrities. The database belonged to Real Estate Wealth Network and contained 1.5 billion records spanning from April 2022 to October 2023.  It is unclear how long the database was exposed or who else may have accessed the data but researchers reported that user names, phone numbers, emails, and device information were among the leaked data. 
• A passwordless MongoDB database belonging to Goyzer was found leaking details of around 690,000 customers before it was secured. The exposed details included names, email addresses, phone numbers, and scanned copies of receipts, checks, contracts, and IDs. According to security researchers, the specific database was populated with data about customers from Dubai.
• A ransomware attack on cold storage giant Americold affected nearly 130,000 people, including the information of current and former employees. Investigation revealed that details like names, addresses, Social Security numbers, passport numbers, financial information, and medical information were compromised in the incident. 
• Kentucky-based Norton Healthcare confirmed that attackers stole around 2.5 million users’ data in the May ransomware attack. The data included driver’s licenses, government ID numbers, financial information, and digital signatures of people. Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries were also impacted by the incident. 
• Healthcare device manufacturer LivaNova PLC fell victim to the LockBit ransomware group. The attack, detected on December 9 allegedly exposed a substantial 2.2TB of sensitive data, including product specifications, employee information, financial documents, and more. The threat actor has uploaded the stolen data on its leak site and set a deadline for its potential public release.
• A hacker group, which goes by the name of Malek Team, leaked 500GB of data, including 70,000 documents, stolen from Ziv Medical Center. The data was leaked on a Telegram channel and dates back to 2022 and contains personal and medical information of patients and Israeli soldiers. Meanwhile, the investigation is ongoing to determine whether an information leak occurred. 
• The notorious Akira ransomware group added two organizations—Compass Group Italia and Aqualectra Utility—to its list of victims. While the group obtained a staggering 107GB of sensitive data from Compass group, a plethora of payment records, and business documents were stolen from the utility provider.
• Andariel, linked to the Lazarus APT, was accused of stealing anti-aircraft system data from South Korean companies connected to the defense industry. According to Seoul Investigators, the attackers specifically targeted defense companies as well as research institutes and pharmaceutical companies and stole 1.2TB of data in attacks.

New Threats

• The North Korean group Kimsuky has been observed using spear-phishing attacks to deliver various backdoors and tools, including AppleSeed, Meterpreter, and TinyNuke, to compromise targeted machines. Cybersecurity firm AhnLab attributed the activity to Kimsuky. The group's espionage campaigns involve spear-phishing attacks with malicious lure documents that deploy different malware families, with a notable Windows-based backdoor being AppleSeed.
• Cybercriminals breached the fan expansion "Downfall" for the game Slay the Spire, distributing the Epsilon information stealer malware through the Steam update system. The compromised package was a standalone modified version, not a mod installed via Steam Workshop. The attackers compromised one of the developers' Steam and Discord accounts, allowing them to control the mod's Steam account. The malware collects cookies, saved passwords, credit card details, and more from browsers, as well as Steam and Discord information.
• According to cybersecurity firm NCC Group, Carbanak, a notorious banking malware, has evolved to incorporate ransomware attacks with updated tactics. In recent attacks observed in November 2023, Carbanak was distributed through compromised websites, impersonating various business-related software such as HubSpot, Veeam, and Xero. The malware, initially known for banking fraud, has been utilized by the FIN7 cybercrime syndicate. 
• ESET Research discovered 116 malicious packages on the PyPI repository. These packages infected both Windows and Linux systems and were used to deliver either a W4SP stealer variant or a clipboard monitor designed to steal cryptocurrency. In some cases, a backdoor was delivered in the final stage to execute arbitrary commands, exfiltrate data, and take screenshots. These packages were downloaded over 10,000 times.
• An attack campaign, associated with the Fancy Bear, was observed using lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace. The campaign targeted critical infrastructure organizations across Hungary, Turkey, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania. The infection chain exploited a WinRAR flaw called CVE-2023-38831 to propagate the backdoor. 
• Researchers linked a sophisticated botnet, tracked as KV-Botnet, to the China-linked Volt Typhoon threat actor. The botnet is designed to target SOHO devices and VPN devices, some of which have reached End-of-Life. The botnet has been active since at least 2022 and, based on its target scope, it is believed that attackers are using it for espionage and information gathering. 
• A month after the patches were made available by Netgate, around 1,459 pfSense instances were found vulnerable to command injection and cross-site scripting flaws, allowing attackers to perform remote code execution on the appliance. The flaws were tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection).
• The Shadowserver Foundation observed a spike in the number of devices hacked via recently patched Cisco IOS vulnerabilities. As part of the attacks, threat actors exploited the flaws (CVE-2023-20198 and CVE-2023-20273) to create high-privileged accounts and deploy and Lua-based backdoor implant to take over 23,000 vulnerable devices, mainly in Mexico and Chile. 
• Security researchers discovered the Krasue RAT that has been targeting the Linux systems of telecommunications companies since 2021. The malware is based on code from three open-source projects (Diamorphine, Suterusu, and Rooty) and includes seven variants of a rootkit that supports multiple Linux kernel versions. It is believed either to be deployed through a botnet or sold by initial access brokers. Research highlights that the attacks are limited to telecommunications companies in Thailand. 
• Over 15,000 Go module repositories on GitHub were found to be vulnerable to repojacking, a supply chain attack that exploits changes in GitHub usernames and account deletions. Out of these, over 9,000 repositories were at risk due to GitHub username changes, while more than 6,000 were vulnerable due to account deletions. This issue particularly affected Go modules as they are decentralized, allowing attackers to register unused usernames, duplicate module repositories, and publish malicious modules.
• Cado Security spotted a new version of the P2PInfect botnet targeting MIPS-based devices, including routers, and IoT devices. The new variant includes several evasion mechanisms, such as debugger detection, anti-forensics on Linux hosts, and VM detection methods for embedded payloads, to make it more difficult for researchers to analyze. It is believed to be propagated via vulnerable SSH servers. 
• FortiGuard Labs identified an email phishing campaign that leveraged deceptive booking information to distribute a Python-based information stealer named MrAnon Stealer. The email masqueraded as a company looking to reserve hotel rooms and tricked victims into opening a malicious PDF file to learn more about booking details. The malware is designed to steal its victims' credentials, system information, browser sessions, and cryptocurrency extensions.