Go to listing page

Cyware Monthly Threat Intelligence, February 2023

Cyware Monthly Threat Intelligence, February 2023

Share Blog Post

The Good 

Counterterrorism and confronting new challenges in cyberspace is the only way forward. In the wake of the newest offensive cyber operations and national security threats against the U.S. and its allies, the DoJ has introduced the Disruptive Technology Strike Force. With increasing attempts to compromise IoT devices, NIST has picked Ascon as the new cryptography standard for small IoT devices. Get ready to witness post-quantum cryptography guidance in the first, much anticipated National Cybersecurity Strategy from the White House Office of the National Cyber Director.

  • The DoJ launched a new Disruptive Technology Strike Force to address several national security threats. The force will consist of top experts and will use intelligence and data analytics to tackle nation-state-sponsored cyberattacks, supply chain attacks, and abuse of sensitive data. The force is also assigned with the job of providing early warnings of threats to critical assets.
  • Singapore and the European Union (EU) signed a partnership agreement to drive collaboration across multiple digital platforms. These include digital payments, trusted data flows, 5G, artificial intelligence (AI), and digital identities. The agreement also mentions improving and maintaining cybersecurity standards across these platforms.
  • The NIST selected the Ascon algorithm developed at Graz University as a cryptography standard for lightweight IoT protection. The algorithm has been selected from 57 proposals submitted in 2019. The agency will publish the full standard later this year, which applies to miniature technologies, such as medical implants or keyless car openers. 
  • The White House Office of the National Cyber Director confirmed it will include guidance on post-quantum cryptography in the upcoming National Cybersecurity Strategy to fortify digital networks. This will enable the government and private industries to better safeguard sensitive information, such as medical and personal data, against cyberattacks in the coming years.

The Bad

With organizations striving to detect, track, and take down phishing and malware attack attempts, the DDoS landscape also continues to evolve. Last month, security analysts took the wraps off of a DDoSaaS activity dubbed Passion, which may have an inimitable connection with Russian hacking groups. Meanwhile, Vice Society, which also happens to have a Russian connection, claimed two victims in the education sector in the U.S. and the U.K. Besides, there were several data breach incidents this month.

  • Web hosting giant GoDaddy disclosed that it was a victim of a multi-year security breach that started in May 2020. The same attackers stole the source code for Managed WordPress (MWP) in November 2021 and, later in December 2022, infected the cPanel hosting server with malware.
  • Lehigh Valley Health Network revealed that it suffered an attack by the BlackCat ransomware group. The unauthorized activity was detected on February 6 and involved a computer system used for patient images for radiation oncology treatment. The investigation to understand the full scope of the attack is underway.
  • A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen being used in attacks targeting medical institutions in the U.S. and Europe. Although its origins are unknown, the operation has distinctive ties with Russian hacking groups, such as Killnet, Mirai, Venom, and Anonymous Russia.
  • The Vice Society ransomware group claimed to have stolen sensitive data from the Guildford County School, the gang posted several files containing sensitive information belonging to teachers and students. U.S-based Mount Saint Mary College also disclosed a ransomware attack incident that it suffered from the same group.
  • A novel phishing attack, dubbed Screentime, was observed deploying a first-stage malware payload that infected over 1,000 organizations in the U.S. and Germany. The campaign was first observed in October 2022 and has been attributed to a new threat actor TA866. The malware used in the campaign were WasabiSeed, Screenshotter, AHK Bot, and Rhadamanthys Stealer. 
  • The Tallahassee Memorial HealthCare (TMH) hospital was forced to cancel all non-emergency surgeries and other medical procedures following a security incident that crippled its computer systems. The incident is believed to be yet another ransomware attack on the U.S. healthcare providers. 
  • Berkeley County Schools, West Virginia, was forced to temporarily cancel its daily classes and activities following a cyberattack. Law enforcement agencies were notified about the attack and the institution worked constantly to restore the affected IT systems, internet, and phone services. 
  • Unknown hackers stole internal data from the gaming giant Activision and published them on dark web forums. According to the firm, the hackers stole information, such as full names, email addresses, phone numbers, salaries, work addresses, and home addresses of employees. 
  • Indigo Books & Music, the largest bookstore chain in Canada, was hit by a ransomware attack that forced the chain to shut down its website. The incident compromised the current and former employees' data, including their credit card numbers.
  • A hacking crew called SiegedSec targeted Atlassian by gaining access to a third-party contractor’s systems and stole the personal data of more than 13,000 employees, along with floor plans for two of Atlassian’s offices. The exposed data included names, email addresses, work departments, and other information of employees.
  • Cutout, a popular AI image editing tool, suffered a data breach that exposed user images, usernames, and email addresses. An unsecured Elasticsearch database belonging to the tool included 9GB of user data with 22 million log entries. It also had information on the number of user credits, a virtual in-game currency, and links to Amazon S3 buckets.
  • German airport websites were hit by DDoS attacks once again. The alleged attack took place a day after an IT failure that caused cancellations and delays for thousands of passengers traveling via the country’s flag carrier Lufthansa. The investigations are underway.

New Threats

Given all the hype around ChatGPT, cybercriminals are not far from exploiting it for disruptive attacks. A case in point is cybercriminals abusing the platform through fake Windows desktop clients and bogus payment portals. Additionally, three ransomware groups, namely ESXiArgs, Royal Ransomware, and BlackBasta, were found crippling ESXi servers. Moving on, we have two BEC scammer groups baiting users in at least 13 languages, such as Norwegian, Polish, Portuguese, and Spanish.

  • A new variant of the LockBit ransomware, dubbed LockBit Green, is capable of targeting cloud-based services. The variant resembles Conti ransomware v3. It uses a random extension rather than the standard .lockbit extension and the ransom note is identical to the one used by the LockBit Black variant.
  • Researchers shared technical details of a new Sh1mmer exploit that could allow attackers to gain root-level access to ChromeOS. Expanded as Shady Hacking 1nstrument Makes Machine Enrollment Retreat, the exploit could be used to bypass administrator restrictions and unenroll enterprise-managed Chromebooks.
  • Researchers discovered multiple phishing pages related to OpenAI’s ChatGPT chatbot that pushed a variety of malware onto the victims’ systems. These websites were either disguised in the form of a legitimate tool such as ChatGPT Windows desktop client or promoted via Facebook. The malware distributed includes RedLine stealer and Lumma stealer.
  • Android users in Southeast Asia are being targeted in a campaign that is active since July 2022. The campaign distributes a banking trojan called TgToxic which is capable of stealing victims’ assets from banking applications, cryptocurrency wallets, and other financial apps. The victims are targeted via phishing emails and SMSes that carry malicious links.
  • Malwarebytes Labs detected a Magecart skimmer that not only acquires the victim's email, address, phone number, and credit card details but also records their IP address and browser user agent. The skimmer code uses iframes that are loaded when the checkout page is accessed.
  • Users of the GoAnywhere MFT software were warned of a zero-day remote code execution vulnerability that could allow malicious actors to target systems directly from the Internet. While there are no security patches available currently, users were asked to follow recommendations to prevent exploitation.
  • A new version of the Medusa botnet, based on Mirai code, has been spotted in the wild. It features a ransomware module and a Telnet brute-forcer, along with DDoS capabilities. The new version of Medusa features a data exfiltration tool, however, it does not steal user files before encryption.
  • A new ransomware named ESXiArgs and the Royal Ransomware’s Linux variant was found actively targeting a two-year-old RCE vulnerability in VMware ESXi servers. Additionally, BlackBasta ransomware operators were blamed for multiple attacks that involved the exploitation of vulnerable ESXi servers. 
  • Chinese threat actor 8220 Gang has been found consistently change its C2 IP addresses to exploit Linux and cloud app vulnerabilities to expand its botnet and cryptomining attacks. The gang was also found using the ‘onacroner’ script, something that has been previously used by the Rocke cryptomining group.
  • The North Korean state-sponsored hacking group APT37, also known as RedEyes or ScarCruft, has recently added a new evasive malware, dubbed M2RAT, to its arsenal. The group is using the malware in conjunction with a steganography technique to target specific individuals and steal personal PC information and mobile phone data.
  • Two groups, identified as Midnight Hedgehog and Manadarin Capybara, were found impersonating executives to launch BEC attacks worldwide. While the first group is engaged in payment fraud, Mandarin Capybara executes payroll diversion attacks. Both groups have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, and Spanish.
  • A new threat cluster tracked as WIP26 relies heavily on public cloud infrastructure to target telecommunication providers in the Middle East. It also used the backdoors, dubbed CMD365 and CMDEmber, to abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.
  • A new version of Hardbit ransomware has been found asking for details on cyber insurance policies from victims as part of the negotiation process. This is a unique trick adopted by the operators so that their ransom demands are covered by the victim’s insurance company, without the involvement of intermediaries.
  • A new malware, dubbed S1deloaded Stealer, has been found leveraging the DLL sideloading tactic in an ongoing attack campaign to evade detection. The campaign targets YouTube and Facebook users, infecting their computers and hijacking their social media accounts to mine cryptocurrency. More than 600 devices have been targeted in the campaign.
  • A previously unseen threat group, dubbed Hydrochasma, was found targeting medical labs and shipping companies in Asia. The activity has been ongoing since October 2022 and primarily relies on phishing emails. The tools deployed by the threat actors indicate a desire to achieve persistent and stealthy access to victim machines.

 Tags

ascon
goanywhere mft
medusa botnet
lockbit green
hardbit
esxiargs
sh1mmer exploit
hydrochasma
chatgpt
wip26
s1deloaded stealer
activision
disruptive technology strike force
cutout
screentime campaign
german airports
apt37
vice society ransomware
8220 gang
tgtoxic

Posted on: March 02, 2023


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite