Cyware Monthly Threat Intelligence, February 2022

The Good

• Researchers from JPMorgan Chase, Ciena, and Toshiba developed a unique QKD network for metropolitans, which is resistant to quantum computing attacks. The QKD network sustains encryption of 800Gbps under real-world conditions and can rapidly identify and defend against quantum computing threats.
• Singapore government announced plans to design a quantum-safe network to display crypto-agile connectivity and encourage trials with private and public firms. The initiative is driven by the Quantum Engineering Program (QEP) and includes a quantum security lab for vulnerability research. The project is supported by the National Research Foundation, along with 15 partners from both the public and private sectors. The three-year program aims to conduct an extensive analysis of security systems and design guidelines to support organizations adopting quantum-safe technologies.
• New York City established a centralized cybersecurity hub to aid state officers in times of a cyber crisis. The Joint Security Operations Center consists of experts from state and federal law enforcement agencies, NYC3, and representatives from the country and local governments.
• The DHS announced the creation of a new Cyber Safety Review Board to gather all security experts from private and public sectors to review and analyze cybersecurity incidents. This board comes as a part of the executive order signed by the U.S. President last year. The board’s first task would focus on Log4j vulnerabilities.
• In the light of rising sophisticated cyberattacks targeting critical infrastructure throughout 2021, cybersecurity agencies from Australia, the U.K, and the U.S. released a joint advisory that offers trends and behaviors of criminals while also underlining recommendations for mitigation.

The Bad

• The Russia-Ukraine crisis spilled into the cyber domain as multiple Ukrainian government sites and two of the country’s largest banks were once again hit with a wave of DDoS attacks. In response, multiple Russian government websites also experienced DDoS attacks. Furthermore, a new data wiper malware, dubbed HermeticWiper, was found targeting financial organizations and government contractors in Ukraine.
• A vulnerability in the Wormhole cryptocurrency platform allowed a threat actor to steal an estimated $322 million worth of Ether cryptocurrency. The attackers exploited the ‘smart contracts’ feature on the platform to hack the portal.
• A statement released by the CISA last month revealed that Russian state-sponsored operatives have been targeting the U.S. cleared defense contractor networks to obtain sensitive information. Some of these attacks have been ongoing for at least six months. According to the agency, threat actors are using tactics such as spear-phishing and brute-force attacks to breach networks.
• The BlackCat ransomware group was held responsible for the recent cyberattacks on two German oil companies. This ultimately affected hundreds of gas stations across northern Germany. The firms took immediate actions as part of their contingency plans. Meanwhile, the ransomware gang has confirmed that they are former members of the notorious BlackMatter/DarkSide ransomware. 
• A targeted spear-phishing campaign called Operation EmailThief exploited an XSS zero-day vulnerability in Zimbra to target several government and media organizations in Europe. Launched by a threat actor named TEMP_Heretic, the campaign was executed in December 2021 in two phases. The initial phase aimed at reconnaissance and leveraged specially designed phishing emails.
• More than 500 online stores running the outdated Magento 1 platform were compromised in a large-scale digital skimming attack. Researchers indicate that nearly 19 backdoors were deployed on compromised systems. All of these websites were compromised by exploiting a known vulnerability in the Quickview plugin.
• The U.K Foreign Office was the target of a serious cybersecurity incident. According to media reports, attackers infiltrated Foreign Commonwealth and Development Office (FCDO) systems. Nevertheless, not many details were available about the attack, and BAE Systems Applied Intelligence was called for urgent remediation.
• A low-lying threat actor tracked as TA2541 was spotted targeting entities in the aviation sector since 2017. The attacker used off-the-shelf malware and relied on malicious Microsoft Word documents to deliver trojans such as AsyncRAT, NetWire, WSH RAT, and Parallax. Most of the themes included transportation-related terms, such as flight, aircraft, fuel, yacht, charter, etc.
• New South Wales Premier Dominic Perrottet has admitted a data leak due to a misconfigured NSW government website. This affected more than 500,000 addresses, including defense sites, a missile maintenance unit, and domestic violence shelters, among others.
• The San Francisco 49ers NFL team confirmed a ransomware attack that encrypted the files on its corporate IT network. The attack is the work of the BlackByte ransomware gang which also claimed responsibility by leaking some stolen files on its site. The firm added that it has taken mitigation steps to contain the attack and has also informed the law enforcement agencies.
• A hack on the OpenSea platform affected its 32 users. This caused a loss of 254 tokens, which amounted to nearly $1.7 million. While the attack is no longer active, it is believed that the affected users might have signed a malicious payload sent by the attack. The attack vector is still unknown.
• A new attack campaign targeted publicly-exposed, unpatched Microsoft SQL servers. The attackers scanned port 1433 to check for vulnerable servers to launch brute force or dictionary attacks to gain access to system admin accounts. Consequently, the attackers would also deploy Cobalt Strike beacons on targeted hosts.

New Threats

• Microsoft warned about a new class of threats, named ice phishing, affecting Web3 and blockchain networks. Ice phishing involves luring a user into signing an agreement that assigns the user’s tokens to the malicious actor. It completely ignores private keys. The transaction requires interaction with DeFi smart contracts for a token swap to occur.
• A new backdoor, dubbed Marlin, was associated with a long-running espionage campaign named Out to Sea that started in April 2018. The malware is a new addition to the arsenal of OilRig aka APT34 threat actor group. Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.
• A newly unearthed Goland-based Kraken botnet is under active development, claimed researchers. The botnet features an array of backdoor capabilities to pilfer sensitive information from compromised Windows hosts. It makes use of SmokeLoader to spread quickly, gaining control over hundreds of devices each time.
• A new phishing email attack campaign was found distributing the Emotet trojan. The campaign leveraged stolen email threads to bypass security systems. It included a zip file that resulted in the execution of Excel 4.0 macros.
• Hackers distributed a new version of CryptBot infostealer via pirated software sites that offered free downloads for games and pro-grade software. The operators behind the malware were leveraging SEO poisoning tactics to increase the visibility of these sites. The malware is capable of stealing browser credentials, cookies, browser history, cryptocurrency wallets, and credit card details.
• Researchers at Positive Security built an Apple Airtag clone that is able to bypass anti-stalking protection features while running on Apple's Find My protocol. The cloned Airtags could be used to successfully track iPhone users without triggering a tracking notification.
• In a significant revelation, researchers found that numerous Windows machines located in South Korea were targeted by the PseudoManuscrypt botnet since at least May 2021. The botnet employs the same tactics as CryptBot and is distributed in the form of an installer or via cracked software.
• New Mars Stealer malware was discovered in the wild. Researchers surmise it to be a redesign of the Oski malware that shut down development abruptly in 2020. Mars Stealer can steal data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
• Researchers observed a new StrifeWater RAT being used by the Moses APT group. The RAT comes with multiple evasion and screen capturing capabilities. The malware can also create persistence, download additional extensions, and execute system commands.
• A Chinese threat actor group tracked as Antlion was seen using a new custom backdoor called xPack to target organizations in the financial and manufacturing sectors. The campaign has been active for over 18 months and the backdoor allows attackers to run WMI commands remotely. The ultimate goal of the campaign is to exfiltrate data from infected networks.
• Researchers tracked down a new campaign that exploits the Log4j vulnerability. The campaign is linked with the Iran-based TunnelVision APT group and is being used to deploy ransomware on machines running vulnerable VMware Horizon instances.
• A new wave of attack campaigns from the Kimsuky hacking group has been delivering a custom backdoor malware, dubbed Gold Dragon. The malware is a second-stage backdoor that establishes persistence on the victim’s system. Furthermore, it helps the attackers install the xRAT tool to manually steal sensitive data from the targeted system.
• Siemens released nine advisories to address 27 new flaws in its SIMATIC products. The vulnerabilities, if exploited, could allow the attackers to remotely launch DoS attacks against several Siemens PLCs and related products.