Cyware Monthly Threat Intelligence, February 2023

The Good

• The Linux Foundation announced a new initiative called the Post-Quantum Cryptography Alliance, with industry partners like Google, IBM, Amazon Web Services, and Cisco. This initiative responds to the potential security threats posed by quantum computing, which could render current cryptographic practices insufficient.
• In a coordinated effort labeled Operation Cronos, law enforcement agencies across multiple countries arrested two LockBit ransomware operators, seized over 200 crypto wallets, and created a decryption tool to aid victims. The operation resulted in the takedown of 34 servers worldwide. Additionally, almost 1,000 decryption keys were retrieved.
• Google open-sourced Magika, an AI-powered tool for identifying file types to enhance digital security. Magika provides a 30% accuracy boost and up to 95% higher precision on VBA, JavaScript, and Powershell content. Google emphasizes the benefits of deploying AI at scale to strengthen digital security and shift the cybersecurity balance from attackers to defenders.
• The Biden administration issued an executive order to strengthen cybersecurity at U.S. port facilities and invest over $20 billion in port infrastructure to bring back manufacturing capacity. The U.S. Coast Guard will have the authority to respond to cyber activity in the marine transportation system. Minimum standards for port cybersecurity are also to be established to address the growing concerns about the stability of the global supply chain.

The Bad

• Pepco Group's Hungarian business was hit by a sophisticated phishing attack, resulting in a loss of approximately €15.5 million (~ $16.8 million). While efforts to recover the funds are underway, the incident does not involve customer, supplier, or employee data. Experts suggest the attack resembles the BEC scam tactic. The group is thoroughly reviewing its systems and processes to bolster security.
• The ALPHV/Blackcat ransomware gang claimed responsibility for recently breaching Fortune 500 companies Prudential Financial and loanDepot. loanDepot confirmed a data breach affecting 16.6 million individuals, while the impact on Prudential was still under assessment. ALPHV planned to sell loanDepot's stolen data and release Prudential's data for free.
• The outage at UnitedHealth's technology unit was also attributed to the Blackcat ransomware gang. The breach, targeting Change Healthcare's IT systems, disrupted pharmacies nationwide. More than 90% of the nation's 70,000+ pharmacies adopted electronic claim processing to counteract the Change Healthcare cybersecurity issue.
• The IntelBroker group compromised a Los Angeles International Airport, database, stealing the confidential data of private plane owners. The breach impacted 2.5 million records containing full names, CPA numbers, email addresses, company names, plane model numbers, and tail numbers. No customer or traveler data was affected. Criminals claimed they exploited a bug in the airport's CRM system.
• Ireland's Department of Foreign Affairs (DFA) refuted claims of a cyber breach by the new extortion group Mogilevich that listed the DFA as a target for data sale. The group allegedly is in possession of 7GB of compromised documents but provided no evidence. DFA collaborated with Ireland's NCSC to investigate, finding no breach.
• The notorious Akira ransomware group allegedly crippled the municipality of Bjuv in South Sweden, threatening to leak nearly 200GB of stolen data. The data trove included confidential documents and personal HR files. Despite the cyberattack claim, Bjuv Municipality's website remains operational, raising doubts about the authenticity of the threat.
• SEIU Local 1000, a major California union, confirmed network disruptions following a cyber incident. The LockBit ransomware group purportedly stole 308GB of sensitive data, including SSNs and financial documents. Despite disruptions, the union asserts continued advocacy for workers' rights amidst ongoing operations, emphasizing resilience against coordinated attacks.
• The DNSC announced that the Backmydata ransomware attack on the Hipocrate Information System impacted 26 hospitals across Romania. Another 74 hospitals connected to the system were cut off from the internet. The attackers demanded a 3.5 Bitcoin ransom and reportedly extracted confidential data, prompting hospitals to isolate impacted systems, save ransom notes, and investigate the point of entry.
• Security researchers uncovered a significant campaign of repository confusion attacks on GitHub, impacting over 100,000 repositories and potentially millions more. Attackers clone popular repositories, inject them with malware, and upload them on GitHub with identical names. The attack campaign would target developers by tricking them into downloading and using these malicious repositories.
• Cybercriminals utilized a stolen private key to mint and steal over $290 million in PLA tokens from the PlayDapp ecosystem, a blockchain-based platform facilitating NFT trading within games. Along similar lines, decentralized cryptocurrency exchange FixedFloat fell victim to a significant data breach resulting in the theft of approximately $26 million worth of BTC and ETH. 
• Nearly 33 million of France's population was impacted by a significant security breach at healthcare payment servicers Viamedis and Almerys. The breach, disclosed by CNIL, compromised data dates of birth, SSNs, and insurance details. Although banking and medical data remained untouched, the breach marks France's largest cybersecurity incident. Viamedis fell victim to a phishing attack targeting healthcare professionals, while Almerys' breach method remains undisclosed.
• Willis Lease Finance Corporation disclosed a cybersecurity incident after Black Basta listed it as a victim on its leak site. While the extent of data compromise is still under assessment, attackers claimed to have stolen 910GB of company data. Black Basta also attacked Hyundai Motor Europe and, allegedly, stole 3TB of corporate data.
• The Cactus ransomware group took responsibility for crippling Schneider Electric's network and stealing 1.5TB of data. As proof of its claims, the group leaked 25MB of stolen data on its dark web leak site, including snapshots of American citizens' passports and NDA document scans. The breach occurred on January 17th, targeting Schneider Electric's Sustainability Business division.

New Threats

• Mexican users have been lately bombarded with tax-themed phishing attacks distributing TimbreStealer, a sophisticated Windows malware. The threat actors use geofencing and other evasive techniques to avoid detection and target various sectors. The malware included checks to detect sandbox environments, embedded modules for decryption, and the ability to harvest a wide range of data.
• Bitdefender researchers uncovered a new variant of the AMOS Stealer, dubbed Atomic, targeting macOS systems. This variant combines features of information stealers, keyloggers, and cryptocurrency mining tools. It utilizes Python and AppleScript code to target browser files, system information, and crypto wallets. Bitdefender has provided Indicators of Compromise to aid in detection and mitigation efforts.
• WordPress plugin issues: A security vulnerability (CVE-2023-40000) was disclosed in the LiteSpeed Cache plugin for WordPress, allowing unauthenticated users to escalate privileges via a single HTTP request. Meanwhile, another critical security flaw (CVE-2024-1071) was reported in the popular WordPress plugin Ultimate Member, concerning over 200,000 active installations.
• An ad fraud campaign, dubbed ‘SubdoMailing,’ came to light that utilizes over 8,000 legitimate domains and 13,000 subdomains, to bypass security filters. It included the likes of major brands, such as MSN, VMware, and eBay, that criminals abuse to send millions of scam emails daily. By hijacking abandoned subdomains of trusted brands, threat actors launch fraudulent schemes via fake giveaways or surveys to trick users. The daily number of emails reaching targets exceeds 5,000,000.
• The hacking group UAC-0184 evolved its tactics, employing steganographic image files to distribute the Remcos RAT to a Ukrainian entity in Finland. The attack was initiated through carefully crafted phishing emails, utilizing a modular malware loader, named IDAT, that employs sophisticated evasion techniques, such as dynamic loading of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls.
• ASEC uncovered Nood RAT, a Gh0st RAT variant for Linux, being utilized in malware campaigns aiming to pilfer sensitive data from Linux servers. The RAT serves as a potent backdoor, enabling various malicious activities such as file downloads, system file theft, and command execution. The analysis laid bare the malware’s construction, including a builder program and encryption methods.
• Hackers target unpatched ConnectWise ScreenConnect software, exploiting critical vulnerabilities (CVE-2024-1709 and CVE-2024-1708) to deploy ransomware, info-stealers, and backdoors. Sophos observed ransomware payloads deployed across various sectors, including a U.S. local government 911 service. The Shadowserver Foundation identified over 8,200 vulnerable ScreenConnect instances, prompting urgent patching.
• Researchers uncovered a new banking trojan named Coyote. It is targeting at least 61 online banking applications, primarily in Brazil. Characterized by its sophisticated components and tactics, Coyote represents a significant evolution in Brazil's financial malware landscape. While currently focused on Brazil, its potential to expand globally warrants attention from security teams.
• Security researchers uncovered a campaign that utilizes cracked copies of popular macOS software to distribute the Activator macOS backdoor. The campaign stands out due to its scale, multistage payload delivery technique, and the threat actor's use of cracked macOS apps with titles likely to interest business users. The threat actor behind the backdoor employed as many as 70 unique cracked macOS applications to distribute the malware.
• Fortinet issued warnings regarding two critical vulnerabilities in FortiOS, including CVE-2024-21762 which is being actively exploited in the wild. This RCE flaw affects SSL VPN and can be exploited via specially crafted HTTP requests. Another flaw, CVE-2024-23113, poses a similar risk but is currently not being exploited. The firm then urged users to disable SSL VPN as a temporary fix.
• Proofpoint researchers revealed the resurgence of Bumblebee malware after a four-month hiatus, featuring a notably different attack strategy. The campaign, observed in February 2024, employs social engineering tactics, sending emails with OneDrive URLs posing as voicemail notifications. While the threat actor behind the new campaign remains unidentified, similarities in the tactics suggest potential ties to TA579 group activities.
• Avast researchers uncovered Lazarus APT exploiting a zero-day vulnerability (CVE-2024-21338) in Microsoft's appid.sys AppLocker driver. The flaw resides in the appid.sys driver's IOCTL dispatcher, central to AppLocker, allowing arbitrary code execution. Attackers can gain kernel-level access and disable security software. For instance, they use the FudModule rootkit to suspend PPL-protected processes such as Microsoft Defender.