Cyware Monthly Threat Intelligence, January 2023

The Good

Thinking about satellite operations without paying attention to the cyber resilience of ground networks is like sending an open invitation to cyber threats. NIST released the final version of its cybersecurity framework guidance for the ground segment of space operations. Cyberattacks on K-12 schools have major implications for teaching and learning, so CISA released a guide to help safeguard K-12 schools from the rising number of attacks in the sector. That is not all: the FBI seized Hive's Tor payment and data leak sites in a major crackdown on the ransomware gang.

  • NIST published the final version of its guidance on applying the Cybersecurity Framework to the ground segment of space operations. It is designed to help organizations in the space sector manage cybersecurity risk in satellite command-and-control and the supporting ground infrastructure, which is the part of the system most attackers can actually reach.
  • President Joe Biden signed the VA Cybersecurity Act of 2022 into law to boost cybersecurity across the Department of Veterans Affairs. The law requires the department to obtain an independent assessment of its IT systems and cybersecurity programs, with the aim of better protecting veterans' data.
  • CISA released a report and toolkit to bolster the cyber defenses of K-12 schools and districts. The report, mandated by the K-12 Cybersecurity Act, makes three recommendations to help educational institutions build, operate, and maintain resilient cybersecurity programs.
  • Europol and Eurojust dismantled a network of call centers that lured victims into fake cryptocurrency investments, defrauding them of at least $2.2 million. In another major catch, the FBI disrupted the prolific Hive ransomware gang, which had raked in over $100 million in cryptocurrency ransom payments.

The Bad

Cybercriminals continue to up their game with new strategies and tactics to extort victims across a range of industries. Several major firms and brands, including PayPal, Toyota, Nissan, Zacks Investment Research, and Solar Industries India, disclosed serious breaches last month. Healthcare institutions also fell prey, as in the 550 GB data theft from Consulate Health Care, the work of Hive before its takedown. BayCare Clinic also exposed the PHI of over 100,000 individuals, although in that case the leak came from a web tracking pixel installed on a partner's website rather than from an intrusion.

  • U.S. rail and locomotive company Wabtec Corporation confirmed it was hit by the LockBit ransomware gang. The incident took place in June 2022 and affected operations in the U.S., Canada, the U.K., and Brazil. The investigation later revealed that the ransomware had been introduced onto certain systems as early as March 15, 2022, months before it was detected.
  • The Hive ransomware group leaked 550 GB of data stolen from Consulate Health Care, including employee and customer PII. The leaked samples include contracts, agreement documents, and internal company information, as well as employees' email addresses, phone numbers, credit card details, Social Security numbers, and medical records.
  • Bay Bridge Administrators notified around 250,000 individuals of a September 2022 data breach. The compromised information includes names, addresses, birth dates, Social Security numbers, ID and driver’s license numbers, and medical and health insurance information.
  • PayPal disclosed that the accounts of roughly 35,000 U.S. customers were accessed without authorization in a credential-stuffing attack between December 6 and 8, 2022. PayPal said it had no evidence the credentials came from its own systems; they were most likely reused from breaches of other services, the hallmark of credential stuffing. The company reported no evidence of unauthorized transactions, but the attackers may have viewed personal information such as names, Social Security numbers, addresses, and dates of birth.
  • Toyota Motor Corporation revealed a data breach at Toyota Kirloskar Motor, its joint venture with Indian conglomerate Kirloskar Group, that exposed the personal information of over 290,000 customers. The breach was reported after an access key was found in a public GitHub repository, where it had been exposed for nearly five years. A secret that has ever been committed to a public repository should be treated as compromised and rotated immediately, not only once someone reports it.
  • Costa Rica’s Ministry of Public Works and Transport (MOPT) suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by Conti ransomware. Cybersecurity experts were called in to address the situation. 
  • A data breach at a third-party service provider compromised the personal information of roughly 18,000 Nissan customers in North America. The car manufacturer learned of the attack in June 2022. The compromised information includes dates of birth and NMAC (Nissan Motor Acceptance Corporation) account numbers.
  • Nearly one million active and inactive Norton LifeLock accounts were targeted in credential-stuffing attacks. The attacks began around December 1, 2022, and a large number of failed login attempts was detected on December 12. As in the PayPal incident, the attackers reused credentials exposed in breaches of other services; the company reset passwords on the affected accounts.
  • Wisconsin-based BayCare Clinic revealed that the PHI of 134,000 patients was inadvertently disclosed to unauthorized third parties through tracking pixels on the website of its partner, Advocate Aurora Health. Advocate Aurora Health had previously disclosed that the same pixels sent personal and protected health information of up to three million patients to third parties such as Google and Meta.
  • Zacks Investment Research suffered a data breach that exposed the personal information of 820,000 customers. The intrusion lasted from November 2021 to August 2022. On discovery, the firm implemented additional security measures on its network.
  • The BlackCat ransomware group added Solar Industries India to its list of victims. The group claims to have stolen 2TB of data, including secret military data related to weapons production. Other stolen data includes personal information about the company’s employees, blueprints, and engineering documentation of weapons.
  • Confidential data from 14 U.K. schools was leaked online. The leaks include special educational needs (SEN) information and passport scans of children, along with staff contract details and pay scales. The attacks and leaks are believed to be the work of the Vice Society ransomware group.
  • Access to the websites of the Danish Central Bank and seven private banks in the country, including Jyske Bank and Sydbank, was briefly disrupted by a DDoS attack that flooded the targeted servers with junk traffic to knock them offline.
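The PayPal and Norton LifeLock incidents above share one signature: a single source tries many different accounts with leaked username/password pairs, and most attempts fail. The following is an added example (not Cyware's, PayPal's or Norton's code) of a detector for that pattern run over constructed authentication log lines. The log format, the `src=`/`user=`/`result=` field names, the 5-minute window and the thresholds are assumptions for illustration; the IP addresses are documentation ranges and the dates merely mirror PayPal's disclosed window.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not code from the Cyware post or from any vendor named in it.
Log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
# "<ISO timestamp> src=<ip> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2022-12-06T02:00:01Z src=203.0.113.7 user=alice@example.com result=fail
2022-12-06T02:00:02Z src=203.0.113.7 user=bob@example.com result=fail
2022-12-06T02:00:02Z src=203.0.113.7 user=carol@example.com result=ok
2022-12-06T02:00:03Z src=203.0.113.7 user=dave@example.com result=fail
2022-12-06T02:00:04Z src=203.0.113.7 user=erin@example.com result=fail
2022-12-06T02:00:05Z src=203.0.113.7 user=frank@example.com result=fail
2022-12-06T02:10:00Z src=198.51.100.4 user=alice@example.com result=fail
2022-12-06T02:10:30Z src=198.51.100.4 user=alice@example.com result=fail
2022-12-06T02:11:00Z src=198.51.100.4 user=alice@example.com result=ok
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
            "src": kv["src"],
            "user": kv["user"],
            "ok": kv["result"] == "ok",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_rate=0.5):
    """Return {src_ip: summary} for sources that, within one sliding window,
    tried at least `min_users` distinct accounts with a low success rate.

    A single account hammered from one IP (the 198.51.100.4 lines) is a
    brute-force signature, not stuffing, and is deliberately not flagged here.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            success_rate = sum(e["ok"] for e in chunk) / len(chunk)
            if len(users) >= min_users and success_rate <= max_success_rate:
                best = alerts.get(src)
                # Keep the widest window seen so the report counts every account tried.
                if best is None or len(users) > best["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "first_seen": chunk[0]["ts"],
                        # Accounts that accepted a leaked password: these need a reset.
                        "compromised": sorted({e["user"] for e in chunk if e["ok"]}),
                    }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The "compromised" list is the actionable output: the accounts where a leaked password worked are the ones to force-reset, which is the response both companies described. In production the same logic is usually keyed on more than the source IP (ASN, user agent, TLS fingerprint), because stuffing tools rotate through proxy pools to stay under per-IP thresholds.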

New Threats

Cybercriminals know they will not survive unless they innovate. The Gootloader malware received an update weeks after being spotted using SEO poisoning against the Australian healthcare industry. Meanwhile, the landscape saw a wave of new RAT deployments, including PoweRAT, SparkRAT, and SpyNote. Furthermore, major car brands, including Toyota, Mercedes, and BMW, may have exposed car owners' personal information owing to a set of serious bugs.

  • Symantec researchers documented the activities of Bluebottle (aka OPERA1ER), a cybercrime group targeting banks in French-speaking African countries. The initial infection vector is unknown, but in some cases job-themed file lures written in French were used to trick victims.
  • A new version of the SpyNote Android malware is targeting customers of numerous financial institutions, including Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank. The campaign has been active since October 2022, and the malware comes with a plethora of data-stealing capabilities.
  • The cybercrime group tracked as Scattered Spider was observed targeting telecom and BPO firms. Initial access relied on phishing and social engineering to obtain employees' credentials and one-time passcodes. Once inside, the group loaded a legitimate but vulnerable Intel Ethernet diagnostics driver (CVE-2015-2291) in a bring-your-own-vulnerable-driver (BYOVD) attack to disable endpoint security tools, which is why an eight-year-old driver flaw still matters.
  • A new round of supply chain attacks delivered the PoweRAT malware through malicious PyPI packages: EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles. The malware steals browser cookies, passwords, Discord tokens, and Telegram data.
  • Gootkit loader (aka Gootloader) resurfaced in a new spate of attacks on the Australian healthcare industry, using SEO poisoning to lure victims to malicious download pages for initial infection. Researchers also found that the group had restructured Gootkit, adding new components and new obfuscation techniques.
  • A new Android malware dubbed Hook is being sold on underground forums for $5,000 per month. The malware is promoted by the creators of Ermac and helps threat actors steal credentials from over 460 banking and crypto apps via overlaid login pages. Researchers note that it shares much of its source code with Ermac.
  • The Roaming Mantis campaign was found using a new DNS changer in its Wroba Android malware (aka Moqhao, XLoader). The malware alters the DNS settings of the Wi-Fi router the infected device is connected to, so that other devices on the same network are redirected to attacker-controlled pages that steal credentials and spread the malware further.
  • Threat actors were observed abusing Google Ads to deliver Vidar Stealer and the IcedID trojan. The campaign, active since November 2022, uses fake download sites for Audacity, Blender, and GIMP. In a similar campaign, attackers targeted Bitwarden and other password manager users with malicious Google Ads leading to phishing pages designed to steal vault credentials.
  • Bitdefender security analysts uncovered a malware campaign dropping the EyeSpy spyware. The campaign started in May 2022 and targets 20Speed VPN users through trojanized installers. Users in Iran, the U.S., and Germany are affected.
  • Researchers at SentinelLabs tracked DragonSpark, a new attack campaign attributed to a Chinese-speaking actor that deployed the open-source Golang SparkRAT on victims' systems. The attacks targeted organizations in East Asia and were launched from compromised infrastructure located in China and Taiwan.
  • Critical flaws discovered in vehicles of popular car brands, including Honda, Nissan, BMW, Rolls Royce, Ford, Ferrari, and Toyota, could allow attackers to perform malicious actions against cars and their owners. Some of the flaws can be exploited to achieve remote code execution or to read the memory of backend systems.
  • The ASEC analysis team discovered a new attack that exploits a known vulnerability in the Sunlogin remote-control software to deploy the Sliver C2 backdoor, together with a BYOVD (bring-your-own-vulnerable-driver) tool that disabled security products and installed a reverse shell. In 2022, the same flaw was exploited to distribute Gh0st RAT, the XMRig coin miner, and Powercat.
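The PoweRAT item above is the usual PyPI supply-chain shape: a handful of packages whose names either imitate a popular library (Discorder, Discord-dev) or are simply innocuous, and whose payload runs at `pip install` time. The following is an added example (not Cyware's code and not the researchers' tooling) of two checks a practitioner can run over a dependency manifest before installing: a name-lookalike test against an allowlist, and a scan of `setup.py` for install-time execution. The allowlist, the sample manifest and the sample `setup.py` are constructed for illustration; the base64 string in the sample decodes to a harmless `print('hi')`.

```python
"""Two pre-install checks for PyPI dependencies.

Added example, not code from the Cyware post or from the PoweRAT research.
POPULAR, SAMPLE_MANIFEST and SAMPLE_SETUP_PY are constructed for illustration.
"""
import re

# Assumed allowlist of well-known names that squatters imitate.
POPULAR = ("discord", "requests", "numpy", "colorama", "pyyaml", "pillow")

# Constructed manifest: the five package names from the campaign plus two benign ones.
SAMPLE_MANIFEST = ["EasyTimeStamp", "Discorder", "Discord-dev", "Style.py",
                   "PythonStyles", "requests", "numpy"]


def normalize(name):
    """PEP 503 normalization: case-insensitive, runs of -, _ and . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(name, popular=POPULAR, max_distance=2):
    """Return why `name` resembles a popular package, or None if it does not."""
    n = normalize(name)
    if n in popular:
        return None  # exact match to a known package: nothing to flag by name
    reasons = []
    for p in popular:
        d = edit_distance(n, p)
        if d <= max_distance:
            reasons.append(f"{d} edit(s) from '{p}'")
        elif n.startswith(p + "-") or n.endswith("-" + p):
            reasons.append(f"wraps the popular name '{p}'")
    return reasons or None


def review_manifest(names):
    """Map each suspicious dependency name to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := lookalike_reasons(n))}


# Patterns that have no business in a setup.py of an ordinary library.
SETUP_RED_FLAGS = (
    (r"\bcmdclass\s*=", "overrides install/egg_info commands, so code runs at pip install time"),
    (r"\b(exec|eval)\s*\(", "dynamic code execution"),
    (r"base64\.b64decode\(|\.decode\(\s*['\"]hex['\"]\)", "decodes an obfuscated payload"),
    (r"\burlopen\(|requests\.get\(|socket\.socket\(", "opens network connections during install"),
)


def setup_red_flags(setup_source):
    """Return the red-flag descriptions matched by a setup.py source string."""
    return [why for pat, why in SETUP_RED_FLAGS if re.search(pat, setup_source)]


# Constructed setup.py in the shape of an install-time dropper (payload is harmless).
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import base64

class PostInstall(install):
    def run(self):
        install.run(self)
        # stand-in for a dropper; this base64 decodes to print('hi')
        exec(base64.b64decode("cHJpbnQoJ2hpJyk="))

setup(name="discord-dev", version="0.0.1", cmdclass={"install": PostInstall})
'''


if __name__ == "__main__":
    print(review_manifest(SAMPLE_MANIFEST))
    print(setup_red_flags(SAMPLE_SETUP_PY))
```

Only two of the five campaign names trip the lookalike check; EasyTimeStamp, Style.py and PythonStyles are not imitating anything, which is exactly why the second check matters. A `cmdclass` override plus `exec` of a decoded blob is the classic install-hook dropper, and it is visible in the sdist before anything is executed. Both checks are heuristics: pair them with `pip install --only-binary` where possible, pinned hashes in the manifest, and a private index or proxy that lets you quarantine new packages.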

 Tags

hive ransomware group
danish central bank
spynote
gootloader
bluebottle
hook
norton lifelock
paypal
baycare clinic
joe biden
zacks investment research zacks
consulate health care
scattered spider
toyota
eyespy
roaming mantis
nist cybersecurity framework csf
sliver
solar industries india

Posted on: February 01, 2023

