
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Feb 1, 2023

The Good

Planning satellite operations while paying no attention to the cyber resilience of ground networks is like sending an open invitation to cyber threats. The NIST released the final version of its cybersecurity framework for the ground segment of space operations. Cyberattacks on K-12 schools have major implications for teaching and learning; to help overcome these challenges, the CISA released a guide to safeguard K-12 schools from the ever-rising attacks in the sector. That’s not all! The FBI raided and seized Hive’s Tor payment and data leak sites in a major crackdown.

  • The NIST published the final version of its cybersecurity framework for the ground segment of space operations. The framework is designed to help organizations in the space sector manage their cybersecurity risks by implementing security measures on satellites and other critical infrastructure.

  • President Joe Biden approved a set of new laws under the VA Cybersecurity Act of 2022 to boost cybersecurity across the Department of Veterans Affairs. As part of the new law, the department needs to conduct an independent audit of its IT systems and cybersecurity programs. This is intended to boost data security for veterans.

  • The CISA released a report and toolkit to bolster the cyber defense of K-12 schools and districts. The report is mandated by the K-12 Cybersecurity Act and includes three recommendations to help educational institutions build, operate, and maintain resilient cybersecurity programs.

  • Europol and Eurojust took action against a cryptocurrency investment scam that defrauded victims of at least $2.2 million through call centers, whose operators lured victims into investing in fake cryptocurrency schemes. In another major catch, the FBI busted the network of the prolific Hive ransomware gang that raked in over $100 million in cryptocurrency payments.

The Bad

Cybercriminals continue to up their game with new strategies and tactics to extort money from a range of industries. Several top firms and brands, such as PayPal, Toyota, Nissan, Zacks Investment Research, and Solar Industries India, suffered critical breaches in the last month. Healthcare institutions also fell prey to hackers, as in the case of the 550 GB data theft from Consulate Health Care, which was the work of Hive before the disruption. BayCare Clinic also exposed the PHI of over 100K individuals; in that case, however, the cause was an online tracking pixel installed on its partner’s website.

  • U.S. rail and locomotive company Wabtec Corporation confirmed being hit by the LockBit ransomware gang. The incident took place in June 2022 and impacted its operations in the U.S., Canada, U.K., and Brazil. It was further revealed that the ransomware was introduced onto certain systems as early as March 15, 2022.

  • The Hive ransomware group leaked 550 GB of data, including employee and customer PII, stolen from Consulate Health Care. The leaked samples include stolen contracts, agreement documents, and the company’s private information, as well as email addresses, phone numbers, credit card details, Social Security numbers, and medical records of employees.

  • Bay Bridge Administrators notified around 250,000 individuals of a September 2022 data breach. The compromised information includes names, addresses, birth dates, Social Security numbers, ID and driver’s license numbers, and medical and health insurance information.

  • PayPal disclosed that the login credentials of 35,000 US customers were accessed in an unauthorized manner in a credential-stuffing attack spree between December 6 and 8, 2022. While there has been evidence of unauthorized transactions, threat actors may have also accessed personal information such as names, social security numbers, addresses, and dates of birth of customers.

  • Toyota Motor Corporation revealed a data breach at Toyota Kirloskar Motor, a joint venture with Indian giant Kirloskar Group, that compromised the personal information of over 290,000 customers. The breach was reported after an access key was left exposed to the public on GitHub for over five years.

  • Costa Rica’s Ministry of Public Works and Transport (MOPT) suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by Conti ransomware. Cybersecurity experts were called in to address the situation.

  • A data breach at a third-party service provider resulted in the compromise of the personal information of roughly 18,000 Nissan customers in North America. The car manufacturer learned about the attack in June 2022. The compromised information includes birth dates and NMAC account numbers.

  • Nearly one million active and inactive Norton LifeLock accounts have been targeted in multiple credential-stuffing attacks. The attacks started on December 1, with a large number of failed login attempts observed on December 12, 2022. The company took several actions to secure the accounts.

  • Wisconsin-based BayCare Clinic revealed that the PHI of 134,000 patients was inadvertently disclosed to unauthorized third parties as a result of the use of tracking pixels by its partner, Advocate Aurora Health. Previously, Advocate Aurora Health had disclosed that the personal and protected health information of up to three million patients was disclosed to third parties such as Google and Meta.

  • Zacks Investment Research (Zacks) suffered a data breach that exposed the personal information of 820,000 customers. The incident occurred between November 2021 and August 2022. Upon discovery, the firm took immediate action to implement additional security measures to protect its network.

  • The BlackCat ransomware group added Solar Industries India to its list of victims. The group claims to have stolen 2TB of data, including secret military data related to weapons production. Other stolen data includes personal information about the company’s employees, blueprints, and engineering documentation of weapons.

  • Confidential data from 14 U.K. schools was leaked online by hackers. The data includes SEN information and passport scans of children, along with contract details and pay scales of staff members. The attacks and leaks were believed to be perpetrated by the Vice Society ransomware group.

  • Access to the websites of the Danish Central Bank and seven private banks in the country was briefly disrupted following a DDoS attack. Attackers flooded the targeted servers with junk traffic in a bid to knock them offline. Among the banks affected were Jyske Bank and Sydbank.
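The PayPal and Norton LifeLock entries above both describe credential stuffing: username/password pairs leaked from other breaches replayed against a login endpoint, showing up as a burst of failed logins across many different accounts from the same source, with occasional successes where a reused password matched. The following Python detector is an added example written for this briefing, not code from Cyware or from either company's investigation; it runs over constructed authentication log lines in a hypothetical "timestamp ip user result" format and the thresholds are assumptions to be tuned per environment. It generalizes beyond the two incidents to any login log with those four fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not real incident data):
# "<ISO-8601 timestamp> <source IP> <username> <FAIL|OK>"
# 203.0.113.7 replays a leaked credential list; 198.51.100.5 is a user mistyping a password.
SAMPLE_LOG = """\
2022-12-06T10:00:01Z 203.0.113.7 alice FAIL
2022-12-06T10:00:02Z 203.0.113.7 bob FAIL
2022-12-06T10:00:03Z 203.0.113.7 carol FAIL
2022-12-06T10:00:04Z 203.0.113.7 dave FAIL
2022-12-06T10:00:05Z 203.0.113.7 erin FAIL
2022-12-06T10:00:06Z 203.0.113.7 frank FAIL
2022-12-06T10:00:07Z 203.0.113.7 grace FAIL
2022-12-06T10:00:08Z 203.0.113.7 heidi FAIL
2022-12-06T10:00:09Z 203.0.113.7 ivan FAIL
2022-12-06T10:00:10Z 203.0.113.7 judy FAIL
2022-12-06T10:00:11Z 203.0.113.7 mallory OK
2022-12-06T10:00:12Z 203.0.113.7 oscar FAIL
2022-12-06T10:00:13Z 203.0.113.7 peggy OK
2022-12-06T10:05:00Z 198.51.100.5 trent FAIL
2022-12-06T10:05:10Z 198.51.100.5 trent FAIL
2022-12-06T10:05:20Z 198.51.100.5 trent OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_failures=10, min_users=8):
    """Flag source IPs whose failed logins within `window` span many distinct accounts.

    A single user fumbling their own password produces many failures for ONE
    account; credential stuffing produces failures spread across MANY accounts,
    which is the signal used here. Any successful login from a flagged IP is
    listed for review, since a stuffed credential that "worked" looks like a
    normal OK event with no preceding failure for that user.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]  # already time-ordered
        for i, (ts0, _) in enumerate(fails):
            # Sliding window: failures from ts0 up to ts0 + window.
            window_users = [u for ts, u in fails[i:] if ts - ts0 <= window]
            if len(window_users) >= min_failures and len(set(window_users)) >= min_users:
                alerts[ip] = {
                    "failures": len(fails),
                    "distinct_users": len({u for _, u in fails}),
                    "accounts_to_review": sorted(u for _, u, r in evs if r == "OK"),
                }
                break  # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} accounts; "
              f"successful logins to review: {info['accounts_to_review']}")
```

In production the per-IP key is weak on its own, since stuffing tools rotate through proxy pools; the same windowed "distinct accounts per source" count applied to an ASN, a TLS fingerprint, or a device cookie catches the distributed variant, and the `accounts_to_review` list is what drives forced password resets and session revocation for the affected users.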

New Threats

Cybercriminals are mindful of the fact that they won’t survive unless they innovate. The Gootloader malware received an update weeks after being spotted using SEO poisoning techniques against the Australian healthcare industry. Meanwhile, the cyber landscape witnessed a rise in new RAT deployments in the form of PoweRAT, SparkRAT, SpyNote, and others. Furthermore, some major car brands, including Toyota, Mercedes, and BMW, may have exposed car owners’ personal information owing to a severe flaw.

  • Symantec researchers documented the activities of Bluebottle (aka OPERA1ER), a cybercrime group that targeted banks in French-speaking nations in Africa. The initial infection vector is unknown, but in some cases, job-themed file lures written in French were leveraged to trick victims.

  • Numerous financial institutions, including Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank, are being targeted by a new version of the SpyNote Android malware. The attack campaign has been active since October 2022, and the malware comes with a plethora of data-stealing capabilities.

  • A cybercrime group tracked as Scattered Spider was observed exploiting an old vulnerability (CVE-2015-2291) in an Intel Ethernet diagnostics driver to target telecom and BPO firms. The attacks were launched using phishing and social engineering techniques to obtain victims’ credentials and OTPs.

  • A new round of supply chain attacks deploying the PoweRAT malware on victims’ systems was observed. The attacks leveraged several PyPI packages—EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles—to drop the malware, which is capable of stealing browser cookies, passwords, Discord tokens, and Telegram data.

  • Gootkit loader (aka Gootloader) resurfaced in a new spate of attacks that targeted the Australian healthcare industry. The malware operators leveraged SEO poisoning attacks for initial infection. In other news, the group behind it appears to have restructured Gootkit by adding new components and implementing new obfuscation techniques.

  • A new Android malware dubbed Hook is being sold on underground forums for $5000/month. The malware is promoted by the creators of Ermac and can help threat actors steal credentials from over 460 banking and crypto apps via overlaid login pages. Researchers claim that the malware borrows its source code from Ermac.

  • The Roaming Mantis attack campaign was found implementing a new DNS changer to control infected Android devices and steal sensitive information. The changes were made to deploy the Wroba Android malware (aka Moqhao, XLoader) to steal user credentials.

  • Threat actors were observed leveraging Google Ads to deploy Vidar Stealer and the IcedID trojan on victims’ systems. The campaign has been active since November 2022 and uses fake websites of Audacity, Blender, and GIMP to target users. In a similar campaign, hackers targeted Bitwarden and other password managers via Google Ads phishing to steal users’ password vault credentials.

  • Bitdefender security analysts stumbled across a malware campaign dropping the EyeSpy spyware. The campaign started in May 2022 and has been targeting 20Speed VPN users through trojanized installers. Users in Iran, the U.S., and Germany are targeted by the spyware.

  • Researchers at SentinelLabs tracked a new attack campaign by a Chinese hacking group, dubbed DragonSpark, that deployed SparkRAT malware on victims’ systems. The attacks targeted organizations in East Asia and used compromised infrastructure located in China and Taiwan to launch the Golang malware.

  • Critical flaws discovered in vehicles of popular car brands, including Honda, Nissan, BMW, Rolls Royce, Ford, Ferrari, and Toyota, could allow attackers to perform malicious activities. Some of these flaws can be exploited to achieve remote code execution or access the memory of some systems.

  • The ASEC analysis team discovered a new attack that targeted systems affected by a Sunlogin vulnerability to deploy the Sliver backdoor and BYOVD malware that disabled security products and installed a reverse shell. In 2022, the flaw was exploited to distribute Gh0st RAT, the XMRig coin miner, and Powercat.
