Cyware Monthly Threat Intelligence, July 2022

The Good

• The exploitation of sensitive data, including users' browser behavior, healthcare data, and their precise whereabouts, is rising with each passing day. The U.S. Federal Trade Commission (FTC) has issued a warning that it will take action against tech companies that are illegally using and sharing highly sensitive data of users. The agency aims at using the full scope of its legal authorities to protect consumers’ privacy. 
• Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities. Phones running Android 11 and higher versions are expected to use DoH3 instead of DNS-over-TLS (DoT), which came with Android 9.0.
• After six years, the NIST handpicked four encryption algorithms—CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+—that will withstand attacks from quantum computers. While CRYSTALS-Kyber will be used for access to websites, the other three are to protect digital signatures. These algorithms will also be helpful in safeguarding daily-in-use critical online banking and email software systems.
• The U.S. federal credit union regulators announced a new mandate to report cyber incidents. According to the new proposed rule, federally chartered credit union organizations are required to report within 72 hours of a cyberattack and apply for third-party security breaches as well.

The Bad

• The FBI issued a warning against cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. They make users install fake apps and deposit funds into wallets allegedly associated with the victims' accounts. Cybercriminals defrauded at least 244 investors to pilfer roughly $42.7 million.
• The decentralized music platform Audius was hacked, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. The hacker exploited a bug in the contract initialization code to launch the hack.
• Austrian hack-for-hire company DSIRF, along with the Knotweed gang, was spotted abusing multiple bugs in Windows and Adobe software products in a targeted attack campaign against European and Central American individuals. The Private-Sector Offensive Actor (PSOA) drops a surveillance tool known as Subzero. The malware can be used to hack phones, computers, and IoT devices.
• American Marriage Ministries (AMM) disclosed a data breach incident that affected the data of about 185,000 officiants and 15,000 married couples, as well as their wedding guests. This occurred due to an unsecured Amazon bucket that contained around 630GB of data. 
• Solana-based liquidity protocol Crema Finance lost more than $8.78 million worth of cryptocurrencies after hackers attacked the platform. The attackers used the infamous flash loan trick to manipulate the prices of assets before stealing the assets.
• Microsoft researchers revealed that a large-scale phishing attack campaign has targeted more than 10,000 organizations since September 2021. The campaign used the Evilginx2 phishing toolkit to construct phishing pages, bypass MFA, and steal credentials and session cookies from Office 365 users.
• Professional Finance Company disclosed a ransomware attack that impacted the private data of around 1.9 million people associated with hundreds of U.S. hospitals, medical clinics, and dental firms. The debt collection firm revealed that the criminals were able to access files from more than 650 healthcare providers.
• Threat actors compromised the official website of Premint NFT and stole 314 NFTs, amounting to approximately $375,000. The attack has six primary EOAs associated with it, among which two wallets contain Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.
• Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.  
• Neopets, a virtual pets website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.
• The Marriott hotel chain suffered another data breach incident that allowed attackers to exfiltrate around 20GB of data, including customer credit card details. Threat actors used social engineering techniques to trick an employee into providing access to their computer. 
• About 4295 ETH (approximately $4.6 million at the time of reporting) was stolen in a phishing attack on the Uniswap cryptocurrency exchange. The attackers exploited the Uniswap V3 protocol on the ETH blockchain to launch the attack.
• Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and DropBox, to target a number of Western diplomatic missions, including foreign embassies of Portugal and Brazil. The group’s phishing technique involves the use of a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.

New Threats

• Phishers and scammers are following the ebbs and flow of the threat landscape. A highly-successful phishing campaign was observed stealing banking data from the likes of Bank of America, Capital One, Citibank, Wells Fargo, and others. Linux systems continue to gain the attention of cybercriminals as Orbit and Lightning Framework join as fresh threats against the open-source, community-developed operating system. That’s not all. The introduction of new malware strains, such as Autolycos, Havanacrypt and Checkmate, has stirred anxiety among researchers.
• A new malware, masquerading as cleaner apps, infected over 1 million users across the globe. These apps are distributed via the Google Play Store. Once executed, the malware displays unwanted advertisements and runs malicious payloads without the knowledge of the users.
• Multiple DHL phishing pages were found exfiltrating users’ personal data via a Telegram bot. The fake pages use design elements like colors, fonts, and styles found on a typical DHL tracking page to convince victims that it’s legitimate in nature.
• A new macOS malware, CloudMensis, was observed gathering information from the victims’ systems by exfiltrating documents, keystrokes, and screen captures. Developed in Objective-C, the spyware uses public cloud storage services to communicate back and forth with its operators.
• Lightning Framework emerged as a new threat that targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. The malware masquerades as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
• QNAP warned customers about a new Checkmate ransomware attack aimed at its NAS devices. The ransomware employs dictionary attacks to break accounts with weak passwords. It appends .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.
• A total of 53 fake apps on the Google Play Store were spotted distributing Joker, FaceStealer, and Coper malware strains. These apps posed as SMS, photo editors, blood pressure monitor, emoji keyboards, and translation apps were downloaded over 300,000 times.
• A new threat group named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army, is actively selling Cybercrime-as-a-Service on Telegram and dark web forums. The services include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access. 
• Trend Micro identified over a thousand malicious repositories and more than 550 code samples that abused GitHub Actions to mine cryptocurrency in an automated attack. The attack involved threat actors forking a legitimate repository that has GitHub Actions enabled. This allowed them to inject malicious code into legitimate repositories. 
• A new phishing-as-a-service (PhaaS) platform is being sold to cybercriminals aiming to gain access to the financial information of individuals residing in the U.S., the U.K, Canada, and Australia. The toolkit is tracked as Robin Banks and was utilized in a large-scale phishing campaign observed in June.
• Another new malware targeting the Linux operating system named OrBit is primarily designed to drop malicious payloads. It implements advanced evasion capabilities to gain persistence on targeted machines. The main goal of the backdoor is to steal information by hooking the read and write functions. 
• A new ransomware family, dubbed HavanaCrypt, makes use of a fake Google Software Update application to propagate across systems. Additionally, it relies on Microsoft web hosting service IP address to circumvent detection. 
• A new Android malware family named Autolycos was discovered in at least eight Android applications, two of which are still available on the Google Play Store. By the time of reporting, the malware had infected over 3 million users and is capable of harvesting data from mobile devices.
• Researchers reported a new malware attack campaign that exploited the known Follina vulnerability to distribute a backdoor malware dubbed Rozena. The malware is capable of injecting a remote shell connection linking back to the attacker’s machine.