Cyware Monthly Threat Intelligence, June 2023

The Good

• MIT researchers developed the Metior framework that provides a quantitative assessment of cybersecurity obfuscation schemes, helping engineers evaluate the effectiveness of different security approaches. The framework enables users to analyze the impact of various factors, such as victim programs, attacker strategies, and obfuscation scheme configurations, on the leakage of sensitive information. Microprocessor engineers can, hence, use it to determine the most promising architecture during the early stages of chip design.
• The FCC announced the launch of its first-ever privacy and data protection task force with an aim to address SIM swapping attacks and thwart threats concerning data privacy. The creation of the task force comes in the wake of the rising number of data protection issues faced by customers of U.S. telecom providers. The task force will coordinate with the FCC to create authentication-related standards for carriers transferring a number to a new device or a new carrier.
• The U.S. and Israeli government agencies released a guide for organizations to secure remote access software against malicious attacks. The guide highlights the attractiveness of remote access software to malicious actors, particularly ransomware groups, and offers recommendations to improve security and identify and prevent malicious activity.
• Google has introduced a Secure AI Framework (SAIF) to help mitigate the risks of AI systems being misused. SAIF builds on Google's experience developing cybersecurity models and is designed to help protect against theft of AI models, data poisoning, malicious inputs, and extraction of confidential information.

The Bad

• National Health Service (NHS), the U.K, suffered a breach impacting the sensitive personal information of about 1.1 million patients, including trauma patients and victims of terrorism. The attack originally targeted the University of Manchester, which led to the NHS leak. The incident also led to the compromise of student and alumni information, which includes personal details, including demographic data. The university's backup servers were accessed by criminals; however, their identity remains unknown at this time.
• The Cl0p ransomware group, responsible for numerous breaches due to a bug in the MOVEit file transfer tool, may have impacted at least 158 organizations. The number of individuals impacted by hackers exploiting vulnerabilities in the MOVEit software has surpassed 16 million, and this count is expected to rise further.
• The LockBit ransomware group claimed to have hacked into Taiwan Semiconductor Manufacturing Company (TSMC) and demanded $70 million in ransom demand. Meanwhile, TSMC confirmed that one of its IT hardware suppliers was hit by a cyberattack that compromised data related to initial server setup and configuration. The supplier that suffered the actual attack is Kinmax Technology, Taiwan.
• Hawai'i Community College observed dealing with a ransomware attack that knocked off its network. The ransomware group named N0_Esc4pe claimed responsibility for the attack and threatened to leak 65 GB of data stolen from the college. Experts said the incident did not impact the other campuses of the University of Hawaii (UH).
• Major global airlines American Airlines and Southwest Airlines disclosed data breaches resulting from a hack at a third-party vendor, Pilot Credentials. On April 30, an unauthorized individual reportedly infiltrated Pilot Credentials' systems and illicitly obtained documents containing sensitive information. As a result, personal information belonging to 5,745 pilots from American Airlines and 3,009 pilots from Southwest Airlines has been affected.
• A database containing 255,756 records, worth 93.93 GB, was left publicly available. Researchers claimed that the unprotected database belonged to RateForce and contained scans and images of various documents, including vehicle registrations, driver’s licenses, insurance cards, vehicle titles, and state Medicaid health coverage cards.
• Hackers breached the computer network at a Scranton, Pennsylvania-based cardiology group and potentially obtained the private data of over 181,000 patients. The exposed information included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and passport numbers.
• A misconfigured database containing the personal information of more than 8.8 million Zacks Investment Research users was dumped on a hacking forum. The compromised information included names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes. The oldest entry in the database dated back to May 2020. 
• A widespread brand impersonation scam campaign was discovered targeting over 100 popular clothing, footwear, and apparel brands. The campaign has been active since 2022 and peaked between November 2022 and February 2023. Scammers have set up more than 3,000 domains impersonating major brands such as Nike, Puma, Clarks, Crocs, Caterpillar, Fila, and Vans. SEO poisoning tactic is used to dupe unsuspecting users.
• The government of the Canadian province of Nova Scotia and the University of Rochester, New York, confirmed data theft as a result of the exploitation of a new vulnerability affecting the popular file transfer tool MOVEit Transfer. The payroll provider Zellis was also hit by a cyberattack due to the same vulnerability, compromising the personal data of employees at the BBC, British Airways, Boots, and Aer Lingus, among other companies.
• Globalcaja, a major bank in Spain, suffered a ransomware attack by the Play ransomware group. The group claimed to have stolen personal and confidential data and threatened to publish it if the bank did not pay the ransom. While the bank claims that the attack did not affect transactions or accounts of clients, some operations were temporarily limited.

New Threats

• Security researchers stumbled across a new mobile malware campaign targeting online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland. The campaign, active since March 2023, utilizes the Anatsa Android banking trojan embedded within apps posing as PDF scanners, QR code scanners, and fitness tracking apps, among others. The malware has already amassed over 30,000 installations and targets approximately 600 financial apps globally.
• The relatively new Akira ransomware broadened its operations by including Linux-based platforms among its targets. Cyble Research and Intelligence Labs (CRIL) came across the Linux version of the malware and revealed that the group has 46 publicly disclosed victims. The attacks carried out by the group aimed at a broad spectrum of industries, including education, BFSI, professional services, manufacturing, and others.
• Researchers uncovered an active cryptojacking campaign abusing and breaking into Internet-exposed Linux and IoT devices through brute-force attacks. Once inside a system, the attackers utilize a modified OpenSSH package to create a backdoor on the compromised devices and illicitly obtain SSH credentials, enabling them to maintain persistence. Criminals also deploy Reptile and Diamorphine open-source LKM rootkits to conceal their malicious actions.
• China-linked APT15 (aka Flea) was found using a new Graphican backdoor in a long-running campaign that targeted foreign affairs ministers in the Americas. The backdoor shares similarities with Ketrican, another backdoor used by APT15 in previous attacks. Attackers leveraged a critical flaw in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC) that was patched in 2020, to gain initial access.
• A cyberespionage operation deploying RDStealer on systems in East Asia was observed by Bitdefender Labs. The malware was used to steal data from drives through RDP connections. The operation initially relied on commonly available malware such as AsyncRAT and hacking tools like Cobalt Strike. However, in late 2021 or early 2022, the threat actors switched to custom-made malware to avoid detection. 
• Iranian threat actor Charming Kitten introduced a new version of its PowerStar backdoor malware. The latest iteration of the backdoor unveils enhanced operational security measures, rendering the malware even more challenging to analyze and gather intelligence on. The updated malware utilizes the InterPlanetary File System (IPFS) and publicly accessible cloud hosting for its decryption function and configuration details.
• Cyfirma and Zscaler published two simultaneous reports on a new info-stealer, named Mystic Stealer. The malware targets a wide range of applications and platforms, including 40 web browsers, 70 browser extensions, 21 cryptocurrency applications, nine MFA and password management applications, 55 cryptocurrency browser extensions, as well as Steam and Telegram credentials. 
• Researchers uncovered a new malware loader, dubbed DoubleFinger, deploying the GreetingGhoul cryptocurrency stealer on victims’ machines. The multi-stage campaign appears to be primarily targeting entities in Europe, the U.S., and Latin America. In some cases, the malware loader was found deploying Remcos RAT alongside DoubleFinger, using multiple evasion tactics, including steganography.
• The newly discovered Pikabot trojan was found to be capable of executing a range of malicious commands, including running arbitrary shellcode, DLLs, and distributing malicious tools such as Cobalt Strike. The trojan is modular in nature, comprising a loader and a core module. It shares similarities with the QakBot trojan.
• A new version of the GravityRAT Android spyware was observed being distributed via trojanized versions of BingeChat and Chatico apps. The malware came with two new capabilities — receiving commands to delete files and exfiltrating WhatsApp backup files. The campaign was attributed to a group named SpaceCobra. 
• Adlumin discovered a new malware named PowerDrop, which uses PowerShell and Windows Management Instrumentation (WMI) to infiltrate networks and execute remote commands. The malware was designed to target the aerospace industry in the US. The use of PowerShell for remote access and WMI-based persistence of PowerShell scripts, as well as ICMP triggering and tunneling, suggests the involvement of more proficient threat actors.
• Check Point Research revealed a cyberespionage campaign using a previously undisclosed backdoor named Stealth Soldier targeting Libyan organizations. The malware is a customized modular backdoor with surveillance capabilities, and there are three distinct versions of it, varying in factors such as filenames and registry keys.
• Researchers linked the recent attacks exploiting a zero-day vulnerability in a Barracuda Networks email security appliance to a cyberespionage group operating in China. The flaw, tracked as CVE-2023-2868, could lead to a remote command injection attack by sending a specially crafted TAR file as an attachment.