Cyware Monthly Threat Intelligence, March 2022

The Good

• Under the new cyber incident reporting law signed by President Biden, critical infrastructure organizations will be required to report cyber incidents to the DHS within 72 hours of the discovery of the event, and within 24 hours if they make a ransomware payment.
• Researchers at the Massachusetts Institute of Technology devised a technique to thwart memory-timing side-channel attacks. They shaped the memory requests by running them via a request shaper. Named DAGuise, the technique utilizes a graph structure to process requests and send them to the memory controller on a fixed schedule.
• Microsoft launched an open-source tool—RouterOS Scanner—to secure MicroTik routers and check for IOCs for TrickBot infections. The tool enables users to check the device version and charts it to known vulnerabilities. It also searches for DNS cache poisoning, traffic redirection rules, scheduled tasks, suspicious files, default port changes, non-default users, and firewall rules.
• MITRE launched the first official version of Engage, a framework for conducting cyber adversary engagement, deception, and denial activities. This framework will help CISOs, security analysts, and vendors to implement defense strategies by taking cues from adversary behavior observed in the real world.

The Bad

• A ransomware attack at Shutterfly affected the personal information of its employees. The attack occurred on December 3, 2021, after which the Conti ransomware group had leaked around 7.05GB of stolen data on its site. Apart from stealing employee data, the gang had also encrypted over 4,000 devices and 120 VMware ESXi servers. 
• Cyber attackers hacked the Ronin network of Axie Infinity, the blockchain-based game, and stole more than $620 million in cryptocurrency. They used hacked private keys to forge fake withdrawals. 
• The FBI disclosed that the Ragnar Locker ransomware has targeted at least 52 organizations across 10 critical infrastructure sectors in the U.S. These attacks have been identified since January 2022. The impacted ones include entities in the critical manufacturing, energy, financial services, government, and IT sectors. 
• Hive ransomware gang claimed to have stolen 850,000 PII records from Partnership HealthPlan of California (PHC) in around 400GB files. Rompetrol, the largest oil refinery in Romania, suffered a major attack by the group. 
• The Lapsus$ ransomware gang reportedly targeted Samsung, Microsoft, Okta, and Vodafone and stole a huge trove of internal company data from respective firms. Meanwhile, the City of London Police claimed to have arrested seven teenage suspects related to the Lapsus$ gang, two of whom were charged recently.
• Pro-Russia Monday Group crippled over 30 WordPress-hosted Ukrainian university websites. Also, a threat actor launched a DDoS attack using DanaBot against the Ukrainian Ministry of Defense’s webmail server. Scammers jumped the bandwagon to weaponize the Russia-Ukraine conflict and target users in well-crafted phishing campaigns, such as fake purchase order, tricking users into downloading offensive—but malware-laced—cyber tools, and impersonating European government personnel. Researchers identified three separate DDoS attacks, involving the new Zhadnost botnet, targeting the Ukrainian government and financial websites.
• Automotive giant Denso confirmed a cyberattack by Pandora ransomware. While the incident is under investigation, the attackers revealed that they have stolen 1.4TB of data from the firm. This includes a purchase order, a technical component document, and a sales file.
• A cyberattack on South Denver Cardiology Associates (SDCA) had exposed the PHI of almost 300,000 patients. The attack was detected on January 4, and the impacted information included patients’ names, dates of birth, Social Security numbers, drivers’ license numbers, patient account numbers, and health insurance information.
• A data breach at a Japan-based beauty product retailer Acro affected the details of more than 100,000 payment cards. The incident occurred as a result of the exploitation of a vulnerability in a third-party payment processing vendor. It affected the Three Cosmetics domain and Amplitude site.
• CRM tool Hubspot was hacked, which has led to data breaches at Swan Bitcoin, BlockFi, Circle, and NYDIG. A total of 30 clients have been affected. However, treasuries and operations remain unaffected, stated the companies. The attack was caused by a threat actor gaining access to an employee account and targeting stakeholders in the cryptocurrency sector.
• Omega Company—the R&D unit of Russian oil pipeline company Transneft—was hacked by the Anonymous collective. The hacktivists exfiltrated 79GB of emails and published them on the Distributed Denial of Secrets, a non-profit whistleblower leak site. The hackers, in another incident, announced hacking Nestlè and stealing 10 GB of sensitive data, including company emails, passwords, and data related to business customers. 
• The personal information of roughly 820,000 current and former New York City public school students were affected in a breach that occurred in January after threat actors gained unauthorized access to an online grading system and attendance system. 
• Researchers warned against active exploitation of the Log4Shell vulnerability, to deliver backdoors and cryptocurrency miners onto vulnerable VMware Horizon servers. The campaign leverages remote monitoring software packages, Atera or Spashtop, and the Sliver backdoor.
• Hackers knocked the website of the U.K Ministry of Defense offline. The Army, which was resorted to using paper systems, had declared a cyber emergency and enacted Op Rhodes. The number of affected candidates stood somewhere between 125 and 150, and some recruits’ data was for sale for one BTC on the dark web. 

New Threats

• A new phishing technique called Browser-in-the-Browser (BitB) attack discovered takes advantage of third-party SSO options embedded on websites that issue popup windows for authentication to steal user credentials. The Belarusian threat actor Ghostwriter were recently observed using the technique. Hackers can spoof a legitimate domain and steal Google, Facebook, and Microsoft credentials. 
• Researchers uncovered a new campaign that seeks to distribute malicious Android and iOS apps posing as popular cryptocurrency wallets. The campaign is believed to be active from May 2021. So far, the apps have managed to steal victims’ secret seed phrases by impersonating Coinbase, imToken, MetaMask, TrustWallet, Bitpie, TokenPocket, and OneKey.
• French entities in the real estate, construction, and government sectors were attacked via macro-enabled Microsoft Word documents propagating the open-source Chocolatey package installer. The installer, in turn, was used to deliver a backdoor called Serpent. The backdoor is capable of enabling remote administration, data theft, C2, and delivering other payloads.
• A newly discovered macOS malware called GIMMICK has been attributed to the Storm Cloud Chinese espionage threat actor group. While the macOS variant is written in Objective C, the Windows versions are written in both .NET and Delphi. Researchers discovered the sample in a campaign that was used to compromise a MacBook Pro running macOS 11.6.
• A new variant of PlugX RAT named Hodur was spotted in an ongoing attack campaign and linked to Mustang Panda. Most of the victims are located in East and Southeast Asia, with a few in Europe and Africa. The malware is distributed via decoy documents that contain information about ongoing events in Europe and the war in Ukraine.
• Hive ransomware gang is using a new IPfuscation tactic to hide its payload. Here, the threat actors hide 64-bit Windows executables inside IPv4 addresses, which eventually causes the download of the Cobalt Strike Beacon. 
• Researchers have discovered a new Wslink malware loader that runs as a server and executes modules in memory. The malware makes use of the process virtual machine as part of its obfuscation process.
• The SunCrypt ransomware has been updated with new capabilities to terminate processes, stop services, and clean the machine of any evidence of the ransomware infection. The ransomware variant was first updated in 2022 and is still under development. The attackers also plan to include an anti-VM feature in the ransomware in the future.
• A newly discovered malware loader, dubbed Verblecon, is being used to install cryptocurrency miners on infected machines. Despite being around for more than a year, the malware sample is able to maintain a low detection rate due to the polymorphic nature of the code. Researchers claim that cybercriminals may use the loader in the future to disseminate ransomware and even launch espionage attacks.
• A new variant of Mars Stealer is being used widely in multiple large-scale attack campaigns. In one such campaign, threat actors were spotted using Google Ads for OpenOffice installer to distribute the malware variant. The campaign primarily targeted users in Canada.
• A new information-stealing malware, named BlackGuard, is being sold on the hacking forum for a lifetime price of $700 or a subscription of $200 per month. The stealer can pilfer sensitive information from a broad range of applications, including web browsers, cryptocurrency wallets, messengers, and emails. The collected information is bundled in a ZIP file and sent to the C2 server via a POST request.
• A new DoS amplification attack with an amplification ratio of 4 billion to 1 is being launched in the wild, according to a new report by a group of researchers. The attack leverages a flaw, CVE-2022-26143, that affects around 2600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways. The attacks have been reported against financial institutions and logistics companies.
• Researchers detected a series of new TCP reflection/amplification attacks that leverage a new technique to knock websites offline. The amplification attack abuses vulnerable middleboxes, such as firewalls via TCP to magnify denial of service attacks. Middlebox devices from the likes of Cisco, Fortinet, SonicWall, and Palo Alto Networks are vulnerable to this new attack method.
• Iran-linked UNC3313 threat actor group was found deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE. These backdoors were used in the attack against an unnamed government entity in the Middle East in November 2021.