
Cyware Monthly Threat Intelligence, March 2023

The Good 

We open this month's newsletter with a major announcement: the release of the new U.S. National Cybersecurity Strategy, which envisages closer collaboration between government and industry as well as with international coalitions and partners. Cloud environments also received attention: they face a broad range of security challenges that leave organizations exposed to many threats, and in that light the CISA released a free, publicly available post-incident hunting tool for organizations using Microsoft cloud applications and services.

  • The White House unveiled its National Cybersecurity Strategy that focuses on securing cyberspace across public and private sectors. The strategy includes mandatory regulations on critical infrastructure vendors and offensive actions to deal with nation-state actors. The strategy will enable the FBI’s National Cyber Investigative Joint Task Force to work in tandem with all relevant U.S. agencies.
  • The CISA released a new open-source incident response tool called ‘Untitled Goose Tool’ that can help organizations detect signs of malicious activity in Microsoft cloud environments. The tool comes with several authentication and data collection methods that can be used to run a full investigation on Azure AD, Azure, and Microsoft 365 environments.
  • The CISA released an open-source tool to help defenders map an attacker’s behaviors to the MITRE ATT&CK framework. The tool can also be used to assess security tools, identify defense gaps, hunt for threats, and validate mitigation controls. 
  • The SEC proposed new cyber incident reporting rules for a range of financial organizations. Under the proposal, covered organizations would have to test and review the effectiveness of their cybersecurity policies and procedures annually, and, in the event of an attack, report the incident within 48 hours of detecting it.

The Bad

Supply chain attacks continue to pose a significant threat across industry verticals. The month's largest, linked to the North Korean Lazarus Group, targeted 3CX, a software-based PBX provider. The Cl0p ransomware group's victim count also spiked, with at least ten organizations disclosing data breaches stemming from the abuse of a zero-day in Fortra's GoAnywhere MFT. Furthermore, a lesser-known Russian hacking group was associated with a new wave of attacks against government entities in Europe.

  • Enterprise communications software maker 3CX confirmed that it was a victim of a supply chain attack that affected multiple versions of its desktop app for Windows and macOS. A few days later, researchers at Volexity attributed the supply chain attack to the North Korean Lazarus APT group.
  • The Cl0p ransomware group gave security teams across industries sleepless nights owing to the Fortra GoAnywhere MFT breaches. The list of victims includes Procter & Gamble, the Pension Protection Fund (U.K.), Hitachi Energy, data security firm Rubrik, Community Health Systems, Hatch Bank, luxury retailer Saks Fifth Avenue, the City of Toronto, and Crown Resorts.
  • Acer confirmed that attackers broke into one of its servers and stole 160GB of confidential data. The stolen data was put up for sale on dark web forums and includes 655 directories and 2,869 files related to presentations, staff technical manuals, product documents, Windows System Deployment Image, BIOS components, and ROMs.
  • The Hospital Clínic de Barcelona suffered an attack by the RansomHouse ransomware that disrupted its healthcare services. Meanwhile, Zoll Medical Corporation notified more than one million individuals of a healthcare data breach that affected their personal information. 
  • DeFi platform Euler Finance was hacked for $197 million worth of cryptocurrency assets. The attackers exploited a vulnerability in the platform's donation feature to drain legitimate user funds into an account they controlled.
  • Lionsgate Play streaming platform leaked nearly 37 million subscribers’ IP addresses and data due to an unprotected Elasticsearch database. The entries in the database were as old as May 2022 and also contained other information such as the platform’s usage data, search queries entered by users, and titles of URLs.
  • The Winter Vivern APT group was found exploiting a Zimbra flaw to gain access to the emails and sensitive information of NATO officials, government agencies, military personnel, and diplomats involved in the Russia-Ukraine war. The attacks are launched via phishing emails sent from a compromised address.
  • A hacker group that goes by the name Dark Angels stole 3TB of emails and corporate information from Brazilian multinational firm, Andrade Gutierrez. The stolen data belonged to over 10,000 employees and consisted of names, email addresses, passport details, tax ID numbers, and payment information. 
  • The official network portal of the City of Waynesboro, Virginia, was compromised by a BianLian ransomware attack. The attackers claimed to have exfiltrated 350GB of data from the network, including file server data and public relations documents. The exfiltrated data also included internal files and personal data of staff members. 
  • Australia's Latitude Financial updated its disclosure of a cyberattack earlier in the month: over 14 million customer records were stolen. While the investigation was still underway, the firm stated that the haul included 6.1 million records dating back to 2005.
  • Researchers discovered that a series of cyberespionage attacks launched by subgroups of Earth Preta APT affected over 200 organizations. Among the targets were educational institutions and financial services organizations, the maritime industry, the energy production industry, and ore and material refineries.
  • Around 500,000 individuals were impacted by a data breach at debt buyer NCB Management Services. The incident occurred after attackers gained unauthorized access to NCB’s systems and stole information such as names, addresses, phone numbers, email addresses, birth dates, and social security numbers of users.

New Threats

Moving on, Emotet malware made a comeback after a three-month hiatus, with its latest campaign using emails disguised as fake invoices. Meanwhile, hackers attempted to take over thousands of Facebook user accounts via two trojanized ChatGPT extensions for Chrome (there is no legitimate ChatGPT extension of that kind). Also, security experts spotted several new threats, namely dotRunpeX, Nexus, and Kritec, described as a .NET malware injector, an Android banking trojan, and a skimmer, respectively.

  • The GlobeImposter ransomware was being distributed by the same threat actors who are responsible for MedusaLocker, via exposed RDP endpoints. Once the attackers take over a system through RDP, the GlobeImposter operation moves on to internal reconnaissance and lateral movement.
  • After three months of inactivity, the Emotet trojan resumed its malspam campaign. Whereas earlier waves hijacked existing reply chains, the new phishing emails carry ZIP attachments posing as invoices. According to researchers, the operators are harvesting new credentials from address books to drive the campaign.
  • A new and sophisticated malware dubbed HiatusRAT, which targets business-grade routers, has emerged in the threat landscape. Threat actors compromise end-of-life DrayTek Vigor routers to deploy the malware along with a variant of tcpdump that enables packet capture. At least 100 devices were infected, predominantly in Europe and Latin America.
  • A new variant of Xenomorph Android banking trojan surfaced in the wild. The new version comes with features to perform financial fraud seamlessly. It is capable of targeting more than 400 banking and financial institutions, including several cryptocurrency wallets.
  • Two fake ChatGPT Chrome extensions were discovered, named Quick access to Chat GPT and Chat GPT for Google. Both targeted Facebook users, attempting to hijack their accounts and install backdoors that could give threat actors super-admin permissions to run paid ads, and stealing the cookies of active authenticated sessions.
  • Microsoft detailed a new phishing kit that has been used in several high-volume AiTM (adversary-in-the-middle) phishing attacks. Offered by a threat actor tracked as DEV-1101, the kit was first advertised on a cybercrime forum in May 2022. It includes a wide range of ready-made phishing pages that mimic services such as Microsoft Office and Outlook.
  • A new .NET malware injector, tracked as dotRunpeX, was found in the wild delivering a wide range of malware families. It rose to prominence between November 2022 and January 2023 and uses process hollowing to hide its presence during infection.
  • A new skimmer named Kritec was used in Magecart attacks against Magento stores. The malware masqueraded as a legitimate Google Tag Manager script to evade detection. Once executed, it exfiltrated stolen credit card details twice: once over a WebSocket and once via an HTTP POST request.
  • Several threat actors were observed using a new Android banking trojan, dubbed Nexus, to target 450 financial applications and commit fraud. Although still under development, the trojan already provides the main features needed for account takeover (ATO) attacks against banking portals and cryptocurrency services. It was advertised on hacking forums for a monthly fee of $3,000.
  • The threat group tracked as REF2924 was found deploying previously unseen malware in attacks against entities in South and Southeast Asia. The malware, dubbed NAPLISTENER, is an HTTP listener written in C# and designed to evade network-based detection.
  • A new variant of the BlackGuard stealer was spotted with added capabilities, including USB propagation, persistence mechanisms, and support for additional crypto wallets. Researchers warn that the developers are continuously improving the malware and that the new variant is already in wide use.
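The GlobeImposter item above describes the intrusion sequence a defender should be hunting for: a password-guessing burst against an exposed RDP endpoint, one successful interactive logon, then logons fanning out to other hosts. The following is an added example, not a Cyware or vendor tool, that implements that two-stage detection over Windows Security events in a simplified dictionary schema (the schema, the sample events, and the `HOST_IPS` asset mapping are assumptions of this example; event IDs and logon types are the standard Security log values):

```python
"""Detect an RDP brute-force takeover and the lateral fan-out that follows.

Added example for this newsletter; it is not a Cyware or vendor tool. Records use
a simplified dict schema (an assumption): `host` is the computer that logged the
event, `src_ip` its IpAddress field. Event IDs / logon types are the standard
Security log values (4625 failed logon, 4624 successful logon,
LogonType 10 = RDP, LogonType 3 = network).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Six password failures from one internet address, then a successful RDP logon.
    {"time": "2023-03-12T02:14:01", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:14:09", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:14:18", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:14:27", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:14:36", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:14:45", "host": "FS01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2023-03-12T02:15:10", "host": "FS01", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    # A user mistyping a password once is not an attack.
    {"time": "2023-03-12T08:02:00", "host": "WS03", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.41"},
    {"time": "2023-03-12T08:02:20", "host": "WS03", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.41"},
    # Network logons fanning out from FS01 (10.0.0.5) minutes after the takeover.
    {"time": "2023-03-12T02:20:02", "host": "DC01", "event_id": 4624, "logon_type": 3, "user": "administrator", "src_ip": "10.0.0.5"},
    {"time": "2023-03-12T02:21:15", "host": "FS02", "event_id": 4624, "logon_type": 3, "user": "administrator", "src_ip": "10.0.0.5"},
    {"time": "2023-03-12T02:23:40", "host": "WS07", "event_id": 4624, "logon_type": 3, "user": "administrator", "src_ip": "10.0.0.5"},
    # A normal single network logon from another workstation.
    {"time": "2023-03-12T09:00:00", "host": "DC01", "event_id": 4624, "logon_type": 3, "user": "jsmith", "src_ip": "10.0.0.41"},
]
# Asset mapping used to pivot from a compromised host to its own address
# (constructed; in practice join against inventory or DHCP logs).
HOST_IPS = {"FS01": "10.0.0.5"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_rdp_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=15)):
    """Flag a source IP that fails at least `threshold` logons against a host and
    then succeeds over RDP (4624, LogonType 10) within `window`."""
    failures = defaultdict(list)            # (src_ip, host) -> failure timestamps
    alerts = []
    for e in sorted(events, key=_ts):
        key, t = (e["src_ip"], e["host"]), _ts(e)
        if e["event_id"] == 4625:
            failures[key].append(t)
        elif e["event_id"] == 4624 and e["logon_type"] == 10:
            recent = [ft for ft in failures[key] if t - ft <= window]
            if len(recent) >= threshold:
                alerts.append({"src_ip": e["src_ip"], "host": e["host"], "user": e["user"],
                               "failures": len(recent), "at": e["time"]})
            failures[key].clear()           # a success ends the burst
    return alerts


def detect_lateral_fanout(events, src_ip, after, min_hosts=3, window=timedelta(minutes=30)):
    """Hosts that received network or RDP logons (4624, LogonType 3 or 10) from
    `src_ip` within `window` after the takeover; reported only when the count
    reaches `min_hosts`, the fan-out typical of internal reconnaissance."""
    start = datetime.fromisoformat(after)
    hosts = set()
    for e in events:
        if (e["event_id"] == 4624 and e["logon_type"] in (3, 10)
                and e["src_ip"] == src_ip and start <= _ts(e) <= start + window):
            hosts.add(e["host"])
    return sorted(hosts) if len(hosts) >= min_hosts else []


def run(events=SAMPLE_EVENTS):
    """Chain the detectors: every RDP takeover seeds a lateral-movement check."""
    report = []
    for alert in detect_rdp_bruteforce_then_success(events):
        pivot_ip = HOST_IPS.get(alert["host"], "")
        alert["lateral_targets"] = detect_lateral_fanout(events, pivot_ip, alert["at"])
        report.append(alert)
    return report


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The single failed logon followed by success on WS03 stays below the threshold, which is the point of keying failures per (source, host) and resetting on success: a lone typo should not page anyone, a burst from an internet address should. Tune `threshold` and `window` to the noise level of your own RDP gateways, and treat a hit from a routable source address as a reason to remove the exposed endpoint, not only to investigate the host.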
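For the AiTM phishing kit item, the check a defender wants is on the identity-provider side: an AiTM proxy relays the whole login, so the sign-in arrives from the proxy's address and the stolen session cookie is replayed later from attacker tooling. The following is an added example, not part of the newsletter or of Microsoft's research, that scores post-sign-in sessions for that replay pattern over constructed sign-in and activity records (the record schema, the `HOSTING_RANGES` list, the `RISKY_ACTIONS` set and the weights are all assumptions of this example):

```python
"""Score post-MFA sessions for the token-replay pattern left by AiTM phishing.

Added example; not part of the newsletter, Microsoft's research, or any IdP's
product. The record schema is an assumption loosely modelled on cloud identity
provider sign-in and audit logs. Neither an IP change nor a user-agent change is
conclusive on its own (mobile carriers, VPNs), so indicators are weighted and
only sessions above a threshold are alerted.
"""
import ipaddress
from datetime import datetime, timedelta

UA_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/111"
UA_WIN_EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/111"

# Constructed sign-in records (one per interactive, MFA-satisfied sign-in).
SIGN_INS = [
    {"time": "2023-03-20T09:01:00", "user": "alice@example.com", "session": "s-1001", "ip": "198.51.100.23", "ua": UA_WIN_CHROME},
    # Bob's sign-in came through a phishing proxy hosted on a VPS range.
    {"time": "2023-03-20T09:05:00", "user": "bob@example.com", "session": "s-1002", "ip": "203.0.113.50", "ua": UA_WIN_EDGE},
    # Carol signs in at home and later works from the office egress address.
    {"time": "2023-03-20T09:30:00", "user": "carol@example.com", "session": "s-1003", "ip": "198.51.100.77", "ua": UA_WIN_CHROME},
]
# Constructed activity records keyed by session id.
ACTIVITY = [
    {"time": "2023-03-20T09:03:00", "session": "s-1001", "ip": "198.51.100.23", "ua": UA_WIN_CHROME, "action": "MailRead"},
    {"time": "2023-03-20T09:09:00", "session": "s-1002", "ip": "203.0.113.88", "ua": "python-requests/2.28", "action": "MailboxRuleCreate"},
    {"time": "2023-03-20T09:10:00", "session": "s-1002", "ip": "203.0.113.88", "ua": "python-requests/2.28", "action": "MailRead"},
    {"time": "2023-03-20T10:15:00", "session": "s-1003", "ip": "192.0.2.10", "ua": UA_WIN_CHROME, "action": "MailRead"},
]
# Constructed "known hosting/VPS" list; a real deployment would use ASN data.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Actions attackers take right after a takeover (persistence, BEC staging).
RISKY_ACTIONS = {"MailboxRuleCreate", "OAuthConsentGrant", "MfaMethodAdd"}


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def _add(finding, reason, points):
    """Record a reason once per session and add its weight."""
    if reason not in finding["reasons"]:
        finding["reasons"].append(reason)
        finding["score"] += points


def score_sessions(sign_ins, activity, window=timedelta(hours=8)):
    """Return {session_id: {"user", "score", "reasons"}} for every sign-in."""
    by_session = {s["session"]: s for s in sign_ins}
    findings = {s["session"]: {"user": s["user"], "score": 0, "reasons": []} for s in sign_ins}
    for s in sign_ins:
        if in_hosting_range(s["ip"]):
            _add(findings[s["session"]], "sign-in from hosting/VPS range (possible proxy)", 1)
    for a in sorted(activity, key=lambda r: r["time"]):
        s = by_session.get(a["session"])
        if s is None:
            continue
        t0 = datetime.fromisoformat(s["time"])
        t = datetime.fromisoformat(a["time"])
        if not t0 <= t <= t0 + window:
            continue
        f = findings[a["session"]]
        if a["ip"] != s["ip"]:
            _add(f, "ip changed after sign-in", 2)
        if a["ua"] != s["ua"]:
            _add(f, "user-agent changed after sign-in", 1)
        if a["action"] in RISKY_ACTIONS:
            _add(f, "risky action " + a["action"], 1)
    return findings


def alerts(sign_ins=SIGN_INS, activity=ACTIVITY, threshold=3):
    """Session ids whose score reaches the alert threshold."""
    return sorted(sid for sid, f in score_sessions(sign_ins, activity).items()
                  if f["score"] >= threshold)


if __name__ == "__main__":
    for sid, f in score_sessions(SIGN_INS, ACTIVITY).items():
        print(sid, f)
    print("alert:", alerts())
```

Carol's session changes address but nothing else and stays under the threshold, while Bob's collects the proxy-range sign-in, the address and client change, and a mailbox-rule creation. The caveat that matters most: one-time codes and push approvals are relayed by the proxy exactly like the password, so this kind of detection is a backstop; only origin-bound authenticators (FIDO2/WebAuthn or certificate-based sign-in) stop the kit from obtaining a usable session in the first place.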
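The Kritec item notes that stolen card data left the page over both a WebSocket and an HTTP POST. The browser-side control that governs both channels is a Content-Security-Policy `connect-src` directive. The following is an added example, not from the newsletter, Magento, or any skimmer research, that implements a simplified CSP source-expression matcher and evaluates constructed exfiltration URLs against a policy that only restricts scripts and one that also restricts connections (the `shop.example` origin, both policies, and the URLs are assumptions of this example):

```python
"""Evaluate outbound connections from a checkout page against a CSP.

Added example; not from the newsletter or any real store. The matcher implements
a simplified subset of CSP source expressions ('none', 'self', '*', a bare
scheme such as wss:, and [scheme://]host with a leading *. wildcard); ports,
paths, nonces and hashes are ignored.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://shop.example"          # assumed checkout origin

# Weak: scripts are restricted but nothing limits where the page may send data.
WEAK_CSP = "script-src 'self' https://www.googletagmanager.com"
# Hardened: fetch/XHR/WebSocket targets are explicitly allow-listed.
HARDENED_CSP = ("default-src 'self'; "
                "script-src 'self' https://www.googletagmanager.com; "
                "connect-src 'self' https://www.google-analytics.com")

# Constructed skimmer endpoints: one WebSocket, one plain POST target.
EXFIL_URLS = ["wss://stats.skimmer.invalid/sock", "https://stats.skimmer.invalid/collect"]


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]} (lower-cased)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _host_matches(pattern, hostname):
    """Exact host, or '*.example' matching any subdomain (not the apex itself)."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])
    return hostname == pattern


def _source_matches(expr, url, page_origin):
    u, page = urlsplit(url), urlsplit(page_origin)
    # A host-source without a scheme matches the page scheme and its secure upgrades.
    secure = {"https", "wss"} if page.scheme == "https" else {"http", "https", "ws", "wss"}
    if expr == "'none'":
        return False
    if expr == "'self'":
        return u.hostname == page.hostname and u.scheme in (secure | {page.scheme})
    if expr == "*":
        return True
    if expr.endswith(":") and "//" not in expr:     # scheme-source, e.g. wss:
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")
    scheme_ok = (u.scheme == scheme) if scheme else (u.scheme in secure)
    return scheme_ok and _host_matches(host, u.hostname or "")


def allowed(url, csp_header, page_origin=PAGE_ORIGIN):
    """Would the browser let a fetch/XHR/WebSocket to `url` proceed under this policy?"""
    policy = parse_csp(csp_header)
    sources = policy.get("connect-src", policy.get("default-src"))
    if sources is None:
        return True          # no governing directive: any destination is allowed
    return any(_source_matches(s, url, page_origin) for s in sources)


def check(csp_header, urls=EXFIL_URLS):
    """Map each candidate exfiltration URL to whether the policy permits it."""
    return {u: allowed(u, csp_header) for u in urls}


if __name__ == "__main__":
    print("weak:", check(WEAK_CSP))
    print("hardened:", check(HARDENED_CSP))
```

Under the weak policy both skimmer channels are permitted; under the hardened one both are blocked while the allow-listed analytics endpoint and same-origin WebSockets still work. Two caveats before relying on this: roll the policy out in report-only mode first, because checkout pages tend to talk to more third parties than anyone remembers; and note that allow-listing a tag manager in `script-src` is itself a trust decision, since a skimmer that impersonates (or is injected through) an allowed tag host still executes, which is exactly why `connect-src` is the directive that matters for exfiltration.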

Tags

goanywhere mft
emotet
blackguard
dark angels
euler finance
earth preta
3cx
aitm phishing attack
dotrunpex
kritec
lionsgate play
hiatusrat
naplistener malware
chatgpt chrome extension
untitled goose tool
national cybersecurity strategy
latitude financial
winter vivern apt group
nexus malware

Posted on: April 05, 2023

