Cyware Monthly Threat Intelligence, May 2022

The Good

• Researchers at the Chinese Academy of Sciences devised a tool called Coopers (referenced from Cooperative mutation technique) that identifies flaws in the fashion of how apps such as Microsoft Word and Adobe Acrobat process JavaScript. They reported 134 bugs in total. Cooper has three components: object clustering, relationship inference, and relationship-guided mutation.
• Singapore launched E-commerce Marketplace Transaction Safety Ratings, a scheme that assesses online marketplaces based on the type of anti-scam measures they take. It also set up the National Integrated Center for Evaluation (NICE) to evaluate and certify systems for cybersecurity strength. 
• The U.K government published the 2022 Civil Nuclear Cyber Security Strategy for the country’s civil nuclear sector that focuses on more testing, design-based security, enhanced resilience, and improved collaboration. The nuclear industry aims to achieve enhanced resilience by preparing better for and responding to incidents faster.
• The U.S. announced the launch of the Joint Ransomware Task Force, which will be headed by the CISA and the FBI. The main purpose of the task force is to disrupt ransomware activities and confiscate crypto assets routed through the blockchain. 
• The U.K NIST released updated cybersecurity guidance for managing risks by identifying, assessing, and responding to threats at different stages of the software supply chain. Last month, it also released updated guidance to cater to everyone—from small businesses to large enterprises—with tools to ensure appropriate cybersecurity measures for cloud-computing users.

The Bad

• The FBI found that hackers were increasingly targeting the higher education sector and now, more credentials are being offered on multiple public and dark web marketplaces. In its warning, it also claimed that some VPN and network access credentials are being sold for thousands of dollars.
• Pennsylvania-based Mercyhurst University was reportedly breached by the LockBit 2.0 gang. Chicago Public Schools disclosed a data breach that occurred due to a ransomware attack at a third-party vendor. An attack at Washington Local Schools rattled several of its online operations, including Google Classroom.
• A hacker demanded a reward of $250,000 in exchange for the data stolen from a database belonging to Verizon. The stolen data includes full names, corporate ID numbers, email addresses, and phone numbers of employees. 
• U.S. automobile giant General Motors confirmed a credential stuffing attack that occurred last month. As a result, the hackers were able to access customer information and redeem gift card reward points. The firm advised victims to review their credit reports and initiate a security freeze if they see some irregularities.
• The SafetyDetectives team discovered a misconfigured Elasticsearch server that leaked 147GB of data for millions of microloan applicants from Ukraine, Kazakhstan, and Russia. Researchers attribute the ownership of the server to a Russian entity.
• A server at Nikkei Group Asia, an overseas subsidiary of Nikkei Inc. based in Singapore, was compromised in a ransomware attack. Unauthorized access to the server was first detected and reported on May 13. The server supposedly stored some customer data; however, the exact impact of the attack is yet to be determined. 
• The new Costa Rican President announced that the country was at war with the Conti cybercriminal group. Officials had reportedly denied paying the $20 million ransom to the group. Meanwhile, Conti threatened to topple the government with cyberattacks. However, it was reported that the group split into smaller groups and that its infrastructure no longer exists.
• Lincoln College closed amid efforts to recover from a ransomware attack coupled with pandemic-related economic challenges. The 150-year-old college was hit by ransomware on December 19 and this affected its IT systems from recruitment, retention, and fundraising departments. The system outage lasted for one and a half months.
• The Washington University School of Medicine, Toronto-based Scarborough Health Network (SHN), and Oklahoma City Indian Clinic (OKCIC) disclosed disparate breach incidents impacting the PII and medical records of thousands of individuals in total.
• A hacker group infiltrated the networks of the wedding planning website Zola through a credential stuffing attack to access the user accounts. They attempted to initiate fraudulent cash transfers. A Reddit user claimed that cracked Zola accounts were being resold or used to buy gift vouchers.
• An alleged data leak exposed the information of 22.5 million Malaysians born between 1940 and 2004. The database—160GB in size—was seemingly stolen from the National Registration Department (NRD) and put up for sale on the dark web for $10,000. However, Malaysia's Home Minister claimed that NRD isn’t related to the alleged data breach.
• Rari Capital and Fei Protocol suffered a major loss after threat actors stole more than $80 million from both platforms. The hackers exploited a reentrancy vulnerability in Rari’s Fuse lending protocol to hack the platforms. Rari Capital acknowledged the hack, adding that borrowing was paused globally and no further funds were at risk.
• The Bank of Zambia experienced a ransomware attack by the Hive group that disrupted some of its operations. Officials have urged businesses in the financial sector to stay alert as the incident might impact them. Also, the bank reportedly refused to pay the ransom.
• Microsoft revealed that it discovered over 35 unique ransomware families and 250 unique threat actors last year. Most of these ransomware leveraged Cobalt Strike and several legitimate enterprise tools (AnyDesk, Splashtop, and Teamviewer) to gain initial access and persistence on networks. Upon gaining access, most of the attackers create new backdoor user accounts to proceed with the infection chain process. 
• A misconfigured database laid bare around 10GB of data comprising 21 million unique records in a Telegram group. The unprotected database contained the personal data of VPN users from SuperVPN, GeckoVPN, and ChatVPN. Another unprotected ElasticSearch server exposed around 5.8GB of financial information about loans from Indian and African financial services.

New Threats

• Trend Micro reported multiple deployments of a new ransomware family, dubbed Cheerscrypt. It was found targeting one of its customer’s ESXi servers that manage VMware files. The malware family employs the double extortion scheme to extort victims. Previously, other ransomware actors, including LockBit, Hive, and RansomEXX, have targeted a similar environment.
• Red Canary researchers noted a surge in the ChromeLoader malware that uses a malicious ISO archive file to infect its victims. It comes packaged as cracked executables for games or commercial software. In fact, researchers also witnessed instances wherein hackers promoted cracked Android games and offered QR codes on Twitter, which lead to the malware-hosting sites.
• A new password-stealing malware builder is being sold on the Discord platform by a user named ‘Portu’. Security experts observed the first Portu-inspired malware sample, dubbed KurayStealer, in the wild. It is being used to target Discord users. Besides, it makes use of webhooks to steal passwords, tokens, and IP addresses from 18 other apps.
• A researcher from Microsoft Security Response Center and an independent researcher warned that cybercriminals are abusing vulnerabilities that were already fixed for platforms like Instagram, LinkedIn, Zoom, WordPress, and Dropbox. These bugs can be exploited to hijack the online accounts of users even before they create or register them.
• A security researcher uncovered a method to exploit a recently patched deserialization flaw in Microsoft SharePoint to conduct Remote Code Execution (RCE) attacks. Microsoft patched the flaw, identified as CVE-2022-29108, in May’s Patch Tuesday updates. The researcher found that another bug in Microsoft SharePoint Server, tracked as CVE-2022-22005, could be used to trigger the same attack.
• Google's TAG reported that a threat actor is developing exploits for five zero-days; four in Chrome and one in Android, to infect Android users. The adversary, as believed to be the case, is packaging and selling the exploits to different government-backed criminal groups across multiple countries. Those groups were spotted weaponizing the bugs in at least three different campaigns.
• VMware alerted organizations about two critical bugs, tracked as CVE-2022-22954 (an RCE flaw) and CVE-2022-22960 (a privilege escalation flaw), that are allegedly under active exploitation by APT actors. They affect VMware Workspace ONE Access, vRealize Automation, and Identity Manager. The CISA also urged federal agencies to patch the flaws.
• ShadowServer Foundation identified 381,645 Kubernetes API servers with “unnecessarily exposed attack surface” located across the U.S., Southeast Asia, Western Europe, and Australia. A vast majority of the exposed instances are running versions 1.17 through 1.22 on Linux/amd64 accounts.
• A new Linux malware, dubbed BPFdoor, was identified targeting Linux and Solaris systems. The malware can bypass firewalls, making it an ideal tool for corporate espionage and persistent attacks. It uses a Berkeley Packet Filter sniffer to parse ICMP, UDP, and TCP packets. Researchers have detected BPFdoor activity on networks of organizations in the U.S., South Korea, Hong Kong, Turkey, India, Vietnam, and Myanmar.
• A new cybercrime service, named Eternity Project, emerged on Telegram and dark web marketplaces. The malware toolkit offers a variety of malware such as an info-stealer, a coinminer, a clipper, ransomware, a worm, and a DDoS-based bot. According to researchers, low-skilled threat actors can leverage the service to build their own malware.
• New research reveals that the Bitter APT group added a new malware to target government organizations in Bangladesh. The campaign has been active since August 2021 and leverages spoofed email addresses to trick victims. The phishing emails appear to come from government organizations in Pakistan.
• A new credit card stealing service, called Caramel, was spotted growing in popularity. Operated by a Russian cybercrime organization named ‘CaramelCorp,’ the skimmer-as-a-service can allow any low-skilled threat actor to get started with financial fraud. The skimmer service is capable of stealing credit card details and sending them back to remote servers to be collected by threat actors.
• Researchers released details of an Apple Silicon vulnerability called Augury. It exists in Apple’s implementation of the Data-Memory Dependent Prefetcher (DMP). The microarchitectural flaw affects the M1, M1 Max, and A14 Bionic chips from Apple.
• A new APT group, tracked as UNC3524, was found using IP cameras to deploy backdoors and steal Microsoft Exchange emails. The APT group primarily targets employees that focus on corporate development, mergers, and acquisitions, and large corporate transactions. It also uses a backdoor, tracked as QUIETEXIT, that borrows code from the open-source Dropbear SSH client-server software to maintain persistence on infected networks.