Cyware Monthly Threat Intelligence, November 2022

The Good

• A team of scientists from Johns Hopkins University and NTT Research proposed a new approach to build One-Time Programs (OTPs) using commodity hardware found in mobile phones and cloud computing services. Such programs are purported to have multiple uses, including preventing brute-force attacks and strengthening various authentication methods.
• MITRE Engenuity’s Center for Threat-Informed Defense (CTID) released an updated version of the Attack Flow project, which would allow defenders to gain better visibility into a potential threat. The project will help security teams easily describe, display, and share sequences of adversary behavior.
• The FDA and MITRE released an updated version of the ‘Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.’ The playbook provides healthcare organizations with actionable strategies and resources to respond to cyber incidents while ensuring the security of medical devices.
• The CISA updated its Infrastructure Resilience Planning Framework (IRPF) with new tools and guidance to help state, local, tribal, and territorial (SLTT) entities counter evolving cyber threats. The framework was released last year and can be used by any organization to improve resilience planning.

The Bad

• Sports betting company DraftKings suffered a credential stuffing attack that led to a loss of up to $300,000. The firm claims that the hackers accessed their customers’ accounts by using login information that was compromised on other websites. It has urged users to enable 2FA to secure their accounts while assuring them to make up for the lost funds.
• File-sharing and synchronization service Dropbox disclosed a phishing attack that enabled a threat actor to compromise the GitHub account of one of its employees. The attacker gained access to private repositories that stored API keys and personal information of some of its employees. 
• In an update on its data breach disclosure, Australian private health insurance provider Medibank revealed that the personal information of more than 9.7 million Australians was stolen in a ransomware attack last month. A ransomware gang known as BlogXX took credit for the attack and demanded a $10 million ransom payment. The gang also leaked the stolen sensitive details.
• The LockBit ransomware group was found selling files stolen from German car parts giant Continental for $50 million. The hackers claim to have stolen a total of 40GB of files and screenshots. Cybercriminals further published the negotiation messages between them and the company’s representatives.
• A cybercrime group named Crimson Kingsnake emerged in a new BEC attack campaign targeting well-known international law firms. The targeted firms include Allen & Overy, Deloitte, Dentons, Herbert Smith Freehills, and Lindsay Hart, among others. The threat actors impersonate lawyers sending invoices for overdue payment of services.
• Ukrainian hacktivists claimed to breach the Central Bank of Russia, stealing around 2.6GB of files. The files contained details of the bank’s operations, its security policies, and the personal data of employees. Earlier this year, Anonymous published 35,000 pilfered documents from the bank.
• A wave of spear-phishing attacks orchestrated by the Mustang Panda APT was used to target government, academic, foundations, and research sectors around the world. The infection routines led to the distribution of several malware payloads, such as TONEINS, TONESHELL, and PUBLOAD. The ultimate goal of the attackers was to steal sensitive documents and information.
• A French-speaking cybercrime group tracked as OPERA1ER was spotted wreaking havoc worldwide for four years, between 2019 and 2021. It has been held responsible for 35 intrusions at different organizations across 15 countries, with most of the attacks targeting African banks. The group is suspected to have stolen more than $30 million.
• Iranian state-backed actors exploited the Log4Shell vulnerability in a VMware system to compromise a federal agency. They exploited the vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
• The Russian scooter-sharing service Whoosh confirmed a data breach that affected the data of 7.2 million customers. Reportedly, the data was found being sold on hacker forums along with other sensitive information such as promotion codes and payment card details.
• Group-IB researchers revealed a worldwide password-stealing campaign that resulted in the compromise of over 50 million passwords in the first seven months of the year. Around 34 Telegram groups were used by threat actors to infect over 890,000 devices. Each of these groups had as many as 200 active members and tricked victims by redirecting them to fake websites.
• Online gamers were the target of a massive phishing campaign that leveraged YouTube videos offering cracked software for popular games. This cracked software distributed info-stealing malware to steal passwords, cookies, autofill information from browsers, and cryptocurrency wallet information. 
• Security experts exposed a dataset that appears to contain data from nearly 500 million WhatsApp users from 84 countries. The data is being sold on cybercrime forums for prices ranging between $2000 to $7000. Threat actor claims that there are over 32 million US user records included in the dataset.

New Threats

• The China-based Cicada hacking group, aka APT10, was observed using a new version of the LODEINFO backdoor to infect Japanese organizations. The malware was distributed by abusing security software. It uses the XOR algorithm as part of its evasion techniques. The targeted entities include media groups, diplomatic agencies, and think tanks in Japan.
• A new clipboard stealer called Clipper, capable of imitating cryptocurrency wallet addresses, was sold at a price of $549 for a year. Researchers have spotted the use of the malware in the wild, with 55 attacks in a month. It is distributed via Smoke Loader and Raccon Stealer 2.0.
• Emotet botnet is back with a new phishing campaign that uses malicious Excel and Word documents. When users open these documents and enable macros, Emotet gets loaded into the memory.
• Zimperium researchers took a deep dive into Cloud9, a botnet that is delivered via a malicious Chrome extension spread via third-party websites. Once it infects users’ browsers, it can steal cookie files, keystrokes, and browser session data, and can also deploy other malware on the infected system. 
• An updated version of IceXLoader malware (version 3.3.3) compromised thousands of personal and enterprise Windows machines across the world. The malware variant is written in the Nim programming language and is sold for $118 on underground forums. 
• Trend Micro researchers found five banking malware families targeting customers of seven banks in India via phishing campaigns. The malware families—Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy—are being distributed via different phishing emails.   
• Previously unknown Chinese APT group Earth Longzhi was spotted targeting government, infrastructure, healthcare, defense, aviation, insurance, and urban development organizations in Ukraine, East Asia, and Southeast Asia with a custom Cobalt Strike loader called Symatic. Active since 2020, the attackers leverage spear-phishing emails to launch their attacks.
• Fortinet researchers found that a botnet called RapperBot has been repurposed to launch DDoS attacks. The botnet was first spotted in August and was used in brute-force attacks. According to the latest data, the botnet is being used to target gaming servers and is a continuation of similar attacks observed earlier this year.
• Several new versions of the LodaRAT malware were found to be deployed alongside RedLine and Neshta trojans in a series of attack campaigns. Significant upgrades include new functionality allowing proliferation via removable storage devices and a new string of encoding algorithms. The new implementations are likely to improve the speed of execution and evasion process.
• Palo Alto Networks’ Unit 42 researchers uncovered a new crypto miner for hire named Typhon Stealer. Shortly after, a new version of the malware was released. Both versions of the malware have the ability to steal crypto wallets, monitor keystrokes, and evade antivirus products. 
• North Korean hacking group Lazarus was caught using a new variant of the DTrack backdoor to target organizations in Europe and South America. The new variant conceals itself within legitimate-looking executable files to evade detection. Moreover, it uses three layers of encryption algorithms to make analysis difficult.
• A new attack method, dubbed PCspooF, affects Time-Triggered Ethernet (TTE), a networking technology used in safety-critical infrastructure. This attack is designed to break TTE's security guarantees and induce TTE devices to lose synchronization for up to a second, potentially causing the failure of time-sensitive systems powering spacecraft and aircraft.
• Google Cloud Threat Intelligence researchers found 34 cracked versions of Cobalt Strike in the wild. These versions contained 257 unique JAR files and Beacon components, which upon execution could log keystrokes, perform code execution, escalate privileges, and conduct port scanning, among other nefarious activities. 
• Two new RaaS families called Octocrypt and Alice were observed by the researchers. While Octocrypt is being offered at a price of $400 to target all Windows versions, Alice is being sold at $600, with fast encryption capabilities and compatibility with Asian/Arabic PCs. Additionally, a new ransomware named AXLocker was seen stealing Discord tokens from victims’ systems. 
• Cybercriminals were found using fake VPN apps to distribute the Bahamut spyware in a campaign that has been active since January. The campaign is conducted by a group of the same name and the main purpose is to extract sensitive user data from devices. So far, eight versions of these malicious apps have been discovered to be distributed via a VPN website.