Cyware Monthly Threat Intelligence, November 2023

The Good

• The CISA released its first-ever Secure by Design alert to raise awareness of malicious cyber activities against web management interfaces. The document recommends organizations implement security best practices, eliminate classes of vulnerabilities arising from software design, and align their work to Secure by Design principles to prevent the exploitation of vulnerabilities in their web management interfaces. As part of the recommendations, software manufacturers should identify common patterns in design and configuration that lead to compromised systems
• The U.S. Navy released its first cyber strategy as part of an effort to revamp the security posture across its services. Touted to be a more detailed version of the two-page Navy Cyberspace Superiority Vision, the strategy will focus on multiple areas. These include securing critical infrastructure and weapon systems, improving and supporting the cyber workforce, conducting cyber operations, and defending enterprise, IT, data, and networks against threats while bolstering collaboration and cooperation with allies and partners.
• The DHS and the CISA released the first Roadmap to AI to ensure the secure development and implementation of AI capabilities across public and private organizations. As part of the effort, the roadmap outlines five strategies to help organizations build a resilient digital ecosystem while leveraging AI tools. These include using AI responsibly to support CISA’s mission, assessing and assuring AI systems, protecting critical infrastructure from malicious AI use, collaborating on key AI efforts, and expanding AI expertise in the workforce.     
• The DHS, along with the CISA and the FEMA, launched a new project named Shields Ready to bolster the security of critical infrastructure. This initiative, complementing Shields Up, addresses cyber threats, physical security risks, and natural disasters. It encourages organizations to enhance resilience by identifying critical assets, assessing risks, and improving incident response plans. The CISA provides resources, including cybersecurity guidance and operational resilience evaluations, to support preparedness efforts.
• The FBI dismantled the IPStorm botnet proxy network and its infrastructure after the hacker behind the operation pleaded guilty. The botnet was taken down along with its 23,000 proxies from all over the world. The convict allegedly sold illegitimate access to the infected devices and made a profit of at least $550,000. In a similar move, the Ransomed.vc gang claimed to shut down its operations after six of its affiliate members were arrested.

The Bad

• The infamous PLAY ransomware group extended its list of victims by adding 17 new names of companies based in the U.S., the U.K, the Netherlands, and Canada. Some of the impacted organizations were Single Point Outsourcing, Thillens, Elston Nationwide, American Insulated Glass, Moore Co., Continental Shipping Line, Sparex, Retailer Web Services, Byfod, SurvTech Solutions, EDGE Realty Partners, Noble Mountain Tree Farm, Unitransfer, SC Hydraulic Engineering, Labtopia, OLA Consulting Engineers, and Canderel Management. 
• Holding Slovenske Elektrarne, Slovenia's largest power generation company, experienced a ransomware attack that encrypted its files, however, did not disrupt power production. The attack reportedly occurred last Wednesday, with containment achieved by Friday. While no ransom demand has been received, unofficial information suggests the involvement of the Rhysida ransomware gang; the group is known for targeting high-profile organizations.
• The Qilin ransomware group claimed responsibility for a recent cyberattack on Yanfeng Automotive Interiors, one of the world's largest automotive parts suppliers. The attack reportedly disrupted production at Stellantis' North American plants. The ransomware gang has threatened to release stolen data, including financial documents and internal reports, in the coming days. Yanfeng's website was inaccessible during the incident.
• The LockBit ransomware group leaked over 43GB of data stolen from Boeing after the latter refused to pay the ransom. Most of the data listed on the leak site was backup data for various systems, the most recent of which dated back to October 22. The data included configuration backups, audit logs for IT management software, and logs for monitoring and auditing tools. Citrix backups were also listed in the leaked data. 
• Denmark’s CSIRT disclosed that Russian GRU exploited zero-day vulnerabilities in Zyxel firewalls to coordinate attacks on 22 energy companies in Denmark. The first wave of attacks was launched on May 11 and the second wave on May 22. The flaw in question was CVE-2023-28771 and affected Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73. 
• Over 20GB of data stolen from Plume, a smart Wi-Fi service provider, was dumped by a threat actor on the BreachForums marketplace. The stolen database contains over 15 million lines of information, including email addresses, full names, and device details of users. A majority of the leaked email addresses were associated with the @plume.com and @plumewifi.com domains. 
• Dolly[.]com, an on-demand moving and delivery service provider, had its stolen data leaked despite making a partial ransom payment. The attackers posted the details on a Russian-language forum and included high-level account login details, credit card information, full names, email addresses, and home addresses of customers. Besides these, 95 AWS S3 bucket names belonging to the company, including backups, were attached to the post. 
• A Monero Project maintainer revealed that one of its wallets was hacked on September 01 to drain around $437,000 in Monero cryptocurrency. The funds were drained in nine separate transactions that took place in a couple of minutes. While the team is trying to determine the initial access vector of the attack, it claims that none of the project’s other wallets were affected. 
• A threat actor named USDoD leaked a scraped LinkedIn database, holding the personal information of over 35 million users. The data was dumped on the BreachForums cybercrime marketplace. The leaked data primarily includes full names, email addresses, and profile bios of users, with some screenshots showing that many of these email addresses belong to various government agencies worldwide. 
• Cook County Health, a healthcare provider in Chicago, notified that the personal information of around 1.2 million patients was compromised following an attack at its third-party vendor, Perry Johnson & Associates. The data includes names, birthdates, addresses, medical information, and dates and times of service of patients. 
• Auto parts giant AutoZone disclosed that the data of around 184,995 people was affected in the Cl0p MOVEit file transfer attacks that occurred earlier this year. It took the company three more months to determine what data the intruders had stolen from its systems. Furthermore, the listing on the Office of the Maine Attorney mentioned full names and Social Security numbers were among the breached data.
• The LockBit ransomware group claimed responsibility for the attack on two Canadian government contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services. The incident allegedly exposed 1.5TB of sensitive information of an undisclosed number of government employees. Data of current and former Government of Canada employees, Canadian Armed Forces members, and Royal Canadian Mounted Police personnel was compromised in the breach.

New Threats

• Zimperium researchers discovered more than 200 malicious apps as part of an Android malware campaign that has been active since July. Earlier, the campaign leveraged 40 credential-harvesting banking apps to target customers of Bank Mellat, Bank Saderat, Resalat Bank, and Central Bank of Iran. The campaign later evolved to mimic a broader set of banks and cryptocurrency firms to steal login credentials and credit card details from victims.
• Cisco discovered a new variant of Gh0st RAT, dubbed SugarGh0st, targeting the Uzbekistan Ministry of Foreign Affairs and users in South Korea. The campaign leveraged a Windows Shortcut file to deliver the components that dropped the payload. Compiled in C++, the variant is designed to steal system information such as computer names, OS versions, and drive information. 
• Threat actors were found actively exploiting a critical security flaw in Apache ActiveMQ to distribute a new Go-based botnet called GoTitan and a .NET program known as PrCtrl Rat on victims’ systems. While GoTitan is designed for orchestrating DDoS attacks via HTTP, UDP, TCP, and TLS protocols, PrCtrl Rat can remotely commandeer the infected hosts.
• Researchers at Eurecom developed six new attacks, collectively named BLUFFS, which can allow for device impersonation and MitM attacks. The attacks exploit two previously unknown flaws in Bluetooth related to how session keys are derived to decrypt data in exchange. The issues are tracked under the identifier CVE-2023-24023 and impact Bluetooth Core Specification 4.2 through 5.4.  
• A new variant of DJvu ransomware called Xaro was observed leveraging a malware loader delivered via cracked software for propagation. According to researchers at Cybereason, the new variant is being deployed alongside various commodity loaders and info-stealers to infect systems. The infection begins with the user downloading the archive file install.7z from an untrusted source masquerading as a site that distributes legitimate freeware.
• A new Android malware named FjordPhantom has been found leveraging emails, SMS, and messaging services to infect banking users in Indonesia, Thailand, Vietnam, Singapore, and Malaysia. The malware incorporates a virtualization solution to run malicious code in a container to evade detection. It is also capable of stealing online bank account credentials and manipulating transactions by performing on-device fraud. In one case, a customer was defrauded of $280,000.
• North Korea-based threat actors deployed two new malware families, BeaverTail and InvisibleFerret, in a couple of campaigns targeting job seekers. These malware are designed to perform data theft on Windows, Linux, and macOS systems. While InvisibleFerret is a Python-based backdoor malware, BeaverTail is distributed as JavaScript inside npm packages.
• DarkGate and Pikabot replaced the now-defunct QakBot trojan, indicating that threat actors use two malware loaders with features similar to Qbot to perform ransomware, espionage, and data theft attacks. Cofense researchers drew a conclusion based on the recent phishing campaigns using tactics and techniques similar to previous QBot campaigns. One of these campaigns was observed hijacking email threads in September. 
• Security researcher Tom Forbes from GitGuardian uncovered nearly 4,000 unique secrets inside nearly 3,000 PyPI packages, which attackers could abuse to gain unauthorized access, impersonate package maintainers, or manipulate users through social engineering tactics. Some of these secrets include AWS, Azure AD, GitHub, Dropbox, and Auth0 keys, credentials for MongoDB, MySQL, PostgreSQL, SSH, Coinbase, and Twilio Master. 
• According to a joint advisory from the CISA and the FBI, the Royal ransomware group rebranded itself to BlackSuit in an attempt to avoid detection and countermeasures by law enforcement and cybersecurity experts. This change is not just in name but also reflected in their modus operandi, which includes advanced encryption methods and sophisticated attack vectors.
• Checkmarx discovered a malicious campaign on PyPI distributing a new malware strain, BlazeStealer. Controlled via a Discord bot, the malware can be used to steal credentials from infected hosts, take screenshots via webcam, and even deploy additional malware. The malware is also capable of encrypting files, potentially for ransom. 
• A new macOS malware, named ObjCShellz, was attributed to the North Korean BlueNoroff APT group for targeting cryptocurrency users. The malware was believed to be used as part of another BlueNoroff’s cyberespionage campaign, named RustBucket, which was discovered earlier this year. It is written in Objective-C language and is used as a remote shell to execute commands sent from C2 servers controlled by attackers. 
• A newly identified malware dropper, dubbed SecuriDropper, was found using a session-based installer to bypass the ‘Restricted Settings’ feature in Android 13. It was used to install the SpyNote malware and Ermac banking trojan on compromised Android phones. According to researchers, the dropper camouflages itself as a legitimate application, spanning from social apps to productivity tools, to evade detection during the infection process.