Cyware Monthly Threat Intelligence, October 2023

The Good

• The U.S. and the UAE signed a memorandum to work closely to improve the security of critical infrastructure in the financial sector. The MoU emphasizes increased information sharing about digital threats, more staff training, and conducting cross-border cybersecurity exercises. This new partnership is part of the U.S. Treasury Department’s continued effort to improve cybersecurity outcomes across the financial service sector. 
• Singapore's Infocomm Media Development Authority and the U.S. Federal Communications Commission (FCC) signed a memorandum to work together to combat online scams. As part of the effort, the two government agencies will be involved in exchanging information and working with other regulators to deal with scams originating from messages and calls.
• The HHS Office of Civil Rights (OCR) unveiled two resource documents to educate patients about the privacy and security risks of their PHIs when using telehealth services. These resources offer tips on basic cybersecurity hygienes such as employing strong and unique passwords, enabling lock screen functions to protect stored health information, activating MFA on accounts, and avoiding public WiFi networks at public charging stations.
• The Transportation Security Administration (TSA) announced updates to three security directives regulating passenger and freight railroad carriers in the continued effort to strengthen the industry’s defenses against cyberattacks. The revised directive required owners and operators to submit an annual Cybersecurity Assessment Plan to TSA, test two objectives in their Cybersecurity Incident Response Plan, and provide cybersecurity training to employees.

The Bad

• The LockBit ransomware group added aerospace giant Boeing to its list of victims and claimed to have stolen a significant amount of sensitive data from the company. The group threatens to publish the data unless Boeing contacts it before the specified deadline. LockBit reportedly demanded an $80 million ransom, however, it claimed that the company only offered $1 million.
• Stanford University was struck with a ransomware attack claimed by Akira that allegedly exfiltrated 430GB of data. The university stated that, to date, there is no evidence that the breach extended to other parts of the institution or affected emergency police response.
• In an update to the August cyberattack, the University of Michigan informed that threat actors stole sensitive personal information belonging to around 230,000 students, applicants, employees, and others. They had access to the university’s systems from August 23–27, even after the campus network was disconnected from the internet.
• French professional basketball team LDLC ASVEL confirmed a data breach after the NoEscape ransomware gang claimed to steal 32GB of data from the club. The stolen data included the personal information of players, passports, and ID cards, and many documents related to finance, taxation, and legal matters. 
• An unsecured 7TB database belonging to Indian diagnostic service provider Redcliffe Labs exposed over 12 million healthcare records. These included medical scans, test results, internal business documents, mobile application details, and patient information. 
• A threat actor, who goes by the name ‘Sheriff’, claimed to sell 1.2 million Airbnb user records on the dark web. The records included sensitive details such as users’ names, email addresses, countries of residence, and cities. Meanwhile, the firm has not confirmed the claim. 
• The DNA testing company 23andMe suffered the leak of its customers’ data on popular hacking forums. The database contains 20 million pieces of data, which also includes users’ personal information such as names, addresses, phone numbers, and dates of birth. Two weeks later, a threat actor going by the name ‘Golem’ leaked an additional 4.1 million genetic data profiles on a hacking forum.
• The ALPHV ransomware group claimed attacks on QSI Inc., a prominent ITM and ATM solutions provider. It stole 5TB of data, including financial and work-related information, from the firm. Moreover, the attackers listed the names of 10 banks, associated with QSI Inc., which were impacted by the attack. Meanwhile, the firm did not confirm the cyberattack.
• CERT-UA revealed that a threat group tracked as UAC-0165 targeted at least 11 telecommunication service providers in Ukraine between May and September. These attacks were launched via exposed RDP or SSH interfaces and used two specialized programs called POEMGATE and POSEIDON to steal credentials and gain remote control of the infected hosts.  
• Taiwanese manufacturer D-Link confirmed a data breach after a threat actor offered 1.2GB of stolen data for sale on the BreachForums platform. The threat actors allegedly stole three million lines of individual information and the source code for D-Link’s D-View network management software. Other data stolen included information for many Taiwanese government officials, as well as the CEOs and employees of the company. 
• The PLAY ransomware group added thirteen organizations to its list of victims in the gap of a week. The victims include Roof Management, Security Instrument Corp, Filtration Control Ltd, Cinépolis Cinemas, CHARMANT Group, Stavanger Municipality, Hughes Gill Cochrane Tinetti, Saltire Energy, Centek Industries, NachtExpress Austria, WCM Europe, Starr Finley, and a Missouri-based organization.
• A report on the global state of ICS security by BitSight revealed that nearly 100,000 ICSes are exposed on the public internet, allowing attackers to probe them for vulnerabilities and launch attacks against organizations. These exposed systems belong to Fortune 1000 companies located across 96 countries and include sensors, actuators, switches, and building management systems, among others.
• Misconfigured databases at B2B CRM provider Really Simply Systems exposed over three million records containing images, invoices, templates, and internal files of the firm. Among other documents, the database contained customers’ names, addresses, and CRM plan details.
• The BianLian extortion group claimed responsibility for attacks on Air Canada by sharing screenshots of the stolen data on its leak site. The group added that it stole 210GB of data, which includes details about the company's technical and security challenges, SQL backups, personal information of employees, information of vendors and suppliers, confidential documents, and archives from company databases.

New Threats

• A new cyberattack campaign was found distributing a novel malware loader, GHOSTPULSE, using deceptive MSIX Windows app package files disguised as popular software like Google Chrome and Microsoft Edge. MSIX, a legitimate Windows app format, is being misused by threat actors who have access to code signing certificates. Victims are enticed to download these malicious MSIX packages through compromised websites and SEO manipulation. Once executed, the campaign unfolds through multiple stages, delivering various payloads such as SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
• Over three dozen data-stealing packages designed to exfiltrate sensitive data from developers’ systems were discovered in the npm repository. Some of these packages leveraged a Discord webhook to exfiltrate sensitive data, while a few others were engineered to automatically download and execute a potentially malicious executable. 
• The Russian-aligned APT group Winter Vivern exploited a zero-day vulnerability (CVE-2023-5631) in Roundcube Webmail servers to compromise government systems across Europe remotely. As part of the campaign, the emails were sent from the address team.managment@outlook[.]com with the subject line ‘Get started in your Outlook’. These emails included a malicious SVG file that contained a base64-encoded payload.
• Three variants derived from the Mirai botnet, named hailBot, kiraiBot, and catDDoS, were spotted in the wild, targeting IoT devices. All these botnets are designed to launch a variety of DDoS attacks, including TCP flood attacks, UDP flood attacks, and ack_flood attacks. They are distributed via brute force attacks or by exploiting old vulnerabilities. 
• FortiGuard Labs uncovered a significant evolution in the IZ1H9 Mirai-based DDoS campaign, which involved the addition of 13 new exploit payloads. The exploits focus on targeting vulnerabilities in D-Link, Netis, Sunhillo SureLine, Geutebruck, Yealink Device Management, Zyxel, TP-Link Archer, Korenix JetWave, and TOTOLINK devices. A peak in the exploitation of these vulnerabilities was observed on September 6, with trigger counts reaching tens of thousands.
• A previously undocumented threat actor named Grayling was linked to several attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. Evidence revealed that the campaign was executed between February and May. The initial foothold to victim environments was achieved by exploiting public-facing infrastructures.
• Researchers shared details of a new fake browser update threat that used a new malware called ClearFake to deliver malicious payloads onto victims’ devices. The malware threat is similar to SocGholish and FakeSG campaigns that use social engineering tactics to trick users into installing a bogus web browser update. As part of the attack campaign, the attackers also use the watering hole technique to inject malicious JavaScript code into compromised WordPress sites. 
• BlackCat ransomware operators recently added a new utility tool, Munchkin, to circumvent VM security solutions while deploying their malware payloads. The utility tool is delivered as an ISO file that is loaded in a newly installed instance of Alpine OS. Upon execution, the ransomware changes the root password of the VM and subsequently downloads the malware binary named controller to pilfer sensitive data from victims’ systems. 
• Researchers discovered a new ExelaStealer malware that can steal sensitive data, such as passwords, credit card details, cookies, session data, and key logs, from Windows systems. Written in Python language, the malware is being advertised on hacker forums and Telegram channels.
• Microsoft shared details of a financially-motivated threat actor Octo Tempest whose campaigns became a growing concern for organizations across multiple industries. Notably, it became an affiliate of the BlackCat ransomware group a few months ago. The attackers leverage a wide range of social engineering tactics, including SMS phishing, and SIM swapping attacks, to gain control over a user’s phone number. Other tools used by the group include DBeaver, MongoDB Compass, Azure SQL Query Editor, and Cerebrata. 
• Iranian threat actor known as Tortoiseshell was associated with a new wave of watering hole attacks that deployed a malware dubbed IMAPLoader. Based on the .NET framework, IMAPLoader is a replacement for a previously used Python-based IMAP implant and can fingerprint victim systems using native Windows utilities. It also acts as a downloader for delivering other malicious payloads. 
• Researchers identified several malicious apps on the Google Play Store pushing FakeApp, Joker, and HiddenAds malware on infected devices. These apps tracked as Super Skyibydi Killer, Agent Shooter, Rainbow Stretch, Rubber Punch 3D, Eternal Maze, Jungle Jewels, Stellar Secrets, Fire Fruits, Cowboy’s Frontier, and Enchanted Elixir amassed over 2 million downloads.