Cyware Monthly Threat Intelligence, September 2023

The Good

• The CISA released new guidelines to help federal agencies combat DDoS attacks. Separately, the CISA launched a new initiative “K-12 Education Technology Secure by Design Pledge,” as part of its ongoing efforts to bolster cybersecurity in K-12 schools.
• The CISA released an Open Source Software (OSS) Security roadmap that aligns with the layouts of the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan. The roadmap will focus on four key goals to ensure collaboration between the CISA, federal agencies, and OSS consumers and communities for the security of OSS infrastructure.
• The NIST announced the release of a special publication for a Zero-Trust Architecture model for federal organizations to assist them in having control over cloud-native applications in multi-location environments. This guidance recommends the formulation of network-tier and identity-tier policies, along with the configuration of technology components that enable the deployment and enforcement of these policies. 
• The DHS released its new IT strategic plan for fiscal years 2024 through 2028, which prioritizes including the DHS IT academy to upskill its workforce on cybersecurity, among other training. The plan also lays out its objective of retiring legacy systems and building modern, effective, and secure software across the department.
• Australia is in the process of building six cyber shields to defend its organizations and people against cyber threats. Slated to come into force by 2030, the six shields include educating people about cybersecurity, building digital products with minimum cybersecurity standards, threat intelligence sharing, limiting access to critical infrastructure, building cybersecurity skills, and increasing engagement with other countries to improve cybersecurity.

The Bad

• The infamous ALPHV ransomware group added three new organizations to its list of victims. These include Clarion, Phil-Data Business Systems Inc., and MNGI Digestive Health. While the information stolen from the firms is not clear, BlackCat gave MNGI a 48-hour deadline to contact them before it made the stolen data public.
• The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, Canada, announced that it was impacted by the recent Clop ransomware-led MOVEit hacking spree. The investigation revealed that the threat actors copied files containing sensitive information of approximately 3.4 million people.
• Hackers stole more than $200 million in assets from the centralized database of Mixin Network, a peer-to-peer transactional network for digital assets located in Hong Kong, forcing it to halt operations. The attack occurred on September 23 and is believed to be the work of Lazarus. The hackers are thought to have stolen at least $93.5 million in Ethereum and more than $23.5 million in Tether, according to cryptocurrency dealers.
• Researchers from Sophos revealed that over $1 million was stolen in a pig-butchering cryptocurrency scam in just three months. The attackers used fake trading pools on DeFi trading applications to make profits by trading from one cryptocurrency to another. A total of 14 domains and dozens of nearly identical fraud sites were used as part of the attack.
• The Canadian Nurses Association (CNA) confirmed a data theft incident from earlier this year. Two different ransomware groups—Snatch and Nokoyawa—took credit for the attack, with Snatch leaking 37GB of data stolen from CNA. The group further mentioned that it did not use ransomware during its attack on CNA.  
• North Korea’s Lazarus group stole at least $55 million in ETH, TRON, and Polygon coins by hacking the CoinEx cryptocurrency exchange. The attackers pilfered the digital assets from several hot wallet addresses associated with the platform. The affected wallet addresses were identified and isolated by the firm.
• A vishing attack on the development platform Retool allowed attackers to access and take over the accounts of 27 cloud customers, all in the crypto industry. The spear-phishing email was sent to a number of employees, pretending to be from the company’s IT department. The recipients were asked to click on a fake Retool identity portal, designed to redirect the calls to attackers. 
• In another incident, Caesars Entertainment was apparently targeted by the BlackCat ransomware group. The company revealed that it was the victim of a social engineering attack on an outsourced IT support vendor associated with the company. A ransom of $15 million was paid to the cybercriminals.
• Alabama-based Acadia Health LLC, which operates as Just Kids Dental, notified that the sensitive information of nearly 130,000 patients, parents, and employees was compromised in a recent cyberattack. The compromised details included names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, driver's license numbers, health insurance policy information, and treatment information.
• The ShinyHunters group claimed to have stolen more than 30 million customer order records from Pizza Hut Australia, in addition to the personal information of more than one million customers. Pizza Hut later confirmed that a cyberattack allowed hackers to gain unauthorized access to the personal information of its 193,000 customers including full names, delivery addresses, phone numbers, and masked credit card details.
• Booking.com users were the target of a large-scale phishing attack, wherein their personal data, including names, booking dates, hotel details, and partial payment methods, was stolen by attackers. The attackers utilized the stolen data to craft personalized messages designed to play on the fears and urgency of potential victims. 
• Ten years’ worth of pathology referral letters and other sensitive details such as patient names, contact details, and Medicare numbers were exposed in a cybersecurity incident affecting the Melbourne-based pathology clinic TissuPath. Russia-based BlackCat claimed responsibility for the attack by threatening to release 4.95TB of data stolen from the firm. 
• A novel cloud-native cryptojacking operation, codenamed AMBERSQUID, targeted uncommon AWS offerings, such as AWS Amplify, AWS Fargate, and Amazon SageMaker, to illicitly mine cryptocurrency. The activity was first noticed in May and remained active throughout August. 

New Threats

• A newly discovered ValleyRAT malware was used alongside Sainbox RAT and Purple Fox malware in an attack campaign to target Chinese-speaking users. These malware were distributed via phishing emails including business-themed content—like invoices, payments, and new products—to lure recipients. Written in C++, ValleyRAT includes the functionalities of a basic RAT. 
• A previously undocumented backdoor malware named LightlessCan was attributed to the Lazarus group. The attackers use the malware as part of the Operation Dreamjob campaign to target employees of an aerospace company located in Spain. The malware is a successor to BlindingCan and is deployed alongside miniBlindingCan (another variant of BlindingCan) via the NickelLoader malware.
• Two previously unknown trojans, AtlasAgent and DangerAds, were revealed in attacks by the recently identified AtlasCross hacking gang. These trojans were distributed using phishing lures that claimed to be from the American Red Cross, encouraging users to take part in a "September 2023 Blood Drive." Both Atlas Agent and DangerAds are intended to infect Windows devices.
• A new variant of Xenomorph emerged in the threat landscape, adding overlays for multiple crypto wallets, and targeting over 30 banking institutions in the U.S. and Portugal. The malware variant was distributed via phishing pages posing as Chrome updates, which also propagated LummaC2 Stealer and RisePro Stealer at different time periods. 
• Chinese hacking group Earth Lusca was discovered using a new Linux backdoor, SprySOCKS, in a campaign targeting government agencies in multiple countries. The malware borrows much of its source code from the Trochilus open-source Windows backdoor. The structure of SprySOCK’s C2 protocol is similar to the one used by the RedLeaves backdoor.
• The new Sandman APT group was identified using a new modular backdoor named LuaDream to target telecom service providers in Europe and Asia. The malware utilizes the LuaJIT platform to propagate on targeted organizations’ systems. According to SentinelOne, it shares similarities with another malware named DreamLand. 
• A previously unseen variant of MidgeDropper was found deploying additional malware payloads on Windows systems. The dropper is deployed via phishing emails that contain two files—”Notice to Work-From-Home groups.pdf” and “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”. Recipients are tricked into opening the files that initiate the dropper download. 
• A new version of the BBTok banking trojan was used to target clients of over 40 Mexican and Brazilian banks in a campaign that employed various file types, including ISO, ZIP, LNK, DOCX, JS, and XLL. The new variant replicates the interfaces of the banking sites and tricks victims into entering 2FA codes to steal payment card details from their bank accounts.
• The Budworm APT used a previously unseen variant of SysUpdate backdoor, known as SysUpdate DLL inicore_v2.3.30.dll, to target a Middle Eastern telecommunications organization and an Asian government. The malware provides attackers with various capabilities, such as capturing screenshots, command execution, and service manipulation.
• A phishing kit dubbed W3LL Panel served at least 500 cybercriminals in the last 10 months to compromise more than 56,000 Microsoft 365 corporate accounts in the U.S., Australia, and Europe. The phishing kit is used along with 16 other tools that are primarily designed for BEC attacks. Some of these tools include SMTP senders (PunnySender and W3LL Sender), a malicious link stager (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery instrument (CONTOOL), and reconnaissance tools.  
• A new ransomware family, dubbed 3AM, was detected in an attack by a LockBit affiliate who attempted to deploy the ransomware when LockBit was blocked on the targeted network. Written in Rust language, the ransomware gets its name from the fact that it appends encrypted files with the .threeamtime extension.
• Symantec’s Threat Hunter Team shared details of an attack where the Redfly threat group used the ShadowPad trojan to compromise the national grid in an Asian country for as long as six months and steal network credentials. The attack is the latest in a series of espionage intrusions against Critical Nation Infrastructure (CNI) targets.