Go to listing page

Cyware Weekly Threat Intelligence, December 12-16, 2022

Cyware Weekly Threat Intelligence, December 12-16, 2022

Share Blog Post

The Good

The demand for 5G cellular networks for office and home uses has attracted the attention of cybercriminals. Keeping this in mind, the NSA, along with the CISA and ODNI, issued a joint report to provide mitigation strategies that address potential threats to 5G network slicing. In another significant achievement, the DoJ took action against 48 DDoS-for-hire service platforms that were used to launch DDoS attacks worldwide.
 
  • The U.S. DoJ seized 48 DDoS-for-hire service platforms that allowed anyone to easily launch DDoS attacks. Along with the takedown of stressor/booster sites that included RoyalStresser[.]com, SecurityTeam[.]io, Astrostress[.]com, Booter[.]sx, Ipstressor[.]com, and TrueSecurityServices[.]io, enforcement agencies also arrested six individuals operating these sites.
  • The NSA, the CISA, and the Office of the Director of National Intelligence (ODNI) published a joint report to highlight the most plausible threats and mitigation advice associated with 5G network slicing implementations. The mitigation measures include defense and prevention strategies to be implemented by 5G network operators, integrators, and providers.  
  • The NSA’s JFAC Hardware Assurance Lab publicly released four cybersecurity technical reports to help the Department of Defense protect FPGA-based systems from adversary attacks.  
  • The Cyber Security Agency of Singapore (CSA) pushed the need to beef up the cybersecurity of OT systems. The CSA noted that as the threat landscape is constantly evolving, every critical information infrastructure (CII) sector should continuously adapt and transform its processes. 


The Bad

Owing to the vast troves of patient data stored, healthcare entities remain vulnerable to ransomware attacks. This week, the HHS issued an advisory to help healthcare providers understand the attack scope and mitigation measures for LockBit 3.0 ransomware. In another update, the operators behind LockBit added the California Department of Finance to its list of victims. Furthermore, Uber reported a security breach that occurred due to an intrusion at a third-party vendor. This is the second data breach that the firm has suffered this year and is likely to have impacted the data of over 70,000 employees.
 
  • This week, the HHS issued an advisory to warn healthcare organizations about LockBit 3.0 attacks. This advisory comes days after the advisory on Royal ransomware attacks against the healthcare sector was released. The latest publication noted that the malware should be considered a threat to the HPH sector due to its historical nature of victimizing the healthcare community. 
  • The California Department of Finance confirmed that it suffered a security breach, hours after the LockBit ransomware gang listed the agency as a victim on its dark web leak site. The gang has given time until Christmas eve to avoid the publishing of more than 500GB of stolen files.
  • A successful phishing attack dubbed Meta-Phish resulted in the loss of PII, login credentials, and Facebook profile links. The phishing email redirects victims to an actual Facebook post that contains a link to an external phishing page. 
  • A hospital in California’s Riverside County reported a data breach that impacted its patients’ sensitive information such as Social Security numbers and medical information. According to the notice, the hackers had unauthorized access to the data between October 29 and November 10. 
  • An unprotected database belonging to Vevor, a California-based online retailer, had leaked over 601.84 GB of data. The database was marked as ‘production’ and contained various types of PII such as first and last names, partial credit card numbers, transaction IDs, refund information, and home address of users. 
  • Attackers behind Play ransomware claimed responsibility for recent attacks on the Belgium city of Antwerp. Due to the attack, the city’s IT, email, and phone services were disrupted. 
  • The details of more than 70,000 Uber employees have reportedly been leaked online, marking another data breach for the company this year. The incident occurred after a threat actor targeted a third-party software provider, Teqtivity, used by Uber for IT asset management services.
  • Australian telecommunications giant TPG revealed that emails of 15,000 iiNet and Westnet business customers were breached as hackers looked for cryptocurrency and other financial information. Investigation into the incident is underway. However, the breach did not affect mobile or broadband services. 
  • Members of the North Korean Kimsuky cyberespionage group have been found impersonating think tank members to reach out to political and foreign affairs analysts. The campaign first started in January and has proven to be successful over time. 
  • A subgroup of the Cobalt Mirage threat group targeted a variety of U.S. organizations using a new custom malware named Drokbk. The attackers compromised a VMware Horizon server using Log4j vulnerabilities. 



New Threats

Researchers have laid bare recent cyberespionage activities associated with the infamous Charming Kitten APT. It has been found that six subgroups of the APT were involved in 60 attack campaigns launched across different sectors. Meanwhile, the trend of Golang-based malware continues to flourish in the threat landscape. This week, researchers discovered two new Golang malware—GoTrim and Chaos RAT—that enabled their operators to launch a wide range of attacks. 

  • A hacking group named MirrorFace was found using a credential stealer named MirrorStealer to target Japanese politicians. The hackers deployed the infostealer along with the LODEINFO backdoor malware, which communicated with a C2 server known to belong to APT10 infrastructure. 
  • Threat actors uploaded over 144,000 malicious packages in open-source repositories such as NPM, PyPi, and NuGet. These packages were uploaded using a particular naming scheme that hinted at the use of automation. They linked to over 65,000 phishing pages that promoted fake apps, prize-winning surveys, gift cards, giveaways, and more. 
  • Proofpoint tracked six subgroups of the Charming Kitten APT using different infrastructures, and techniques. The group has been associated with the 60 attack campaigns this year, with primary targets including government officials, politicians, medical researchers, and critical infrastructure. 
  • Qualys researchers revealed that threat actors such as Turla, Wizard Spider, and Leviathan are actively adopting the Empire C2 framework to launch malicious payloads. These payloads are primarily used against Windows systems. 
  • FortiGuard Labs encountered a Golang-based botnet named GoTrim that utilizes a bot network to perform distributed brute-force attacks against WordPress and OpenCart sites. The botnet campaign began in September and is still ongoing.
  • Trend Micro reported a new Go-based malware strain named Chaos RAT used in recent cryptomining attacks against Linux servers. The malware appears to have been open-sourced on GitHub. 
  • Hackers were found using HTML smuggling attack techniques to distribute QBot malware onto Windows systems. The malware was encoded in SVG images embedded in HTML email attachments. 
  • The cyberespionage group Cloud Atlas has ramped up its activities across Russia, Belarus, and Moldova since the beginning of this year. The primary purpose of the group is to pilfer confidential and intellectual information from targets. The group uses template injection attacks that abuse features in Microsoft Word to deliver malicious payloads to victims. 
  • Microsoft tracked a cluster of activity associated with a newly discovered cross-platform botnet dubbed MCCrash. Linked to DEV-1028, the botnet is known for launching DDoS attacks against private Minecraft servers, with a majority of infections recorded in Russia. 
  • A malicious stalkerware app called Xnspy was found stealing and leaking data from tens of thousands of iPhones and Android devices. Once installed, the app silently pilfered call records, browsing history, location data, text messages, and photos from victims’ phones.

 Tags

ddos for hire service platforms
mccrash botnet
play ransomware
log4j vulnerabilities
kimsuky cyberespionage group
meta phish
html smuggling attack technique
california department of finance
vmware horizon server
cobalt mirage threat group

Posted on: December 16, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite