Cyware Weekly Threat Intelligence, February 12–16, 2024

The Good

• Korean researchers identified a security hole in Rhysida ransomware's encryption process, which helped create a decryptor. Rhysida, linked to double extortion tactics, encrypts files using a 4096-bit RSA key and ChaCha20 algorithm. Analyzing its encryption routine, the experts found that the ransomware's PRNG relies on execution time, allowing them to decipher the order of file encryption.
• The DOJ, in collaboration with international agencies, reportedly shut down domains selling the Warzone RAT malware. The sophisticated RAT allowed cybercriminals to conduct various malicious activities, including stealing information and spying on victims. Two suspects were arrested in Malta and Nigeria for their involvement in distributing the malware.
• The FCC will soon require telecommunications and voice over IP providers to report data breaches to authorities within seven business days of discovery. Phone carriers must also notify customers of breaches in a timely manner. The new rule expands the definition of a breach and is intended to align with state and federal data breach laws.
• The U.S. government disrupted a botnet of small office and home office routers used by the Russia-linked APT28 to conceal cyberespionage activities targeting various organizations. The botnet, known as MooBot, exploited vulnerable Ubiquiti routers using default credentials to conduct spear-phishing campaigns and steal credentials.

The Bad

• The Minnesota-based internet provider U.S. Internet Corp., through its Securence division, inadvertently exposed over a decade's worth of internal emails and those of thousands of clients online in plain text. The company's CEO attributed the exposure to an incorrect configuration in the Ansible playbook for their IMAP servers, but has not provided details on the duration of the exposure or taken sufficient responsibility for the incident.
• The U.K’s Southern Water confirmed that between 5% and 10% of its customers had their personal details stolen in a Black Basta ransomware attack. The stolen data included sensitive information such as names, dates of birth, national insurance numbers, bank account details, and payment reference numbers, prompting the company to offer credit monitoring services to affected individuals.
• The DNSC announced that the Backmydata ransomware attack on the Hipocrate Information System impacted 26 hospitals across Romania, instead of 18. Another 74 hospitals connected to the system have been cut off from the internet. The attackers demanded a 3.5 Bitcoin ransom and claimed to have stolen confidential data, prompting hospitals to isolate impacted systems, save ransom notes, and investigate the point of entry.
• Cybercriminals utilized a stolen private key to mint and steal over $290 million in PLA tokens from the PlayDapp ecosystem, a blockchain-based platform facilitating NFT trading within games. It has now suspended trading, frozen hacker wallets, and advised users to be cautious. Despite efforts to mitigate the breach, stolen tokens are being laundered, impacting market value.
• Proofpoint researchers uncovered an active campaign targeting Microsoft Azure environments, banking on credential phishing and cloud account takeover techniques. The threat actors target diverse roles, including senior executives, to access accounts associated with valuable resources across organizational functions. Attackers employ a complex operational infrastructure, including proxies and hijacked domains, to evade detection.
• Oklahoma's largest not-for-profit healthcare network Integris Health disclosed that it suffered a cyberattack last year, compromising the personal information of nearly 2.4 million individuals. Despite no network interruptions, threat actors accessed sensitive data, including full names, dates of birth, contact details, demographic information, and SSNs. The breach reportedly led to extortion emails sent to patients.
• EclecticIQ analysts noted a surge in DarkGate loader usage. DarkGate is in high demand by financially motivated groups like TA577 and Ducktail, and has been used against targets in Europe and the U.S. Exploiting legitimate services such as Google's DoubleClick and cloud storage, DarkGate is advertised as a Malware-as-a-Service (MaaS) on cybercrime forums. Recent phishing attempts targeted institutions like Bank Deutsches Kraftfahrzeuggewerbe using automotive-themed lures.
• Nearly 33 million of France's population was impacted by a significant security breach at healthcare payment servicers Viamedis and Almerys. The breach, disclosed by CNIL, compromised data dates of birth, SSNs, and insurance details. Although banking and medical data remained untouched, the breach marks France's largest cybersecurity incident. Viamedis fell victim to a phishing attack targeting healthcare professionals, while Almerys' breach method remains undisclosed.
• An unsecured database belonging to Nevada software startup Dexiga (developer of the My WinStar app for the WinStar casino resort) exposed customers' personal information, including names, phone numbers, emails, and addresses. Dexiga claimed the database contained publicly available information, but researchers said that sensitive data was also exposed. 
• The notorious IntelBroker group claimed responsibility for leaking a partial database of Facebook Marketplace, containing the sensitive personal information of approximately 200,000 users. The breach, allegedly orchestrated by a cybercriminal using the alias "algoatson," targeted a contractor managing Facebook's cloud services in October 2023. While passwords were not exposed, the leaked data includes full names, Facebook IDs, phone numbers, and physical IDs.
• Willis Lease Finance Corporation disclosed a cybersecurity incident after Black Basta listed it as a victim on its leak site. The company detected a potential breach on January 31. While systems were taken offline and no unauthorized activity has been identified since February 2, the extent of data compromise is still under assessment. Black Basta claims to have stolen 910GB of company data, including customer information, HR documents, and passport scans.
• Fulton County, Georgia, came under attack by the LockBit ransomware group, triggering widespread IT outages affecting phone, court, and tax systems. While initial investigations didn’t identify any citizen or employee data theft, LockBit threatens to publish confidential documents unless a ransom is paid by February 16. Fulton County Chair Robb Pitt confirmed disruptions in the property tax system and facing water billing issues due to the attack.
• The Defense Intelligence Agency of the U.S. DOD informed approximately 20,600 individuals of a data incident, compromising their sensitive emails due to a misconfigured government cloud email server hosted by Microsoft. The breach occurred between February 3 and February 20, 2023. The exposed emails contained sensitive personnel information, including data related to U.S. Special Operations Command.
• Medusa and LockBit ransomware groups may have the Venezuela electoral system under their control for some time. The breach allegedly targeted Smartmatic and other entities, raising alarms about the security of the country's electoral infrastructure. Screenshots circulating on the dark web and social media, purportedly from Smartmatic, hint at compromised voting information.
• Bank of America alerted customers of a data breach at Infosys McCamish Systems, impacting names, addresses, SSNs, and financial data. Approximately 57,000 individuals were directly affected. The breach occurred in November 2023, attributed to the LockBit ransomware gang. This adds to a series of recent cybersecurity incidents affecting Bank of America's partners, highlighting ongoing security challenges.
• Check Point Harmony Email researchers underscored a surge in cyberattacks leveraging fake voicemails, with over 1,000 incidents detected in the last 14 days. Scammers exploit corporate phone systems linked to email servers, embedding malicious links in voicemail playbacks to harvest credentials. Attackers send QR codes with conditional routing, impersonating reputable brands like payment processor Square.

New Threats

• Turla APT group, a Russian cyber espionage threat group, has been identified as the author of a new backdoor called TinyTurla-NG targeting Polish NGOs supporting Ukraine. The TinyTurla-NG backdoor uses compromised WordPress-based websites as C2 endpoints and deploys PowerShell scripts called TurlaPower-NG for file exfiltration, indicating a strategic effort to steal login credentials and other key material.
• Glupteba, a long-standing and adaptable malware, returned in a 2023 campaign featuring a previously unseen UEFI bootkit. This sophisticated malware, known for its modular design and multifunctional capabilities, leveraged pay-per-install (PPI) services for widespread distribution. The campaign targeted organizations globally through web-based distribution and phishing attacks, embedding Glupteba within complex infection chains alongside other malware families.
• French and Spanish-speaking victims in Europe are being targeted by JKwerlo, a Go-based ransomware variant. According to experts at Cyble, the ransomware employs meticulously crafted cyberattacks, distributing language-specific HTML files via spam emails to initiate its campaign. JKwerlo infiltrates systems using encoded PowerShell commands, leveraging Dropbox links and lateral movement techniques like PsExec and Rubeus to evade detection.
• Security researchers uncovered a sophisticated new trojan called GoldPickaxe, designed to steal facial biometric data and create deepfake videos to bypass banking logins. Developed by a suspected Chinese-speaking cybercrime group dubbed GoldFactory, the malware targets victims in Thailand and Vietnam. Once activated, the trojan intercepts SMS messages, proxies traffic, and prompts victims to record videos, enabling cybercriminals to perform unauthorized access to victims' bank accounts.
• Despite a major takedown by U.S. law enforcement, new samples of Qakbot botnet have been observed in the wild. Spotted around mid-December, the strains feature improved encryption and evasion techniques. Security analysts discovered a small-scale campaign directed at the hospitality sector, using a PDF file allegedly from the U.S. Internal Revenue Service.
• Security researchers discovered a new variant of Android malware called MoqHao, which automatically executes upon installation without user interaction. Associated with the Chinese cluster Roaming Mantis, the malware targets Android users in France, Germany, India, Japan, and South Korea. The latest iteration of MoqHao employs smishing techniques with hidden links and prompts victims to grant risky permissions silently.
• A new macOS malware dubbed RustDoor, written in Rust, is being distributed disguised as a Visual Studio update. The malware provides backdoor access to compromised systems and is linked to infrastructure associated with the BlackCat ransomware gang. RustDoor communicates with C2 servers and has persistence mechanisms to ensure it survives system reboots. Bitdefender researchers have identified three variants of RustDoor and provided indicators of compromise for detection.
• Proofpoint research revealed the resurgence of Bumblebee malware after a four-month hiatus, featuring a notably different attack strategy. The campaign, observed in February 2024, employs social engineering tactics, sending emails with OneDrive URLs posing as voicemail notifications. While the threat actor behind the new campaign remains unidentified, similarities suggest potential ties to TA579 group activities.
• Microsoft's Patch Tuesday for February included fixes for 73 vulnerabilities, with two zero-days under active exploitation. The flaws, CVE-2024-21351 and CVE-2024-21412, allow bypassing of security features SmartScreen and Internet Shortcut Files, potentially leading to code execution. Trend Micro links CVE-2024-21412 exploitation to Water Hydra, which installs the DarkMe malware on infected systems. Additionally, five critical flaws in Windows Hyper-V, Microsoft Exchange Server, and Outlook are patched.
• A severe flaw dubbed KeyTrap in the DNSSEC specification has been discovered by researchers at the German National Research Center for Applied Cybersecurity (ATHENE), rendering vulnerable DNSSEC-validating DNS resolvers susceptible to denial-of-service attacks. The flaw, which lasted for over 20 years, allowed threat actors to exploit a design flaw in DNSSEC to exhaust the processing capacity of vulnerable DNS servers with a single packet, effectively disabling them and disrupting internet connectivity for users relying on affected services.