Cyware Weekly Threat Intelligence, January 09-13, 2023

The Good

• More than 20 healthcare leaders have joined hands to form the Health 3rd Party Trust (Health3PT) Initiative and Council which aims at introducing new standards, automated workflows, and assurance models to tackle and manage third-party cyber risks. This new initiative will help safeguard sensitive health information stored on different third-party systems and devices. 
• The New York governor has approved an additional $35 million in funding to the state’s $61.9 million cybersecurity budget for 2023. This comes following the rise in cyberattacks across different sectors and the additional fund will be used to protect critical infrastructure across the energy, transportation, and manufacturing sectors. 
• Europol and Eurojust took action against a fake crypto scam that involved a number of different criminal actors operating through call centers. The fraudsters lured victims into investing large amounts of money into fake cryptocurrency schemes. At least $2.2 million was stolen from victims, primarily from Germany, in the scam. 

The Bad

• The Liquor Control Board of Ontario in Canada began an investigation into a cybersecurity incident that knocked out its website and mobile app. The firm said its shops were open to customers as they were unaffected. 
• Access to the websites of the Danish Central Bank and seven private banks in the country were briefly disrupted following a DDoS attack. Attackers redirected unwanted traffic to the targeted servers in a bid to knock them offline. Among the banks affected were Jyske Bank and Sydbank. 
• A new Facebook-themed phishing attack was reported by researchers. Attackers leveraged Facebook copyright infringement notices, and other related artifacts to steal credentials from users. The attack started with a basic email from Facebook stating that the recipient’s account has been suspended.
• A zero-day vulnerability (CVE-2022-42475) in FortiOS SSL-VPN that Fortinet addressed last month was exploited by threat actors to target government organizations. The end goal was to deploy a generic Linux implant to compromise Fortinet’s IPS software and establish connections with a remote server to download additional malware. 
• A cyberattack on Royal Mail has been linked to the LockBit ransomware operation. Reports suggest that the ransomware encrypted devices used for international shipping and caused ransom notes to be printed on printers used for custom dockets. 
• The Hive ransomware group leaked 550 GB of data, including employee and customer PII, stolen from Consulate Health Care. The leaked samples include stolen contracts, agreement documents, and the company’s private info. This also included email addresses, phone numbers, credit card details, Social Security numbers, and medical records of employees. 
• The Dark Pink APT group is currently using spear-phishing emails to launch attacks against government and military organizations in Asia-Pacific. The group has been linked to seven successful attacks between June and December 2022. 
• Social marketplace Trustanduse left data of around 439,000 users including businesses exposed for at least six months. The unsecured data included sensitive information such as usernames, full names, Facebook IDs, phone numbers, and passwords hashed with the BCrypt algorithm. 
• Bay Bridge Administrators started notifying around 250,000 individuals of a September 2022 data breach. The compromised information includes names, addresses, birth dates, Social Security numbers, ID and driver’s license numbers, and medical and health insurance information.
• The Serbian Ministry of the Interior suffered a DDoS attack over the weekend, crippling the IT infrastructure. The government took the required security measures to thwart the attack and protect the data of the Ministry of Internal Affairs. 

New Threats

• A new IceID malware attack enabled threat actors to compromise the Active Directory domain of an unknown target in less than 24 hours. Throughout the attack, the attackers followed a series of commands to execute Cobalt Strike on the compromised host. 
• A cybercrime group tracked as Scattered Spider was observed exploiting an old vulnerability (CVE-2015-2291) in an Intel Ethernet diagnostics driver to target telecom and BPO firms. The attack was launched using phishing and social engineering techniques to obtain victims’ credentials and OTPs.
• For the past two weeks, hackers have been exploiting a critical authentication bypass vulnerability in SugarCRM to infect users with malware that gives full control over the targeted server. The exploit code for the vulnerability is available online since December.  
• New research reveals that the Raspberry Robin worm’s attack infrastructure can be repurposed by other threat actors to deploy their own implants. The malware notably employs infected USB drives as a propagation mechanism and leverages breached QNAP NAS devices as first-level C2 servers. 
• A new round of supply chain attacks deploying the PoweRAT malware on victims’ systems was observed. The attacks leveraged several PyPI packages—EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles—to drop the malware that is capable of stealing browser cookies, passwords, Discord tokens, and Telegram data. 
• Vidar malware has been spotted in an ongoing campaign that leverages 1,300 different domains impersonating official sites of AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, and OBS. Many popular cryptocurrency trading apps are also being mimicked as part of the campaign. 
• Gootkit loader aka Gootloader resurfaced in a new spate of attacks that targeted the Australian healthcare industry. The malware operators leveraged SEO poisoning attacks for initial access. To push the infection to the next phase, the loader abused legitimate applications like VLC Media Player. 
• Researchers discovered a new variant of a prototype pollution flaw that can allow attackers to perform pollution-like attacks on Python programs. Called class pollution, the flaw has been observed in the wild and can be triggered by manipulating the attribute values in Python classes. The exploitation of the flaw can lead to remote code execution and overwriting of secret keys. 
• The Kinsing cryptojacking operation was discovered leveraging weakly configured PostgreSQL containers and vulnerable images to gain initial access to Kubernetes environments. A majority of the targeted images were vulnerable to remote code execution attacks. 
• StrongPity APT was associated with a new campaign that used trojanized versions of the Shagle website to drop malware. These enabled the attackers to record phone calls, track device locations, and collect SMS messages and contact lists.  
• CISA updated its KEV catalog with two new vulnerabilities that are currently being actively exploited. Collectively called the OWASSRF vulnerability (CVE-2023-21674 and CVE-2022-41080), it was used to breach and deploy ransomware on the infrastructure of cloud hosting giant Rackspace last year.  
• Operators of the newly found StrRAT and Ratty RAT are running a new campaign using polyglot files to bypass detection from security tools. Among these files are various combinations of MSI/JAR and CAB/JAR files. 
• A new malware dropper named NeedleDropper appears to have been used in the wild since October 2022. The malware is being sold on underground hacking forums via a classic MaaS offering.