Cyware Weekly Threat Intelligence, January 30–February 03, 2023

The Good

• The CISA is establishing a new office to tackle supply chain security issues. The task force will be composed of the federal government and industry representatives from the information and communications technology sector. With this initiative, the industry and partners can put updated federal guidance and policies into practice.
• Singapore has started labeling SMS messages sent from organizations that are not registered with the local ID registry as ‘likely scam.’ The mandate will better safeguard users against potential scams. This will also facilitate tracking the origin of scam messages sent to mobile users. 
• Singapore and European Union (EU) signed a partnership agreement to drive collaboration across multiple digital platforms. These include digital payments, trusted data flows, 5G, artificial intelligence (AI), and digital identities. The agreement also mentions improving and maintaining cybersecurity standards across these platforms.

The Bad

• Proofpoint researchers uncovered a malicious OAuth app campaign that leveraged Microsoft's "verified publisher" status to meet some of its OAuth app distribution requirements. The victims mainly appear to be U.K.-based organizations and individuals, including marketing and financial personnel and high-profile users. 
• Users looking for password managers were targeted in a malvertising campaign that leveraged Google Ads. The users were redirected to fake sponsored sites exhibited on the top results in an attempt to steal their login credentials. 
• British car retailer Arnold Clark was targeted by the Play ransomware group that stole personal data such as names, contact details, dates of birth, vehicle information, and bank account details of customers. The investigation is ongoing to understand the precise extent and nature of the compromised data.  
• North Korean Lazarus hacking group has been associated with the new ‘No Pineapple!’ cyberespionage campaign that targeted organizations in research, healthcare, chemical engineering, energy, and defense sectors. The attackers stole around 100GB of data from one of the victims.  
• Google Fi informed its customers that their personal details were impacted by a data breach, which is believed to be connected to a recent leak at T-Mobile. The exposed data included phone numbers, SIM card serial numbers, account status, account activation data, and mobile service plan details. 
• A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks targeting medical institutions in the United States and Europe. Although its origins are unknown, the operation has distinctive ties with Russian hacking groups, such as Killnet, Mirai, Venom, and Anonymous Russia.
• The Vice Society ransomware group claimed to have stolen sensitive data from the Guildford County School, the U.K. Post attack, the gang posted several files containing sensitive information belonging to teachers and students. Meanwhile, the school is yet to determine the full extent of the attack.
• The U.K-based Planet Ice suffered a data breach that exposed the personal details of over 240,000 customers. The breach occurred after hackers gained unauthorized access to its Ice Account system. 
• The LockBit ransomware gang claimed responsibility for the cyberattack on ION Group. On January 31, the firm disclosed the incident by revealing that the incident impacted ION Cleared Derivatives, a division of ION Markets.
• More than 350 BEC campaigns impersonating 151 organizations have been identified since April 2021. These campaigns were launched by a financially motivated threat actor, called Firebrick Ostrich, who utilized 212 malicious domains in the process. 
• Trend Micro researchers also observed a BEC campaign that is believed to have been running since April 2022. Linked to the Water Dybbuk threat actor, the campaign used a malicious JavaScript attachment that redirected users to a fraudulent Microsoft phishing page. 

New Threats

• A new variant of the LockBit ransomware dubbed LockBit Green is capable of targeting cloud-based services. The variant resembles Conti ransomware v3. It uses a random extension rather than the standard .lockbit extension and the ransom note is identical to the one used by the LockBit Black variant.
• This week, three new variants of Prilex PoS malware designed to pilfer credit card information were observed. Tracked as 06.03.8080, 06.03.8070, and 06.03.8072, the versions have been modified with the ability to restrict NFC-based contactless payment transactions.
• CheckPoint observed that over the last six years, the TrickGate packer was used to deploy some of the most wanted malware such as Cerber, TrickBot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, and AgentTesla. The malware packer underwent changes periodically, enabling the operators to stay under the radar for years.
• Researchers shared technical details of a new Sh1mmer exploit that could allow attackers to gain root-level access to ChromeOS. Expanded as Shady Hacking 1nstrument Makes Machine Enrollment Retreat, the exploit could be used to bypass administrator restrictions and unenroll enterprise-managed Chromebooks.
• The sophisticated HeadCrab botnet has infected at least 1,200 Redis servers for cryptomining. Primarily based on Redis processes, the HeadCrab botnet boosts numerous options and capabilities. Upon execution, it creates new Redis commands to enable its operators to perform multiple malicious activities.
• A threat actor named InTheBox is promoting over 1800 phishing forms for Android on Russian cybercrime forums. These phishing forms are designed to steal credentials and sensitive data from banking, cryptocurrency exchanges, and e-commerce apps. 
• The ASEC analysis team recently discovered the distribution of the TZW ransomware in South Korea. The malware disguises itself as a normal program file related to boot information to spread across systems. 
• The Russian Sandworm APT was attributed to a series of new data-wiping malware attacks against Ukrainian entities. The malware, dubbed SwiftSlicer and Nikowiper, are capable of overwriting important files on targeted systems, thus, destroying Windows domains.
• Malvertising attacks are being used to distribute .NET loaders dubbed MalVirt. The loaders include different anti-analysis techniques, notably KoiVM virtualization, and are used to deploy Formbook infostealer malware in the later stage of the campaign that is still ongoing. 
• Android users in Southeast Asia are being targeted in a campaign that is active since July 2022. The campaign distributes a banking trojan called TgToxic which is capable of stealing victims’ assets from banking applications, cryptocurrency wallets, and other financial apps. The victims are targeted via phishing emails and SMSes that carry malicious links. 
• Users of the GoAnywhere MFT software were warned of a zero-day remote code execution vulnerability that could allow malicious actors to target systems directly from the Internet. While there are no security patches available currently, users have been asked to follow recommendations to prevent exploitation.