Cyware Weekly Threat Intelligence - July 15–19
Weekly Threat Briefing • Jul 19, 2024
In a concerted blitz against the shadowy underworld of cryptocurrency phishing scams, law enforcement agencies and crypto exchanges from six nations united under the banner of Operation Spincaster. This initiative has unearthed a staggering 7,000 leads, exposing compromised wallets and a jaw-dropping $162 million in financial hemorrhage. Simultaneously, researchers unleashed a decisive counterstrike against the nefarious Konfety ad fraud scheme. Google Play Protect now identifies and neutralizes these Evil Twin apps.
Law enforcement agencies and crypto exchanges from six countries are collaborating in an effort called Operation Spincaster to combat cryptocurrency approval phishing scams. This initiative, led by blockchain intelligence firm Chainalysis, has identified 7,000 leads related to compromised wallets and $162 million in losses. The operation has resulted in the closure of attacker-controlled accounts, recovery of funds, and preventative actions against future scams.
HUMAN's Satori team disrupted the Konfety scheme involving an advertising SDK called CaramelAds and an "evil twin" evasion method. The actors maintained non-malicious apps on the Google Play Store using the CaramelAds SDK to appear owned by different developers. HUMAN flagged high-confidence traffic from these apps and implemented countermeasures to protect customers, prompting the threat actors to switch targets. Google Play Protect identifies and disables "Evil Twin" apps. Partners with HUMAN for mitigation and detection are fully protected from Konfety's impacts.
Interpol's Operation Jackal III, a three-month global operation, resulted in the arrest of 300 individuals with links to West African cyber fraud. The operation, which involved law enforcement agencies across 21 countries, targeted organized crime groups, particularly the notorious Nigeria-based Black Axe gang, involved in online financial fraud. Authorities were able to seize $3 million in assets and block 720 bank accounts during the operation.
The cybercriminal syndicate known as Revolver Rabbit has unleashed a staggering onslaught, registering over 500,000 domain names through the cunning use of RDGAs. Their sinister aim? To orchestrate sweeping infostealer campaigns that imperil both Windows and macOS systems. Parallel to this digital mayhem, armed with an arsenal of tools, the China-based hacking collective APT41 infiltrated firms across multiple industries and siphoned data with surgical precision. Meanwhile, the cybercrime group Scattered Spider pivoted to employing the RansomHub and Qilin ransomware variants in its nefarious activities.
The cybercriminal gang Revolver Rabbit has registered over 500,000 domain names using Registered Domain Generation Algorithms (RDGAs) to conduct infostealer campaigns targeting Windows and macOS systems. The threat actor is distributing the XLoader info-stealing malware, controlling more than 500,000 domains under the .bond top-level domain to create decoy and live C2 servers for the malware. This massive domain registration campaign has cost the gang over $1 million in registration fees.
Mandiant documented a sustained cyber campaign by the China-based hacker group APT41, targeting organizations in shipping and logistics, media, technology, and automotive sectors. The threat actor infiltrated networks and used various tools for data exfiltration, including ANTSWORD, BLUEBEAM, DUSTPAN, DUSTTRAP, SQLULDR2, and PINEGROVE. The group's victims were located in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. They also had a history of targeting the video game industry and were observed using non-public malware for espionage operations.
The cybercrime group Scattered Spider is now using the RansomHub and Qilin ransomware variants in its attacks. This shift demonstrates how newer ransomware families like RansomHub and Qilin are gaining prominence as ALPHV/BlackCat and LockBit decline. Microsoft has described Scattered Spider as one of the most threatening cybercrime groups currently in operation.
The CISA warned organizations to urgently patch a critical vulnerability in the GeoServer software that is being actively exploited in the wild. Tracked as CVE-2024-36401, it is a remote code execution flaw that allows unauthenticated attackers to execute code remotely through crafted input against a default GeoServer installation. It is caused by the unsafe evaluation of property names as XPath expressions in the GeoTools library API used by GeoServer. The CISA has added this vulnerability to its KEV catalog.
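The root cause described above is a bug class, not a GeoServer-specific trick: a string that should only ever be an element name is handed to a path evaluator and interpreted as an expression. The following added example (written for this briefing, not GeoServer's or GeoTools' own code) contrasts that pattern with an allowlisted lookup over a constructed feature document; the regular expression and the sample XML are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample feature document; not from the original page.
SAMPLE_FEATURE = """<feature>
  <name>river</name>
  <geom>POINT(1 2)</geom>
  <internal><secret>token</secret></internal>
</feature>"""

# Assumed allowlist: a property name is a plain XML element name with an
# optional namespace prefix. Separators, predicates, wildcards and function
# calls are rejected before any path evaluator ever sees the string.
_PROPERTY_NAME = re.compile(r"^[A-Za-z_][\w.-]*(:[A-Za-z_][\w.-]*)?$")


def lookup_unsafe(xml_text: str, prop_name: str):
    """Vulnerable pattern: the caller-supplied property name goes straight
    into a path evaluator, so a path expression is evaluated as-is."""
    root = ET.fromstring(xml_text)
    node = root.find(prop_name)
    return None if node is None else node.text


def is_valid_property_name(prop_name: str) -> bool:
    """Accept only identifiers, never expressions."""
    return _PROPERTY_NAME.fullmatch(prop_name) is not None


def lookup_safe(xml_text: str, prop_name: str):
    """Hardened form: validate the name as an identifier, then match direct
    children by exact tag comparison, with no expression evaluation at all."""
    if not is_valid_property_name(prop_name):
        raise ValueError(f"rejected property name: {prop_name!r}")
    root = ET.fromstring(xml_text)
    for child in root:
        if child.tag == prop_name:
            return child.text
    return None
```

A nested element is reachable through the unsafe lookup because the "name" is interpreted as a path; the safe lookup only ever returns a direct child whose tag equals the validated identifier.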
The SEXi ransomware operation, known for targeting VMware ESXi and Windows servers, has rebranded as APT Inc. and continues to use the leaked Babuk and LockBit 3.0 encryptors in recent attacks. It has targeted organizations such as IxMetro Powerhost, encrypting servers and demanding large ransom amounts. Victims are assigned random names and are directed to contact the threat actors using Session, an encrypted messaging application. Ransom demands vary from tens of thousands to millions.
Cofense warned about a sophisticated phishing tactic that appears to be an official communication from a company’s HR department, with a subject line that creates a sense of urgency for employees to review a revised employee handbook. The email contains a link that redirects the victim to a page mimicking a legitimate document hosting site, where they are prompted to click a PROCEED button. Clicking the PROCEED button takes the victim to a fake Microsoft login page, where their username and password are captured by the threat actors.
The Play ransomware syndicate has taken a concerning leap forward, crafting a new Linux variant that ruthlessly targets VMware ESXi environments. In a separate and alarming revelation, a critical vulnerability has been unearthed in Splunk Enterprise on Windows. This security flaw allows malicious actors to access files outside the designated directory via a cleverly crafted GET request, and it requires no prior authentication. Meanwhile, threat actors have co-opted legitimate tools such as RDPWrapper and Tailscale to stealthily gain unauthorized access and control over victims' systems.
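An unauthenticated file read through a crafted GET request, as described for Splunk above, leaves a trace in the web access log: a request path that, once percent-decoded, climbs out of its directory. The added example below (not Splunk's code and not tied to its specific flaw) runs a traversal check over constructed common-log-format lines; the log lines, paths and the decode depth are assumptions for illustration, and the detector handles double encoding and backslash separators.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in common log format; not from the original page.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jul/2024:10:00:01 +0000] "GET /en-US/static/app/app.js HTTP/1.1" 200 512
10.0.0.7 - - [19/Jul/2024:10:00:02 +0000] "GET /en-US/modules/../../../conf/server.conf HTTP/1.1" 200 1024
10.0.0.7 - - [19/Jul/2024:10:00:03 +0000] "GET /en-US/modules/..%252f..%252fconf%2fusers.txt HTTP/1.1" 404 12
10.0.0.9 - - [19/Jul/2024:10:00:04 +0000] "GET /en-US/static/app/..data/x.js HTTP/1.1" 200 88
"""

_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')


def normalize_path(raw: str) -> str:
    """Drop the query string, percent-decode until stable (double encoding is
    a common evasion) and unify backslashes so Windows paths are comparable."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # assumed bound on nested encodings
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when any path segment is exactly '..' after normalisation;
    segments such as '..data' are legitimate names and are not flagged."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_traversal_requests(log_text: str):
    """Return (client_ip, method, normalised_path, status) for each hit.
    A 404 is still reported: the probe matters even when it failed."""
    hits = []
    for line in log_text.splitlines():
        m = _REQUEST.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if is_traversal(path):
            hits.append((ip, method, normalize_path(path), int(status)))
    return hits
```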