Cyware Weekly Threat Intelligence, March 04–March 08, 2024

The Good

• The NSA and the CISA released five joint cybersecurity bulletins focusing on best practices to secure data in cloud environments. The recommendations include implementing IAM solutions, encryptions, data encryption, network segmentation, and mitigating risks from MSPs. The guidance also includes tips for securing cloud services and emphasizes the importance of understanding shared security responsibilities.
• The NSA released guidance on implementing a zero-trust security framework to limit adversary movement within internal networks. This approach assumes that a threat already exists and requires strict controls for accessing resources, such as data flow mapping, segmentation, and software-defined networking. The framework consists of seven pillars, and the agency has just released guidance for the network and environment component. 
• GitHub is implementing push protection as the default for all public repositories to prevent accidental leakage of secrets like API keys and tokens. The feature scans code commits for secrets and alerts developers if any are found. It has detected over 1 million leaked secrets this year alone. The feature supports over 200 token types and patterns from 180 service providers.
• The U.S. Coast Guard is enhancing its cybersecurity capabilities and expanding its Cyber Command operations to address growing cyber threats in maritime transportation systems. Additionally, the Coast Guard is implementing specific cyber risk management actions for cranes manufactured by Chinese companies and is planning to establish new cybersecurity standards for U.S. ports and vessels.

The Bad

• A ransomware attack on Swiss technology company Xplain resulted in the leak of 65,000 sensitive government documents, impacting key administrative units and containing personal data and classified information. Most of the leaked files belong to the Federal Department of Justice and Police, with a smaller impact on the Federal Department of Defence.
• The Jersey Financial Services Commission experienced a data breach, allowing unauthorized access to non-public names and addresses. The breach was due to a misconfiguration in a third party-supplied Registry system. The leak did not link individuals to registered entities or roles, and the organization is working with authorities and conducting thorough investigations to improve the system's design.
• Belgian brewery Duvel Moortgat was targeted in a ransomware attack, leading to the suspension of production. The attack prompted an immediate halt to production. While the company is well-stocked to handle the disruption, there is uncertainty about when production will resume. The Stormous ransomware group added the company to its leak site and allegedly stole 88GB of data. 
• School District 67 (Okanagan-Skaha) in Penticton and Summerland notified parents of a cyberattack that compromised personal information, including student files, report cards, and possibly health data. The district shut down online services, contacted the police, and initiated an investigation. Concerned individuals are advised to contact the district and take precautionary measures such as changing passwords and monitoring online activity.
• Fidelity Investments Life Insurance disclosed that attackers acquired information about 28,268 customers in a ransomware attack on Infosys’ US subsidiary, Infosys Mccamish Systems. The information includes names, SSNs, states of residence, bank accounts, routing numbers, dates of birth, and credit card numbers of individuals. While the LockBit group had previously claimed responsibility for attacks, it remains unclear as to how attackers gained access to the network and how much data was stolen.  
• A data breach at Mr. Green Gaming affected the personal information, such as dates of birth, email addresses, geographic locations, addresses, and usernames, of around 27,000 users. The incident came to light after the information was circulated on the dark web. The breach was attributed to the unauthorized access of an inactive administrator account.
• Canada’s financial intelligence agency FINTRAC was forced to pull off its corporate systems following a cyber incident that occurred over the weekend. While the nature of the incident is not disclosed, the agency revealed that its intelligence or classified systems were unaffected.
• Muscatine Power and Water, a utility company in Iowa, disclosed that the information of nearly 37,000 people was affected in a January ransomware attack. The hackers had gained unauthorized access to SSNs and CPNI of individuals after infiltrating its corporate network environment.
• Chunghwa Telecom in Taiwan experienced a data breach, allegedly orchestrated by cybercriminals backed by the Chinese government. The breach resulted in the theft of 1.7TB of government-related information, which was subsequently offered for sale on the dark web. While the Defense Ministry confirmed the breach, it assured that no confidential information was compromised. 
• American Express informed customers about a data breach involving a third-party service provider used by its travel services division. While the breach did not compromise American Express's systems, it resulted in unauthorized access to customers' credit card account numbers, names, and expiration dates. The exact scope of the breach, including the number of affected customers and the timing, remains unclear.

New Threats

• A cyberespionage campaign targeted Tibetans through a strategic web compromise and trojanized software, utilizing the Monlam Festival as a focal point for attacks, revealed ESET. The Evasive Panda APT group, with Chinese alignment, was identified as the likely perpetrator based on the use of MgBot and the newly discovered Nightdoor backdoor.
• A new threat, dubbed Python Infostealer, was observed targeting Facebook Messenger users and pilfering their credentials. This malware operates stealthily by leveraging legitimate platforms like GitHub and GitLab for its C2 infrastructure. The infection begins with innocuous Messenger messages containing archived files, initiating a two-stage infection process. The stealer comes in three variants, aiming to harvest and exfiltrate user credentials to platforms like Discord, GitHub, and Telegram.
• Cisco disclosed critical vulnerabilities, CVE-2024-20335 and CVE-2024-20336, in the web-based management interface of its Small Business 100, 300, and 500 Series Wireless Access Points. These flaws could permit authenticated remote attackers to execute command injections and buffer overflow attacks, potentially leading to full compromise of the devices. Since no patches will be provided, users are urged to replace affected devices and transition to newer models.
• Zscaler researchers shared details of a new campaign that leveraged online meeting platforms, such as Skype, Google Meet, and Zoom, to spread RATs. While SpyNote is distributed on Android platforms, NjRAT and DCRat are deployed on Windows systems. The ultimate goal of the attack was to steal confidential information, keystrokes, and files from targeted devices.
• A new malware dubbed WogRAT was found using the online notepad platform, aNotepad, as a covert channel to target Windows and Linux systems. The Linux version of the malware, which comes in ELF form, shares similarities with the Windows variant. However, it distinguishes itself by utilizing Tiny Shell for routing operations and additional encryption in its communication with the C2 server. The malware has been targeting users in Japan, Singapore, China, Hong Kong, and other Asian countries.
• Cado Security Labs identified four new Golang malware that targeted misconfigured servers and exploited an n-day vulnerability (CVE-2022-26134) in Confluence to conduct RCE attacks and infect new hosts. Once initial access was achieved, a series of shell scripts and Linux attack techniques were used to deliver a cryptocurrency miner.
• Researchers warned about a new banking trojan, named CHAVECLOAK, that uses Smishing, phishing emails, and compromised websites to infect Brazilian banking users. The malware targets Windows devices and accesses online banking platforms to steal banking credentials and financial information. In one such campaign, the attackers used phishing emails disguised as legitimate bank communications to trick users into downloading the malware.
• The North Korean APT group Kimsuky was found exploiting ConnectWise ScreenConnect flaws (CVE-2024-1708 and CVE-2024-1709) to deploy a new ToddleShark malware on targeted systems. The malware, believed to be a variant of BabyShark and ReconShark backdoors, is capable of gathering a wide range of system information such as hostname, user accounts, network configurations, installed security software, and current network connections.
• Insikt Group unearthed a new infrastructure used by the operators of the Predator spyware in 11 countries. By analyzing the domains facilitating the spyware's delivery, potential Predator customers were identified in countries like Saudi Arabia, Egypt, and Kazakhstan. Predator grants access to sensitive data and leave minimal traces. The sophisticated spyware is distributed through spoofed websites and an anonymization network, making attribution challenging.