Cyware Weekly Threat Intelligence, March 13–17, 2023

The Good

• The CISA unveiled a new program named ‘The Ransomware Vulnerability Warning Pilot’ in an effort to protect critical infrastructure entities from ransomware attacks. Under this program, the law enforcement agency will warn organizations about commonly exploited vulnerabilities in ransomware attacks and provide actionable information to reduce the impact. The effort will be coordinated by the Joint Ransomware Task Force. 
• The NSA this week released the ‘Advancing Zero Trust Maturity throughout the User Pillar’ cybersecurity information sheet to help system operators mature ICAM capabilities. The guidance is aimed at reducing the impact of cyber threats on the nation’s critical infrastructure and Defense Industrial Base (DIB) systems due to immature capabilities in ICAM. 
• The SEC proposed new cyber incident reporting rules for a range of financial organizations. The new rules make it mandatory for some financial organizations to annually test and review the effectiveness of their cybersecurity policies and procedures. In case of an attack, organizations are required to report within 48 hours of detecting the incident.  
• Researchers at Kaspersky got hold of a cache of 258 private keys that enabled them to generate a decryption tool for the MeowCorp ransomware. The ransomware had emerged after the source code for Conti was leaked last year in March and targeted around 257 victims. The decryption key can help hundreds of victims recover their files for free.  

The Bad

• The France-based multinational aviation company, Safran Group, was found leaking sensitive data for over a year due to a misconfigured database. The leaked information included the Laravel app key, JSON web token key, MySQL credentials, and SMTP credentials for the ‘no-reply’ emails. The exposure of the keys and credentials could have enabled attackers to gain access to the website’s backend, employee computers, and other servers. 
• Data security firm Rubrik disclosed that it was the victim of a ransomware attack that targeted a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. The firm was quick to take action by isolating the impacted IT testing environment.
• Since November 2022, there has been a more than 200% month-on-month increase in the abuse of YouTube to spread stealer malware such as Vidar, RedLine, and Raccoon. The videos pretend to be tutorials on downloading cracked versions of popular software, such as Photoshop, Premiere Pro, Autodesk 3ds Max, and AutoCAD, for free.   
• DeFi platform Euler Finance was hacked for $197 million worth of cryptocurrency assets. The attackers exploited a vulnerability in the donation feature of the platform to exfiltrate legitimate funds and transfer them to an account they controlled.  
• The U.K’s Wymondham College reported a sophisticated cyberattack that disrupted some of its systems. As a result, school officials were prevented from accessing some internal files and resources. While the classes continue to run as usual, the school is working with the NCSC to take appropriate response action. 
• LockBit ransomware gang hacked SpaceX contractor Maximum Industries and stole 3,000 proprietary schematics developed by the space company. The cybercrime crew has threatened to leak or sell the blueprints from March 20 onwards, if their ransom demand is not fulfilled. In another incident, the Staples-owned wholesale distributor of office products, Essendant suffered a network outage following an attack by LockBit gang.  
• Zoll Medical Corporation has begun notifying more than one million individuals of a healthcare data breach that affected their personal information. The potentially compromised information includes names, addresses, Social Security numbers, and birthdates of patients. The investigation is still ongoing and law enforcement authorities have also been notified about the breach.
• Multiple instances of phishing attacks leveraging the recent crisis at the Silicon Valley Bank (SVB) were reported this week. In one incident, the scammers had created dubious websites to trick users into handing over their personal and financial information. In another incident, researchers discovered a significant KYC phishing campaign utilizing SVB branding in a DocuSign-themed template. 
• A convincing Twitter scam that abused the platform’s quote-tweet feature was found targeting bank customers. Scammers impersonated popular banks and responded to the issues or complaints raised by their customers. The quote tweet followed a specific template and urged users to call on the fake helpline number shared in the text.

New Threats

• Cisco Talos identified a new threat actor running several successful espionage campaigns since June 2022. Named YoroTrooper, the attacker is responsible for attacks against a critical European Union healthcare agency and the World Intellectual Property Organization (WIPO). Information stolen during these incidents includes system information and credentials from multiple applications, browser histories, and cookies.  
• Microsoft discovered a new phishing kit, that has been part of several high-volume AiTM phishing attacks. Offered by a threat actor named DEV-1101, the kit was first advertised on a cybercrime forum in May 2022. The kit includes a wide range of readymade phishing pages that mimics several services such as Microsoft Office and Outlook.  
• A fake version of the ChatGPT chrome extension called Quick access to Chat GPT, was found hijacking Facebook accounts and installing backdoors that could give threat actors super-admin permissions to run paid ads and steal cookies of authorized active sessions. 
• In an update on the first-ever detected Dero cryptojacking operation, researchers revealed that threat actors have potentially deployed more than 4,000 miners since February. The operators targeted exposed Kubernetes clusters to spread the mining malware. 
• A new Android trojan named GoatRAT targeted the mobile apps of three Brazilian banks - NuBank, Banco Inter, and PagBank- to steal funds from users' accounts. The trojan uses a four-step process to perform automated transfer once it infects a user’s device. Once the targeted app is identified, it creates a fake banking overlay window above the legitimate application to hide its malicious activity. 
• Researchers shared details of a new Go-based botnet called HinataBot that abuses old vulnerabilities and weak credentials. The botnet appears to share similarities with the Mirai botnet and is still under development.
• A newly discovered .NET malware injector is being used in the wild to deliver a wide range of malware. Tracked as dotRunpeX, the malware rose to prominence between November 2022 and January 2023. The malware leverages the process hollowing technique to hide its presence during the infection process. 
• Threat actors leveraged trojanized versions of Telegram and WhatsApp apps to target Android and Windows users with clipper malware. These malware were designed to enable their operators to steal crypto assets by switching the cryptocurrency wallet address sent by victims in chat messages with the address of the attackers.