Cyware Weekly Threat Intelligence, March 18–March 22, 2024

The Good

• The U.S. House of Representatives unanimously passed a bill to prevent data brokers from selling Americans' sensitive data to foreign adversaries, particularly China. The bill complements other legislation targeting TikTok's Chinese ownership. While privacy advocates see this as progress, they urge for a more comprehensive data privacy bill to be passed.
• The NCSC issued a comprehensive cybersecurity guideline to help organizations in critical infrastructure sectors make informed decisions while migrating their SCADA systems to the cloud. It highlights the benefits and challenges of cloud-hosted SCADA, emphasizing the need for a risk-based decision, with a focus on cyber security. The guidance, furthermore, explains how moving SCADA to the cloud fundamentally alters management, security, connectivity, and access control. It outlines key sections including understanding business drivers and cloud opportunities, evaluating organizational readiness, and assessing technology suitability for migration to the cloud.
• German police seized the infrastructure of the darknet marketplace Nemesis, taking down its website. The operation was a result of collaboration between law enforcement in the U.S., Lithuania, and Germany. The marketplace, involved in the sale of illegal goods and cybercrime services, had over 150,000 users and 1,100 sellers. Authorities also confiscated cryptocurrency assets and are investigating the operators for drug trafficking and running a criminal trading platform.
• The White House has proposed a 10% increase in cybersecurity funds for federal civilian agencies in the 2025 budget. This would bring the total federal civilian cyber spend to $12.33 billion. The funding aims to secure federal networks, combat cyber threats, and improve information sharing between the government and private sector. The Department of Homeland Security and other key agencies would receive funding to enhance data privacy and financial security enforcement. The proposal aligns with the National Cybersecurity Strategy and includes measures to strengthen defenses against cyber threats and improve the federal government's cybersecurity posture.

The Bad

• The Rhysida ransomware group claimed responsibility for the cyberattack on U.S. luxury yacht dealer MarineMax. Rhysida is holding a seven-day auction to sell the stolen data, offering a potential plan B payout if the victim refuses to pay, a method not commonly utilized by other ransomware groups. The data is related to accounts and finances, potentially valuable due to the high-net-worth clientele of MarineMax.
• New Zealand-based MediaWorks is investigating an alleged security incident after a digital adversary asserted to have stolen the data of just over 2.4 million individuals. The company has not yet publicly confirmed the breach but stated that the claims are related to data from website competition entries. The stolen data reportedly includes personally identifying information such as names, addresses, dates of birth, SSNs, and contact details. Financial details and passwords are believed to be unaffected.
• Multiple state and local governments, including Jacksonville Beach and Pensacola in Florida, reported cyberattacks resulting in unauthorized access to personal information such as names and SSNs. The Jacksonville Beach incident impacted 48,949 people, while the Pensacola attack impacted 26,499 people.
• Cybercriminals compromised the official contact email for the Belgian Grand Prix event, enticing fans with a fraudulent €50 (~$54) gift voucher offer. While the extent of the breach remains unclear, affected individuals are urged to remain vigilant and contact the event's secretariat for assistance. Importantly, the incident did not compromise the security of the official website or ticketing system.
• An Iran-affiliated hacking group, claiming association with 'Anonymous', announced breaching Israel's Shimon Peres Negev Nuclear Research Center in solidarity with Gaza. The attackers purportedly leaked documents, denouncing civilian harm. However, a social media post hinted at risks, advocating Dimona and Yeruham evacuations. Despite accessing IT networks, evidence of breaching operational technology remains elusive, given nuclear facilities' robust safety measures.
• A report highlighted that Smokeloader malware was used as a major tool employed by Russia-linked cybercriminals for financial hacks in Ukraine. Between May and November 2023, 23 Smokeloader campaigns targeted various Ukrainian entities, including financial and government institutions. The hackers, identified as UAC-0006 by CERT-UA, aimed to steal tens of millions of hryvnias. Using phishing campaigns with compromised email addresses, they tricked victims into opening malicious attachments.
• A hacking attempt against Pokémon Company prompted proactive password resets for affected individuals. The company confirmed that no breach has occurred, and only a small fraction (0.1%) of accounts were compromised. It is assumed to be a credential-stuffing attack by adversaries. Notably, Pokémon Company does not currently offer two-factor authentication.
• California-based Crinetics Pharmaceuticals is allegedly under attack by the LockBit ransomware group. LockBit members have demanded a $4 million ransom from the firm and have been given a deadline of March 23. According to a spokesperson from the firm, experts detected “suspicious activity in an employee’s account and disabled it on the same day.”
• Documentation startup Mintlify suffered a data breach, exposing the GitHub tokens of 91 customers due to a vulnerability in its systems. These tokens allowed access to users' source code repositories. Mintlify is reportedly working with GitHub to assess any unauthorized access to private repositories.
• A significant data leak stemmed from misconfigured Google Firebase instances, starting with hacking Chattr, an AI hiring system used by various US organizations. Exploiting a weakness in Chattr's Firebase implementation, researchers identified 900 websites exposing data on 125 million users, including names, emails, phone numbers, passwords, and billing information.
• Nevada-based Nations Direct Mortgage disclosed a breach that affected over 83,000 customers. The inquiry established that an unauthorized third party gained access to and potentially extracted data belonging to specific individuals nationwide. The third party may have obtained personal information such as names, addresses, Social Security numbers, and unique Nations Direct loan numbers.

New Threats

• A threat group, dubbed Fluffy Wolf, employed phishing emails with accounting report lures to distribute malware, including Meta Stealer, targeting Russian organizations. Despite its low technical sophistication, the group's campaign underscores the ease of leveraging readily available malware and legitimate tools like Remote Utilities. Organizations were urged to enhance their cyber defenses, including managed email security services and threat intelligence platforms.
• Microsoft issued a patch for a vulnerability, tracked as CVE-2024-2891, affecting Xbox Gaming Services. Initially dismissed as a non-security issue, it allowed local attackers with low privileges to escalate permissions to System. Microsoft acknowledged the severity of the issue and began working on a fix following public exposure. The patch, included in app package versions 19.87.13001.0 and later, is automatically distributed to users with enabled automatic updates.
• Small business owners and self-employed individuals are being targeted by a tax scam, prompting them to apply for an IRS Employer Identification Number (EIN) through a fraudulent email. Scammers likely obtained email addresses from data brokers, seeking extensive personal information, including SSNs. There are telltale signs of the scam, such as errors in website setup. Recipients are advised to exercise caution, refrain from clicking links, and report suspicious activity to the IRS.
• A new evasive Azorult campaign has been spotted targeting the healthcare sector wherein attackers leverage HTML smuggling via Google Sites to deliver a malicious JSON payload from an external source. The attack is disguised within fake Google Docs pages, bypassing scanners with CAPTCHA, and utilizing PowerShell scripts for payload delivery. The payload can steal sensitive data including login credentials, crypto wallet information, and browser data.
• SentinelOne researchers have identified a new variant of the data-wiping malware AcidRain, named AcidPour, specifically tailored to target Linux x86 devices. This ELF binary, distinct from previous iterations, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems. While the exact targets remain unclear, SentinelOne has alerted Ukrainian agencies, highlighting the ongoing threat of wiper malware.
• Security researchers reported AsukaStealer, a C++-based malware available being promoted on the dark web. Appears to be the predecessor of ObserverStealer, the malware boasts various capabilities such as deploying payloads, configuring FileGrabber settings, and delivering logs via Telegram. The comparison indicates similarities in their codebase and configuration retrieval methods, with AsukaStealer opting to decrypt data on the server to reduce its digital footprint.
• Cybersecurity researchers from G-Data discovered a campaign dubbed gitgub, utilizing at least 13 GitHub repositories to host cracked software to distribute the RisePro info-stealer. The campaign employed a common download link, leading to layered archives unpacked using provided passwords. The final stage unpacked the RisePro loader injecting its payload into system processes, collecting sensitive data, and exfiltrating it to Telegram channels.
• The ShadowSyndicate ransomware group was found actively scanning for servers vulnerable to CVE-2024-23334, a directory traversal flaw in the aiohttp Python library. Although a patch was released, exploitation attempts persist, with a recent PoC exploit on GitHub and YouTube tutorials. Cyble's threat analysts have detected exploitation attempts originating from IPs linked to ShadowSyndicate, suggesting potential breaches. Over 44,000 internet-exposed aiohttp instances globally.