Cyware Weekly Threat Intelligence, March 20–24, 2023

The Good

• The DHS’ Science and Technology Directorate and the Republic of Korea’s Ministry of National Defense Acquisition Program Administration signed a memorandum to boost their security capabilities against cyber and other threats. As per the agreement, both nations will work side-by-side and share technical information, along with emerging technologies to protect citizens from sophisticated cyber threats.
• The CISA has released a new open-source incident response tool called ‘Untitled Goose Tool’ that can help organizations to detect signs of malicious activity in Microsoft cloud environments. The tool comes with several authentication and data collection methods that can be used to run a full investigation on Azure AD, Azure, and Microsoft 365 environments.
• This week the U.K government issued several new strategies to improve the overall cybersecurity posture of the nation. In one instance, the NHS provided new guidelines for cyber resilience in the country’s healthcare sector. On the other hand, the NCSC announced two new services—Cyber Action Plan and Check Your Cyber Security—to help small businesses effectively enhance their cyber risk management.   

The Bad

• Lionsgate streaming platform leaked nearly 37 million subscribers’ IP addresses and data due to an unprotected Elasticsearch database. The entries in the database were old as May 2022 and also contained other information such as the platform’s usage data, search queries entered by users, and titles of URLs.
• Fresh product giant Dole Food Company revealed that the ransomware attack in February compromised the information of an undisclosed number of employees. Furthermore, the incident impacted several operations, which led to a shortage of Dole products on store shelves for over a week.  
• Saks Fifth Avenue has emerged as the newest victim of aggressive Cl0p ransomware attacks that compromised over 130 organizations. Other victims include the City of Toronto, the Pension Protection Fund, and Virgin Group (the U.K). These organizations were impacted by attacks that exploited vulnerable GoAnywhere MFT servers. The ransomware gang claimed the attack by sharing the name of the retail firm on its leak site. 
• On March 20, Ferrari revealed that its Italian subsidiary, Ferrari S.p.A, was the victim of a ransomware attack. The attacker has demanded a ransom to prevent the leak of contact details of clients. At present, the luxury sports cars company claims that there is no evidence of sensitive data being accessed and that there is no impact on its operations. 
• Over 2,400 phishing pages impersonating well-known companies in the logistics, food & beverage, and petroleum industries were used to target Arabic-speaking job seekers. The campaign was active from January 2022 to January 2023 and lured victims with web pages containing descriptions about fake vacancies.
• The LockBit gang has threatened to leak the files and data stolen from the City of Oakland’s systems. The attackers have given a 19-day deadline after which they plan to publish the stolen data. However, the city is yet to issue a statement regarding the claims. 
• The Play ransomware gang took responsibility for the attack on the logistics company Royal Dirkzwager. The gang added the company’s name to its Tor leak site and announced the theft of stolen private and personal information, including employee IDs, passports, and contracts. 
• The personal data of nearly one million users connected with PowderRoom, a beauty content platform in South Korea, is at risk due to a leaky database. The database was publicly available for over a year and included full names, email addresses, Instagram usernames, and home addresses of users. 

New Threats

• In a joint advisory, the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warned that the notorious Kimsuky APT is using a malicious Chrome extension and Android apps to intercept and steal victims’ email content. The campaign is aimed at diplomats, journalists, government agencies, university professors, and politicians in South Korea, the U.S., and Europe. 
• A new Kritec skimming malware was used in Magecart attacks to target Magento stores. The malware masqueraded as a legitimate Google Tag Manager to evade detection. Once executed, the stolen credit card details were exfiltrated twice - one via a WebSocket skimmer and the other via a POST request. Apart from abusing Google Tag Manager, Magecart actors were also found hiding malicious code inside the ‘Authorize[.]net’ payment gate module for WooCommerce to steal credit card details.
• Researchers disclosed a campaign where the North Korea-based ScarCruft APT used Microsoft Compiled HTML Help (CHM) files to deploy malware on targeted machines. The latest development illustrates the group’s continuous efforts to refine its tactic to bypass detection. 
• A new Android banking trojan, dubbed Nexus, is being used by several threat actors to target 450 financial applications and conduct fraud. While it is still under development, the trojan provides all the main features to perform ATO attacks against banking portals and cryptocurrency services. The trojan is advertised on various hacking forums for a monthly fee of $3,000. 
• The PoC for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites has been released, indicating that organizations using these products must immediately apply security patches to stay safe. One of these flaws is related to a remote command execution vulnerability. 
• Government agencies and organizations operating in Russia-occupied territories of Ukraine are being targeted with new malware strains, named CommonMagic and PowerMagic. Active since September 2021, the malware are designed to steal data from victims’ devices. They are distributed via phishing emails with a link to a ZIP archive. 
• Threat actors are abusing the legitimate Adobe Acrobat Sign service to distribute the notorious RedLine information stealer. The infection chain starts with a phishing email that asks recipients to verify a report by clicking on the review and sign button. Once the victim clicks on the button, they are redirected to a site that asks them to enter a CAPTCHA that is hard coded. Consequently, the victim downloads the ZIP archive that contains the trojan.
• Attackers have been found impersonating legitimate packages via typosquatting to infect .NET developers with cryptocurrency stealers. These malicious packages are delivered through the NuGet repository, with three of them being downloaded over 150,000 times within a month. The malicious packages are designed to download and execute a PowerShell-based dropper script that configures the compromised system before dropping the second-stage payload.
• The threat group tracked as REF2924 has been found deploying previously unseen malware in its attacks against entities in South and Southeast Asia. The malware, dubbed NAPLISTENER, is an HTTP listener programmed in C# and is designed to evade network-based forms of detection. In addition to NAPLISTENER, the hacking group has also been associated with multiple custom malware tracked as SiestaGraph and Somnirecord, among others. 
• A new variant of BlackGuard stealer has been spotted with capabilities like USB propagation, persistence mechanisms, and targeting additional crypto wallets. While the developers are constantly improving the malware, researchers warn that the new variant is being widely used to launch attacks. 
• A new variant of the FakeGPT Chrome extension titled ‘Chat GPT for Google’ is targeting Facebook users in an attempt to hijack their accounts. The attack is an extension of the FakeGPT campaign that was discovered on March 14. This time, the malicious extension is not pushed using sponsored Facebook posts but rather is distributed by abusing Google Ads.