Cyware Weekly Threat Intelligence, May 22–26, 2023

The Good

This week witnessed a new round of significant developments in the cybersecurity world. Cyber agencies unveiled an updated version of the #StopRansomware guide that was first released in 2020. This comes in the wake of escalating ransomware attacks across multiple sectors. In other news, the FTC proposed amendments to the Health Breach Notification Rule, owing to an increase in the use of health apps and connected devices. 
  • The FTC proposed changes to the Health Breach Notification Rule, owing to an increase in the use of health apps and connected devices, many of which are not covered by HIPAA. The proposed amendments are aimed at enhancing patient data privacy and preventing organizations from improperly disclosing users’ data without their knowledge. 
  • Google announced the launch of the 0.1 Beta version of Graph for Understanding Artifact Composition (GUAC) for organizations to enhance security against software supply chain attacks. The graph gives organizations actionable insights into their software supply chain security posture by aggregating software security metadata from different sources.  
  • The CISA, along with the Joint Ransomware Task Force, has updated the #StopRansomware guide to help organizations reduce the impact of ransomware attacks. This latest version of the guide is a response to the new tactics and techniques adopted by ransomware attackers in the last three years. It includes best security practices that are aligned with the CPGs developed by the CISA and the NIST. 

The Bad

Although organizations and governments are trying their best to stay ahead of threat actors, the number of attacks doesn’t seem to be getting any lower. While the Black Basta group was held responsible for attacks on a German arms company, the BlackByte group claimed the city of Augusta as its latest victim. In separate news, a Brazilian cybercrime group infiltrated over 30 Portuguese organizations to steal users’ personal and financial information.

  • Microsoft and the NSA revealed that a stealthy China-based group, called Volt Typhoon, managed to infiltrate critical infrastructure organizations in the U.S. and Guam using living-off-the-land techniques. The attackers also used a network of compromised SOHO routers to proxy and hide connections from infected networks inside residential internet traffic. The targeted organizations were in the communications, manufacturing, transportation, maritime, and education sectors, among others.
  • More than 1.5 million WordPress sites using the Beautiful Cookie Consent Banner plugin have been targeted in an ongoing attack campaign that enabled attackers to gain unauthorized access to sensitive information and launch malware attacks. The attackers exploited an XSS vulnerability in the plugin to infiltrate the sites.
  • A Brazilian cybercrime group targeted more than 30 Portuguese financial institutions, including government organizations and private institutions, in a campaign dubbed Operation Magalenha. The attacks were aimed at stealing credentials and PII data from users associated with these organizations.
  • A phishing campaign impersonating OpenAI was found stealing users’ business email account credentials. The email requested recipients to verify their email addresses to continue using their personal ChatGPT. To further deceive the victims, threat actors manipulated the sender’s domain address to make it appear as if the email originated from the organization’s IT support. 
  • Apria Healthcare, a manufacturer of home medical equipment, disclosed that the personal data of almost 1.9 million patients and employees may have been impacted by data breaches that occurred over a series of months in 2019 and 2021. The impacted data included medical, health insurance, and financial information and, in some cases, Social Security numbers of individuals.
  • An unprotected database belonging to SuperVPN exposed 133 GB of sensitive data that included email addresses, IP addresses, and geolocation info of users. The database also revealed secret keys, Unique App User ID numbers, and UUID numbers, which can be used to identify other useful information.
  • The FBI warned U.S. citizens and individuals who travel or live abroad of the risk of false job advertisements. Scammers contact victims, primarily in Asia, in employment fraud schemes on social media and online employment sites. Upon job seekers’ arrival in a foreign country, criminal actors use multiple means to coerce them into committing cryptocurrency investment scams.
  • German arms manufacturer Rheinmetall confirmed that the Black Basta ransomware group was responsible for a cyberattack detected in April. According to officials, the attack affected only the company’s civilian business.
  • The Cuba ransomware group claimed responsibility for the cyberattack on The Philadelphia Inquirer, publicly releasing financial documents, account movements, balance sheets, tax documents, compensation details, and source code allegedly attributed to the newspaper. Meanwhile, the firm has denied the data leak claims in a fresh update.
  • BlackByte ransomware group added the city of Augusta, Georgia, to its list of victims and has demanded $50 million in ransom to prevent the release of stolen data. Meanwhile, the city is investigating whether any data was stolen in the intrusion.  

New Threats

Coming to new threats, a new Android malware, which is based on AhMyth RAT, targeted over 50,000 users by masquerading as a trojanized recorder app on Google Play Store. The DarkCloud info-stealer was observed in a fresh campaign that also employed Clipbanker to steal the crypto wallet addresses of users. Besides, two new botnets inspired by the Mirai botnet, capable of launching massive DDoS attacks, were also uncovered by researchers. 

  • A threat actor identified as UAC-0063 leveraged a compromised email account to distribute a variety of malware such as LOGPIE, CHERRYSPY, and STILLARCH. The campaign was targeted at a Ukrainian government agency. The primary objective of the attacks, as determined by CERT-UA, is to gather intelligence.
  • Researchers uncovered a new Android malware, called AhRat, based on AhMyth RAT. The malware was distributed via version 1.3.8 of the iRecorder screen recording app on the Google Play Store. It can extract user data, capture screenshots, record private audio, and collect keystrokes. 
  • The DarkCloud info-stealer was back in a new campaign that used spam emails for distribution. Alongside DarkCloud, threat actors also deployed Clipbanker, which steals the crypto wallet addresses of users. The email urges recipients to review the enclosed payment statement sent to the company account.
  • A malware campaign was found impersonating the CapCut video editing tool to spread different stealers. One of these was Offx Stealer that attempted to steal credentials and cookies from web browsers and target data stored in Discord, Telegram, popular cryptocurrency wallet apps (Bytecoin, Atomic, Zcash), and remote access software (AnyDesk and UltraViewer). Another malware associated with the campaign was Redline Stealer.
  • A new ransomware operation dubbed Buhti, built on the leaked source code of the LockBit and Babuk ransomware, has been found targeting Windows and Linux systems. It uses the double extortion tactic to blackmail victims. It is believed that the attackers are exploiting recently disclosed vulnerabilities to distribute ransomware payloads.
  • A newly discovered malware, Pikabot, has been active since early 2023. The malware consists of two components: a loader and a core module. It resembles QakBot and uses an extensive set of anti-analysis techniques. It has been observed distributing Cobalt Strike.
  • An ongoing threat campaign is infecting YouTube viewers searching for pirated software with a variety of malware such as Vidar stealer, Laplas clipper, and XMrig miner. The primary goal of the campaign is to steal credentials, collect sensitive information, and perform cryptojacking attacks on systems.
  • IZ1H9, a variant of the Mirai botnet, leverages multiple vulnerabilities across different vendors to launch DDoS attacks against servers and networking devices running Linux. Some of the targeted vulnerabilities are command injection vulnerabilities in Tenda G103 and LB-Link and a remote code execution vulnerability in DCBI-Netlog-LAB routers.
  • A new botnet, dubbed Dark Frost, was found targeting the gaming industry. Modeled after Gafgyt, Qbot, Mirai, and other malware strains, the botnet is capable of launching UDP flood attacks of up to 629.28 Gbps. The botnet has so far launched DDoS attacks against different gaming companies, game server hosting providers, online streamers, and even other members of the gaming community.
  • Mandiant researchers identified a new strain of OT/ICS malware, named COSMICENERGY, capable of disrupting electrical power grids. The malware contains functionality to interact with IEC-104 devices, which includes remote terminal units for power grid equipment across Europe, the Middle East, and Asia.  
  • The BlackCat ransomware group was found using a signed malicious Windows kernel driver, an enhanced version of the POORTRY malware. The addition will help attackers evade detection by security software solutions.
  • A previously unseen ransomware, called Moneybird, was used in targeted attacks against Israeli organizations. The stolen data was eventually leaked by a threat actor using the same name, which is believed to be an alias of the Iran-based Agrius threat actors.
  • A newly found malware, named Bandit Stealer, is being used to target browsers and cryptocurrency wallets. Written in Golang, the info-stealer includes various evasion techniques and currently focuses on the Windows platform.


Posted on: May 26, 2023
