Cyware Weekly Threat Intelligence, October 30–November 03, 2023

The Good

• The Forum of Incident Response and Security Teams (FIRST) officially released a new version (v4.0) of CVSS, eight years after the release of CVSS v3.0 in June 2015. The latest version addresses some of the shortcomings in the previous version by providing additional metrics such as Safety (S), Automatable (A), Recovery (R), Value Density (V), Vulnerability Response Effort (RE), and Provider Urgency (U). It also debuts a new nomenclature to enumerate CVSS scores using a combination of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) severity ratings.
• MITRE has announced the release of version 14 of the ATT&CK framework, bringing improvements to ICS, and mobile matrices. The new version covers a total of 760 pieces of software, 143 activity clusters (groups), and 24 campaigns across enterprise, mobile, and ICS. The mobile category has been expanded to include various types of phishing (smishing, quishing, and vishing), with structured detection methods. Additionally, the version has been enhanced to include significant detection analytics by drawing relationships between detection, data sources, and mitigations. 
• The U.S. and a consortium of 49 countries plan to sign an agreement, as part of the International Counter Ransomware Initiative, to not pay ransomware to cybercriminals. This comes as the number of ransomware attacks grows worldwide, with attendee nations pledging to improve information sharing about crypto payment accounts used by the ransomware actors. Additionally, the U.S. DoT will circulate the list of blacklisted digital wallets used by threat actors. 

The Bad

• According to crypto fraud researchers, hackers stole $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases. Once the hackers gained access to the information, they loaded the wallets on their devices and drained funds. The amount was stolen from over 25 victims affected in a LastPass breach in 2022.
• Mandiant researchers uncovered four active campaigns leveraging the Citrix Bleed vulnerability (CVE-2023-4966) to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. The flaw affects Citrix NetScaler ADC and Gateway appliances, allowing threat actors to access sensitive information on devices. All four campaigns extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz. 
• The aerospace giant, Boeing, confirmed that its systems were compromised by the LockBit ransomware group. While an investigation is underway, the firm disclosed that it has begun notifying customers and suppliers about the incident. Meanwhile, the attackers had given the company until November 2 to pay the ransom or have their sensitive files released publicly.
• A ransomware attack paralyzed 70 local municipalities in western Germany. As a result, most of the administration’s online services, including those of Wermelskirchen and Burscheid, remained unavailable and the administrations of Siegen canceled appointments with citizens.  
• An unprotected Elasticsearch instance belonging to World-in-HD (WiHD), a popular torrent tracker specializing in HD movies, exposed 97,327 accounts, including the email and passwords of users. The exposed data also included service information and hashed passwords for all the users. Threat actors can gain access to this data to perform illicit activities.  
• Data of almost 5,000 Okta employees was accessed in a third-party data breach that occurred on October 12. In a breach notification, the firm revealed that attackers stole a file containing names, Social Security numbers, and medical insurance details of current and former employees.
• The COVID-19 test details of nearly 815 million people were dumped on the dark web and put up for sale by cybercriminals. The data sample, which amounted to over 90 GB, was in the possession of the Indian Council of Medical Research (ICMR). It included names, phone numbers, and addresses of individuals. 
• The BlackCat ransomware gang added healthcare giant Henry Schein to its dark web leak site, claiming that it stole 35 TB of their data, including payroll data and shareholder information. The group asserted that they had re-encrypted the company's devices after a failed negotiation with the victim firm, who nearly completed system restoration. Additionally, they have threatened to release internal payroll and shareholder data on a daily basis.  
• The British Library and the Toronto Public Library suffered major IT outages due to cyberattacks. While the attack at the British Library impacted some of its online services and public Wi-Fi, the attack at the Toronto Public Library disrupted its website, account features, digital collections, and printing services. 

New Threats

• North Korean hackers suspected to be associated with the Lazarus group were observed targeting blockchain engineers in an unnamed cryptocurrency exchange platform with a new macOS malware named KANDYKORN. The malware comes with a variety of capabilities to monitor victims’ systems, avoid detection, run additional malware, exfiltrate data, and terminate processes.
• A pro-Hamas hacking group targeted Israeli entities with a new wiper named BiBi Linux Wiper. Written in C/C++, the malware is an x64 ELF executable and can potentially destroy an entire operating system when runs with root permissions. To expedite the infection process, this threat leverages multiple threads and employs a queue to synchronize their operations.
• An Iranian espionage group, tracked as Scarred Manticore, was caught using a new malware framework named LionTail. The attackers were linked to OilRig and employed web shells, shellcodes, and legitimate tools to perform various operations. LionTail appears to be the evolution of FoxShell and allows attackers to customize the implants with enhanced stealth. 
• Cybersecurity analysts at ASEC recently discovered a cyberespionage campaign leveraging Hangul Word Processor (HWP) software to target National Defense and press sectors. The attackers weaponized the software to send documents related to national defense, education, and broadcasting. 
• The Russia-based Turla APT deployed a new version of the Kazuar backdoor that supports over 40 commands to perform a wide range of malicious activity. Some of these commands can enable attackers to pilfer credentials, manipulate files, and execute arbitrary commands. Written in .NET, the malware is used as a second-stage payload to evade detection.  
• A supply chain attack campaign, which has been active since August, is being used to deploy malware on developers’ machines. The malware is distributed via malicious packages published on the NuGet repository. Additionally, threat actors have been observed updating tactics, such as exploiting NuGet’s MSBuild integrations feature, to stay under the radar and trick developers into downloading malware onto their systems.
• There has been a rise in the availability of malware ‘meal kits’ for less than $100 to fuel a surge in campaigns using RATs. The sneaky kit provides low-skill attackers the ability to sidestep detection and infect unsuspecting users’ systems with RATs. According to researchers, the toolkit was observed in two separate campaigns that deployed Vjw0rm and Parallax trojans.  
• Cybercriminals were found actively exploiting Google Search Ads to deploy Bonanza malware. By disguising malicious links as legitimate ads, attackers tricked users into clicking on them, ultimately leading to malware downloads or phishing attempts. People searching for PyCharm software, and wedding plans were primarily targeted in the attacks. 
• A new threat actor named Prolific Puma was discovered running an on-demand URL-shortening service for malware gangs as part of a novel Cybercrime-as-a-Service offering. The primary purpose of the service is to provide shortened URLs that get blacklisted by security firms instead of a customer's actual infrastructure. The service has been in operation since January 2020 and is primarily used in smishing attacks.
• Threat actors have been found actively scanning GitHub repositories for leaked AWS IAM credentials in a campaign dubbed EleKtra-Leak. The campaign has been active since December 2020 and enables attackers to gain access to AWS infrastructure and perform crypto-mining operations. The payloads are delivered via a Google Drive URL to evade detection.
• The Iranian nation-state actor known as MuddyWater was linked to a new spear-phishing campaign targeting two Israeli entities. As part of the attack, the attackers deployed a legitimate remote administration tool from N-able called Advanced Monitoring Agent. The content of the email lured the victims into downloading an archive hosted at a.storyblok[.]com.
• Security firm Phylum has uncovered 48 malicious packages in the npm repository. These counterfeit packages, attributed to an npm user named hktalent, deploy a reverse shell on compromised systems post-installation. These packages triggered an installation hook in the package.json file, executing JavaScript code to establish a reverse shell connection to rsh.51pwn[.]com. This would provide attackers with unauthorized access to compromised systems, potentially leading to further exploitation and data breaches.