Cyware Weekly Threat Intelligence - September 16–20

Weekly Threat Briefing Sep 20, 2024

The Good

German law enforcement has dealt a double blow to cybercriminals, first by dismantling infrastructure used by the Vanir Locker ransomware group. In a separate operation, they took down 47 cryptocurrency exchanges used for illegal money laundering, redirecting users to an Operation Final Exchange page that exposes the platforms’ deceptive activities. The CISA and the FBI are calling on software manufacturers to rethink their approach, issuing a Secure by Design Alert to tackle the widespread occurrence of cross-site scripting (XSS) vulnerabilities.

  • German law enforcement has taken down infrastructure used by a ransomware group that deployed the Vanir Locker malware in a small number of attacks. They seized control of a leak site used by the hackers, preventing data stolen from affected companies from being published. In a parallel action, they also seized 47 cryptocurrency exchange services in the country used by cybercriminals for illegal money laundering. These platforms allowed anonymous cryptocurrency transactions, creating a low-risk environment for criminals. Visitors to the seized exchanges are now redirected to an Operation Final Exchange warning page that informs them of the deception by the exchange operators. The exchanges with the most users and transactions have been listed.
  • A global law enforcement operation called Operation Kaerb dismantled a criminal network that used the iServer platform to carry out automated phishing attacks, targeting 483,000 victims worldwide. The operation involved authorities from several countries and resulted in the arrest of 17 suspects, including the administrator of the phishing platform.
  • The CISA and the FBI issued a Secure by Design Alert to address the prevalence of cross-site scripting (XSS) vulnerabilities in software. They emphasize the need for manufacturers to prioritize customer security, embrace transparency, and build organizational structures to prevent XSS vulnerabilities. The alert provides principles and action items for software manufacturers to eliminate entire classes of vulnerabilities during the design and development phases. It also encourages manufacturers to take the Secure by Design Pledge and stay informed on best practices.
  • The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called Raptor Train that targeted critical infrastructure in the US and other countries. The botnet infected over 260,000 networking devices, including routers, modems, IP cameras, and NVR devices, and was used to target entities in military, government, education, and IT sectors. It operated as a complex, multi-tiered network with an enterprise-grade control system and was linked to state-sponsored Chinese hackers. The FBI executed operations to take control of the botnet infrastructure. Steps to protect against Raptor Train include checking for large outbound data transfers and regularly updating and replacing vulnerable devices.

The Bad

Microsoft flagged Vanilla Tempest as the latest ransomware affiliate preying on the U.S. healthcare sector. In a recent attack, the Storm-0494 group used the INC ransomware, along with malware like Gootloader and Supper, to breach networks. GitHub users are under fire as cybercriminals weaponize the platform, spreading Lumma Stealer through fake vulnerability issues and phishing email alerts. The Russian Key Group is deploying Chaos ransomware to encrypt files and steal data, leaving victims with little hope of recovery. Using Telegram channels to demand ransom payments, the group disables system recovery and leaves files scrambled.

  • Microsoft has identified Vanilla Tempest, a ransomware affiliate, targeting U.S. healthcare organizations in INC ransomware attacks. In an attack on the U.S. healthcare sector, Vanilla Tempest gained access through the Storm-0494 threat actor and deployed malware like Gootloader and Supper before dropping INC ransomware. While the specific victim was not named, a similar attack affected Michigan's McLaren Health Care hospitals last month, causing disruptions to patient information databases and services. The threat actor conducts lateral movement through RDP and leverages the Windows Management Instrumentation Provider Host to deploy the INC ransomware payload.
  • A threat campaign has been found using GitHub to distribute Lumma Stealer. Malicious actors create fake security vulnerability issues on open source repositories, prompting users to visit a fake GitHub Scanner domain that distributes Windows malware. The campaign also sends convincing email alerts from legitimate GitHub servers, tricking users into accessing the malicious domain. The malware steals sensitive information and targets GitHub users, potentially aiming to compromise source code and conduct supply chain attacks.
  • The Russian ransomware group Key Group has been spotted using the .NET-based Chaos ransomware to encrypt files, steal data, and demand ransom via Telegram. The ransomware encrypts files, appending a random extension, and disables system recovery, while sparing certain files. A ransom message is displayed upon completion of encryption, directing victims to two URLs for payment. Victims are cautioned not to engage with the attackers, as data recovery is unreliable and the risk of permanent data loss remains even after payment.
  • North Korean hackers are targeting cryptocurrency users on LinkedIn using the RustDoor malware. The attacks involve pretending to be recruiters for legitimate decentralized cryptocurrency exchanges like STON.fi, aiming to infiltrate networks under the guise of interviews or coding assignments. RustDoor is a macOS malware designed to steal information and operate as a backdoor with two different command-and-control servers.
  • Cryptocurrency exchange Binance alerted users to a surge in clipper malware attacks targeting cryptocurrency holders. This malware, known as ClipBankers, can intercept clipboard data and replace cryptocurrency wallet addresses with those controlled by attackers. Binance issued a warning on September 13, after noticing a significant rise in malicious activity, causing financial losses for affected individuals.
  • Cyble uncovered a sophisticated cyber campaign targeting attendees of the U.S.-Taiwan Defense Industry Conference. The attack involves a deceptive ZIP archive disguised as a conference registration form, which, when opened, executes covert actions to establish persistence and download additional malicious content. The attackers use advanced in-memory execution techniques to evade traditional detection methods and exfiltrate sensitive data.
  • A malware campaign was found locking users in their browser's kiosk mode to trick them into entering their Google credentials. This information-stealing malware, called StealC, then captures and sends the stolen credentials back to the attacker. The attack technique, discovered by OALABS researchers, has been observed since at least August 22, 2024, and is primarily associated with Amadey malware.

New Threats

Earth Baxia exploited a GeoServer vulnerability in spear-phishing attacks, targeting government networks in Taiwan and the APAC region. Using tools like GrimResource and EAGLEDOOR, they compromised energy and telecom sector firms across South Korea, Vietnam, and Thailand. UNC2970 used fake job offers in energy and aerospace to deliver the MISTPEN backdoor through a trojanized SumatraPDF, gaining access to critical infrastructure with phishing lures. The CISA urged immediate patching of an Apache HugeGraph-Server flaw after reports of active exploitation.

  • Earth Baxia targeted a government organization in Taiwan and potentially other countries in the APAC region, using spear-phishing emails and the GeoServer vulnerability CVE-2024-36401. The threat actor utilized GrimResource and AppDomainManager injection to deploy additional payloads, including customized Cobalt Strike components and a new backdoor named EAGLEDOOR. The threat actor's activities were primarily targeted at government agencies, telecommunication businesses, and the energy industry in countries such as the Philippines, South Korea, Vietnam, Taiwan, and Thailand.
  • A North Korea-linked cyber-espionage group, UNC2970, used phishing lures to target victims in critical infrastructure verticals. The attackers posed as job openings from prominent companies in the energy and aerospace industries. They delivered malicious files containing a backdoor, MISTPEN, via a trojanized version of SumatraPDF. The backdoor was capable of downloading and executing PE files and communicated with Microsoft Graph URLs.
  • The CISA added a critical remote code execution flaw (CVE-2024-27348) in Apache HugeGraph-Server to its KEV catalog. Apache released a fix in version 1.3.0, urging users to upgrade, use Java 11, enable the Auth system, and activate "Whitelist-IP/port" for RESTful API security. Active exploitation of CVE-2024-27348 has been reported, requiring federal agencies and critical infrastructure to apply mitigations before October 9. The CISA also added other flaws to the KEV catalog, including vulnerabilities in Microsoft SQL Server (CVE-2020-0618), Windows Task Scheduler (CVE-2019-1069), Oracle JDeveloper (CVE-2022-21445), and Oracle WebLogic Server (CVE-2020-14644).
  • Varonis Threat Labs discovered a vulnerability in Salesforce's public link feature, which could be exploited by threat actors to access sensitive data. The vulnerability was related to the undocumented Salesforce Aura API and SOQL subqueries, allowing for a blind SOQL injection attack to retrieve customer information, including PII. Salesforce patched the vulnerability in February. The vulnerability affected virtually any public link generated by Salesforce, posing a widespread risk to data exposure.
  • Apple's Vision Pro headset was affected by a security flaw named GAZEploit, allowing attackers to infer virtual keyboard inputs. The vulnerability, CVE-2024-40865, was patched in visionOS 1.3. Researchers found that analyzing eye movements on a virtual avatar could reveal text entered on the keyboard, compromising user privacy. Threat actors could exploit this to extract sensitive information like passwords, using supervised learning models to differentiate typing sessions from other VR activities.
  • Microsoft recently patched a Windows MSHTML spoofing vulnerability, identified as CVE-2024-43461, which had been exploited by the Void Banshee APT hacking group. Void Banshee utilized the flaw in zero-day attacks to deploy information-stealing malware. The vulnerability allowed attackers to hide the .hta file extension as a PDF, making it more likely to be opened by users. Despite a security update, the file may still confuse users into opening it as a PDF.
