Cyware Weekly Threat Intelligence, August 08 - 12, 2022

The Good

• The HC3 released an advisory in the wake of rising malware attacks against IoT devices in healthcare. The department has provided numerous tips and tactics to improve security while highlighting the most common types of attacks on these devices.
• A coalition of cybersecurity and technology leaders has announced the release of the Open Cybersecurity Schema Framework (OCSF) project. The project aims at reducing the burden on security teams by simplifying the process of ingestion and normalization of threat data. 
• The RTF introduced the ‘Blueprint for Ransomware Defense.’ It includes a set of actionable measures for SMEs to protect against and respond to ransomware and other common cyberattacks. 

The Bad

• Managed Service Provider (MSP) Advanced confirmed a ransomware attack on its seven software solutions. This has impacted the connectivity with the U.K’s National Health Service (NHS) and other firms using the solutions, especially emergency services. 
• Attackers are spoofing Coinbase accounts in a new phishing campaign to steal users’ credentials and their funds. These spoofed accounts are distributed via emails to trick users.
• In May, an automotive supplier was the victim of a triple ransomware attack, making it difficult to recover its encrypted files. Attackers behind three ransomware— LockBit, Hive, and BlackCat—had exploited the misconfigured RDP to spread across the networks.  
• Palo Alto Networks is working on a vulnerability that was exploited to launch reflected DDoS attacks. The flaw, tracked as CVE-2022-0028, affects firewalls from multiple vendors.
• The sophisticated scam-as-a-service operation dubbed Classiscam has now expanded to Europe. Active for more than a year, the scam especially targets people using marketplaces and services relating to property rentals, hotel bookings, online bank transfers, online retail, ride-sharing, and package deliveries. 
• Cisco shared insights into a recent cyberattack that was carried out by compromising an employee’s credentials. This enabled an attacker to conduct a series of sophisticated voice phishing attacks and gain access to critical internal systems. Both Lapsus$ and Yanluowang ransomware gangs are believed to be behind the attack.  
• 7-Eleven was forced to close its outlets in Denmark after suffering a cyberattack. The convenience store chain could not use the cash register or accept payments.
• Communications giant Twilio confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. The accessed data included addresses, payment details, IP addresses, and proof of identity of 125 customers.
• Kaspersky has linked a series of attack campaigns with the TA428 threat actor group. These attacks were primarily aimed at organizations in Asia and Eastern Europe and involved the use of a variety of malware i.e nccTrojan, Logtu, Cotx, DNSep, and CotSam. 
• Email marketing firm Klaviyo disclosed a data breach after threat actors gained access to internal systems and downloaded marketing lists for cryptocurrency customers. The attack was carried out by compromising an employee’s account.  
• A large-scale phishing campaign is abusing Google sites and the Microsoft Azure Web app to create fake websites for Coinbase, MetaMask, Kraken, and Gemini. These fake websites are being used as channels to target people’s wallets and their assets.
• Best Buy was targeted in an impersonation attack, enabling threat actors to steal users’ credentials. Phishing emails were used to spread the fake website. 

New Threats

• A group of researchers demonstrated a new attack method, dubbed (Scheduler Queue Usage via Interference Probing) SQUIP, that could allow attackers to steal sensitive information from modern processors. The attack impacts products from AMD, Ryzen, Athlon, and EPYC. 
• Another attack method named AEPIC Leak has also been found to impact Intel CPU. This exists due to an architectural bug and can allow attackers to obtain potentially sensitive information.  
• The group behind CopperStealer malware is leveraging a malicious Chromium-based browser extension to steal cryptocurrency and users’ wallet account information. The malicious extension is distributed via fake crack websites that is in the wild since July. 
• A new class of HTTP request smuggling attacks can enable threat actors to compromise multiple popular websites. Named browser-powered desync, the attack can be used to compromise Amazon sites and those using the AWS Application Load Balancer, Cisco ASA WebVPN, Akamai, Varnish Cache servers, and Apache HTTP Server 2.4.52.
• A new variant of SOVA Android trojan has been spotted in the wild. The malware variant includes two-factor authentication, cookie stealing, and injection capabilities. It is being used against multiple Philippine banks. 
• The FBI and the CISA released a joint advisory about Zeppelin ransomware. The ransomware has been active since 2019 and has targeted multiple organizations in the healthcare, manufacturing, educational, and technology sectors.
• Researchers have shared technical details on Dracarys spyware that was used by the Bitter APT group for targeting users in New Zealand, India, Pakistan, and the U.K. The malware is being distributed via a trojanized version of the Signal messaging app.
• Andariel, a subgroup of Lazarus, uses Maui ransomware and DTrack spyware, to carry out financially targeted attacks on companies. Reports suggest that multiple organizations located in India, Vietnam, and Russia were the target of such attacks in 2021.
• DoNot Team APT reportedly has added new modules to its Windows spyware framework aka YTY, Jaca. The new modules are a browser stealer component and a new shellcode loader component that analyzes a new DLL variant of the reverse shell.
• DeathStalker APT has upgraded the capabilities of VileRAT to perform more sophisticated attacks on foreign exchange and cryptocurrency trading companies. Researchers have observed multiple samples of the malware in the wild, with the latest sample identified in June.