Cyware Weekly Threat Intelligence, August 29 - September 02, 2022

The Good

• The NSA and the CISA released tips on securing the software supply chain. The guidelines are primarily designed to address threats to the U.S. critical infrastructure and national security systems.   
• The Health-ISAC has released a new whitepaper to provide zero trust security guidance to healthcare CISOs. This is aimed at bolstering the security efforts of healthcare organizations.  
• A new security framework for the U.K telecommunications industry will come into effect in October. Claimed to be one of the strongest regulations in the world, the framework has been developed to protect telecom networks against cyberattacks, data breaches, and software supply chain attacks. 
• The USCYBERCOM and the NSA have come together to renew their efforts to protect electoral procedures from cyberattacks and disinformation. The changes are made for the midterm elections that will be held in November.

The Bad

• More than 16,000 mailboxes associated with an international non-profit were targeted in a phishing attack designed to steal confidential information of users. Threat actors used phishing emails that spoofed the multinational American Express bank brand to trick victims. These emails included a link that redirected recipients to a fake landing page imitating American Express.
• In a new update related to the phishing attack against the PyPi repository, researchers have revealed that a threat actor dubbed JuiceLedger has been successfully compromising a number of legitimate packages to run low-key supply chain attack campaigns. Hundreds of typosquatting packages delivering the JuiceStealer malware have been identified.
• Chile’s CSIRT has disclosed a new double extortion attack against a government agency. The attack is believed to be the work of RedAlert ransomware attackers who targeted both Windows servers and Linux-based VMWare ESXi machines.
• Government officials in Montenegro were the target of an attack carried out by Cuba ransomware. The attackers claim to have stolen a variety of confidential files, including financial documents and source code. The officials have added that there is a ransom demand of $10 million.
• Russian media streaming platform START disclosed a data breach that impacted 7.5 million of its users. The stolen data includes email addresses, phone numbers, and usernames. 
• The FBI has issued a warning about the rising attacks against DeFi platforms. Cybercriminals are primarily leveraging the vulnerabilities in DeFi protocols to steal investors' cryptocurrency. 
• Data of over 2.5 million individuals with student loans from Oklahoma Students Loan Authority (OSLA) and EdFinancial were compromised after hackers breached the systems of Nelnet Servicing. The hacker had exploited a vulnerability to breach the systems.
• DESFA, Greece’s largest natural gas supplier, was hit by a cyberattack that impacted the availability of some of its systems. The Ragnar Locker group claimed responsibility for the attack and added that it had allegedly published more than 350 GB of stolen data.
• New findings reveal that Evil Corp is using Raspberry Robin infrastructure to carry out its attacks. This comes to light after Microsoft disclosed a Raspberry Robin infection delivering FAKEUPDATES malware (aka SocGholish). 
• A security researcher spotted a huge Chinese database containing 800 million records of faces and vehicle license plates, left exposed on the internet. The database belonged to a company called Xinai Electronics.
• The Lexington government, Kentucky, along with the FBI and Secret Service, is investigating a theft of $4 million in federal rent assistance and housing funds, conducted by intercepting the city's internal wire transfer processes.

New Threats

• A new Golang-based malware campaign was identified leveraging deep field images from NASA’s James Webb Space Telescope to deploy malware on infected devices. The campaign dubbed GO#WEBBFUSCATOR involved sending phishing emails that contained a Microsoft Office attachment named Geos-Rates.docx.
• Check Point researchers shared details of a new campaign that distributed Nitrokod cryptominer. So far, the campaign has targeted 111,000 users in 11 countries. The crypto miner is used to mine Monero.
• Developers behind Prynt Stealer info-stealing malware have created a secret backdoor that ends up in every derivative copy and variant of WorldWind and DarkEye malware families. The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat handled by the authors of the Prynt Stealer builder. 
• Snake keylogger was spotted in a new malspam campaign disguised as a business portfolio from a Qatari-based IT services provider. The attack originated from IP addresses in Vietnam and has already reached thousands of inboxes. 
• A cross-platform ransomware, dubbed BianLian, emerged in the threat landscape. Written in the Go language, the ransomware has claimed around 15 organizations as of September 1 as its victims. The initial access to victim networks is achieved by exploiting the ProxyShell flaw.
• Researchers at AT&T have released details about a sophisticated cryptomining campaign in which 100 different malware loaders were leveraged to deploy miners and backdoors on the infected systems. These loaders were sent via phishing emails that used Mexican governmental documents, social security numbers, and tax returns as lures. 
• Cisco Talos identified three distinct campaigns, between March and June, delivering an array of malware, including ModernLoader and RedLine infostealer. Threat actors had used PowerShell, .NET assemblies, as well as HTA and VBS files to spread across a targeted network. 
• McAfee threat analysts discovered five Google Chrome extensions that track users’ browsing activities. The extensions have been, collectively, downloaded over 1.4 million times. The extensions claim to offer various functions such as enabling users to watch Netflix shows together, website coupons, and taking screenshots of a website. 
• A new, highly evasive JavaScript skimmer used by Magecart threat actors is under investigation. The skimmer is being used to target Magneto e-commerce websites.