Go to listing page

Cyware Weekly Threat Intelligence, December 05-09, 2022

Cyware Weekly Threat Intelligence, December 05-09, 2022

Share Blog Post

The Good

With the myriad of cyberattacks coming to light every day, federal authorities are always on their toes to help organizations improve their defensive approaches. In that vein, the GAO has asked the Energy and Transportation departments to assess and patch the risks associated with IoT and OT systems in an attempt to boost critical infrastructure protection. Meanwhile, the Mobile Health App Interactive Tool has been updated by the FTC and the HHS to improve the data security of patients.  
  • The U.S. GAO urged several federal agencies to assess the cybersecurity risks of IoT and OT systems to boost critical infrastructure protection. The GAO pointed out that the DHS, CISA, and NIST have issued guidance, alerts, advisories, and other resources to help organizations mitigate attacks against critical infrastructure. 
  • The Swiss government is planning to include the mandatory reporting of cyberattacks on critical infrastructure in the new Information Security Act. The move comes months after cyberattacks against Swissport flights and the Swiss stock exchange SIX.  
  • The FTC and the HHS updated their Mobile Health App Interactive Tool to improve the data security of patients. The tool is for anyone developing a mobile app to understand the implications of collecting and misusing the PHI of patients. It can also help developers navigate the patchwork of different laws that may be applicable while building mobile apps to ensure that any sensitive health information is protected accordingly. 

The Bad

The education sector remains an active target of ransomware attacks. Different reports discovered a barrage of attacks by Vice Society and Hive ransomware actors against K-12 schools and higher educational institutions across the globe. The cryptocurrency industry was the target of multiple hacking attacks launched by DEV-0139 and the Lazarus group. While DEV-0139 leveraged Telegram chats as a part of the infection chain process, Lazarus used fake cryptocurrency apps to target users.

  • The Canadian branch of Amnesty International suffered a cyberattack by a China-sponsored threat actor. The hack was first detected on October 5 and had left the organization offline for nearly three weeks. 
  • Cloud company Rackspace revealed a cybersecurity incident causing a temporary halt of Hosted Exchange environment. The firm proactively disconnected the platform to reduce the impact of the attack. As per the latest investigation, the firm confirmed that it was a ransomware attack.
  • An influx of attacks against educational institutions by Vice Society and Hive ransomware actors was reported by researchers. While Hive was persistent throughout October and November and leaked the stolen data from two educational institutions, Vice Society targeted at least 33 educational organizations this year.  
  • Followers of Elon Musk on Twitter are being targeted in a fake crypto giveaway scam. The followers were lured with a message that read ‘1000 new followers get 5000 bitcoin’ and a fake URL to the bogus quiz. 
  • A series of attacks against cryptocurrency investment companies were attributed to a group named DEV-0139. The attackers took advantage of Telegram chat and initiated communications with VIPs by posing as different cryptocurrency exchange platforms. As a part of the infection chain, Excel files containing malicious macros were used to launch payloads. 
  • Volexity researchers observed a new cryptocurrency campaign tied to the Lazarus threat actor. The gang used fake cryptocurrency apps, all of them named as BloxHolder, to deploy AppleJeus malware on victims’ systems.
  • The city of Antwerp, Belgium, is struggling to restore its digital services after it was hit by a cyberattack. This disrupted the services used by citizens, schools, daycare centers, and the police. 
  • A new Magecart campaign that impacted at least 44 e-commerce sites was attributed to three threat actor groups tracked as Group X, Group Y, and Group Z. The attackers abused defunct domains, Google Analytics, and Google Tag Manager to inject malicious skimmer codes. 
  • A previously unknown investment scam group named CryptosLabs has reportedly stolen up to $505 million from victims in France, Belgium, and Luxembourg. The group, which has been active since 2018, has targeted over 40 companies in fintech, cryptocurrency, and asset management services. 
  • Google’s TAG shared technical details on the exploitation of Internet Explorer zero-day vulnerability in attacks by the North Korean hacking group APT37. Tracked as CVE-2022-41128, the flaw can enable attackers to execute arbitrary code on a target system.
  • In an update, CommonSpirit Health confirmed that threat actors accessed the personal data of over 623,000 patients in the ransomware attack that occurred in October. The firm also admitted that the data of at least seven hospitals were impacted in the incident. The type of data compromised includes the full name, address, phone number, and date of birth of patients. 
  • The HHS issued a new advisory to alert healthcare organizations about ongoing attacks by the Royal ransomware gang. The ransomware was first observed in September and the ransom demand ranges between $250,000 and $2000,000. 
  • Records stolen from sports goods maker Intersport have been leaked on the dark web. The data was stolen by the Hive ransomware group in November.
  • An influx in direct deposit scams amid the holiday season was reported this week The scam involves a hacker impersonating an employee and asking HR to change their direct deposit information. When payday hits, the payment goes to the hacker’s bank account. 
  • Attackers injected WordPress plugins with a piece of malware that bypassed security checks and redirected the victims to spammy web pages. These web pages were used to push fake captcha scams.
  • Web Explorer - Fast Internet, a browsing app for Android devices, exposed a trove of sensitive data due to a misconfigured Firebase instance. The exposed data includes destination addresses, user country addresses, and other sensitive information. 

New Threats

User data in smartphones and mobile devices are at risk more than ever. A new dark web marketplace called InTheBox has surfaced online, offering threat actors over 400 custom webinjects to pilfer information from banking, crypto, and e-commerce apps. A sophisticated service dubbed Zombinder has also been spotted on the darknet, helping implant different malware families on Android and Windows systems. In other news, a Golang botnet has emerged in the threat landscape, targeting flaws in Zyxel firewalls, TOTOLINK routers, F5 BIG-IP, Spring Framework, D-Link DNS-320 NAS, and Hikvision cameras. 

  • The recently discovered Cryptonite ransomware has been discovered in the wild as a wiper malware to target Microsoft Windows users. The malware implements the common functionality of ransomware but it does not offer the decryption key.  
  • Resecurity researchers shared details of a darknet marketplace, called InTheBox, which offers over 400 custom web injects to launch mobile malware attacks. Web injects enable attackers to serve malicious HTML or JavaScript code in the form of an overlay screen and steal information when victims launch banking, crypto, and e-commerce apps.
  • Several potentially serious vulnerabilities discovered in Baseboard Management Controller (BMC) firmware can expose data centers and clouds to cyberattacks. A malicious actor can also exploit these vulnerabilities to remotely control compromised servers, deploy malware, and cause physical damage to the targeted device. 
  • Recorded Future found an overlap in the infrastructure between TAG-53 and Callisto, COLDRIVER, and SEABORGIUM threat groups. One of the common traits includes the use of specific domain registrars, and Let’s Encrypt TLS certificates. The gang is linked to cyberattacks on U.S. military weapons and hardware supplier Global Ordnance.
  • ESET researchers analyzed a supply chain attack attributed to the Agrius APT group. The attackers targeted an Israeli software company to deploy a wiper malware called Fantasy. The malware is built on the foundations of Apostle wiper but does not attempt to masquerade as ransomware.
  • A phishing email, impersonating a well-known Korean airline, was used to harvest user credentials. The email appeared to contain a notice on airline ticket payment and prompted users to click on a phishing page that copied the login page of the airline. 
  • A new Go-based botnet called Zerobot was found exploiting dozens of vulnerabilities in IoT devices to expand its network. The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
  • A new version of Danabot malware that uses advanced obfuscation techniques was spotted in the wild. One of these techniques involved the use of IDA Python scripts.  
  • A new threat actor group named Xcatze used a Python-based malware called AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Recently, researchers have observed several variants of this malware in the wild.
  • A new obfuscation service called Zombinder was discovered in a campaign employing several trojans, including Ermac, to target Android and Windows systems. It is used to bind malicious payloads to a legitimate application.
  • A brand new variant of Babuk ransomware was spotted in a major cyberattack. Threat actors have combined Babuk’s leaked source code with open-source evasive software and side-loading techniques to create the variant. 
  • The Formbook malware made a comeback in a campaign that used trojanized OneNote documents. The malware can steal data from various web browsers and other applications. It also has keylogging capabilities.


hive ransomware group
danabot malware
babuk ransomware gang
commonspirit health
royal ransomware gang
cryptonite ransomware
golang botnet

Posted on: December 09, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.