
Cyware Weekly Threat Intelligence, February 28–March 04, 2022

The Good

There is a lot going on in the world right now, but we also have some good things to look forward to. A group of MIT researchers took a big step toward securing sensitive data. They fabricated an IC chip that protects against power side-channel attacks and is tiny enough to fit inside a smartwatch, tablet, or smartphone. Meanwhile, MITRE launched the Engage framework to help defenders conduct cyber adversary engagement, deception, and denial activities.

  • A group of researchers at MIT built an integrated circuit chip that can defend against power side-channel attacks while using much less energy than a common security technique. The integrated circuit conducts machine learning on the edge so that less power is consumed without compromising security.
  • Facebook has blocked multiple accounts and phishing domains associated with the Belarus-linked hacking group Ghostwriter (aka UNC1151) that were designed to target Ukrainian officials and military personnel. Additionally, it confirmed a spear-phishing campaign by the group that tricked Ukrainian military personnel into sharing their personal information.
  • European police detained 17 cybercriminals from France and Spain who were involved in distributing counterfeit ID documents to migrant smugglers over the dark web.
  • MITRE launched the first official version of Engage, a framework for conducting cyber adversary engagement, deception, and denial activities. This framework will help CISOs, security analysts, and vendors to implement defense strategies by taking cues from adversary behavior observed in the real world.
  • Singapore is set to build a new digital intelligence center to fortify the nation’s defenses against cyber threats. Dubbed the Digital and Intelligence Service (DIS), the unit will work under the Singapore Armed Forces and tackle online attacks.

The Bad

Attacks against Ukrainian entities are getting worse. The week witnessed multiple attacks, notable among them a massive attack wave against Ukrainian academic institutions and a DDoS attack using DanaBot against the Ukrainian Ministry of Defense. In other news, two ransomware gangs, Karma and Conti, targeted the same healthcare provider in back-to-back attacks.

  • A phishing campaign compromised the email accounts of Ukrainian armed services to spread Lua-based SunSeed malware. The campaign appears to target European government personnel who are involved in managing the logistics of refugees from Ukraine. Lately, the campaign has been upgraded to target NATO entities and is tentatively linked with the Ghostwriter hacking group.
  • A large-scale phishing campaign, leveraging over 200 phishing sites, has tricked users into making fake investments to buy e-bikes or register for dealerships. The fraudulent operation abuses Google Ads and SEO to draw in victims. The campaign has caused financial damages of up to $1,000,000, and the majority of those affected are in India.
  • Satellite communication giant Viasat was hit by a cyberattack that caused an internet outage across Europe. The firm has notified law enforcement agencies and government partners who are currently investigating the incident. Reports suggest that the attack began on February 24 and is ongoing.
  • A dual ransomware attack affected a Canada-based healthcare organization in December 2021. The attack was launched by the Karma ransomware gang first and later by the Conti ransomware gang. The attackers had managed to intrude into the victim’s network by exploiting the ProxyShell vulnerability.
  • A spate of phishing emails is being used against Microsoft account users to pilfer their credentials. The attackers are capitalizing on the Ukrainian crisis to alarm recipients: the email asks victims to log into their accounts, claiming that unusual sign-in activity from Russia has been detected. The subject line of the email includes ‘Report the user.’
  • More than 30 WordPress-hosted Ukrainian university websites were hacked in a targeted attack. The threat actors support Russia and are identified as the ‘Monday Group.’ In 24 hours, more than 100,000 attacks were launched on Ukrainian education institutions.
  • A threat actor launched a DDoS attack using DanaBot against the Ukrainian Ministry of Defense’s webmail server. DanaBot’s download-and-execute command was used to deliver a second-stage malware payload to the infected hosts.
  • Scammers are weaponizing the Russia-Ukraine conflict to target users in well-crafted phishing campaigns. The phishing emails include different subject lines to dupe victims into sharing their crypto wallet credentials or making payments in the form of cryptocurrency. In one of the campaigns, emails spoofing the login page of popular German Bitcoin marketplace bitcoin.de had targeted employees at European financial service providers. In another campaign, the email spoofed the Ukraine Red Cross Society to lure recipients into cryptocurrency donations to a private wallet.
  • Researchers have disclosed details of a now-patched security vulnerability in GitLab that could potentially allow attackers to recover user information. Tracked as CVE-2021-4191, the flaw affects several versions of GitLab Community Edition and Enterprise Edition. The CVSS score of the flaw is 5.3. It has been patched with the release of versions 14.8.7, 14.7.4, and 14.6.5.
  • The New York State Office of the Attorney General warned victims of the August 2021 T-Mobile data breach after some of the stolen information ended up for sale on the dark web. This increases the risk of identity theft.
  • In a new update, Lapsus$ ransomware attackers have shared NVIDIA’s DLSS source code on their website. Additionally, the credentials of more than 71,000 employees have been leaked online. The data breach at the U.S. chipmaker occurred last month.
  • A hacker group, going by the moniker v0g3lsec, allegedly compromised a website connected to Russia’s Space Research Institute and posted the screenshot for the same.

New Threats

TeaBot is back in business and in the news. Its operators came up with a newer version that is, once again, propagated via apps on the Google Play Store. Attacks against Ukrainian entities saw two new malware families in separate attacks: HermeticRansom and IsaacWiper. While we are on the topic of malware, Microsoft unveiled FoxBlade, another new malware that was used to perform DDoS attacks against Ukraine.

  • A new version of TeaBot is now targeting over 400 applications that include banks, crypto exchanges, and digital insurances. The attacks, driven via spam text messages, are being targeted against users in Russia, Hong Kong, and the U.S.
  • Researchers have demystified a newly found Golang ransomware dubbed HermeticRansom. Also known as PartyTicket, the ransomware encrypts specific files and appends them with .encryptedJB extension. It uses AES and RSA-OAEP algorithms to encrypt files and later drops an HTML ransom note on the victim’s desktop.
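The behaviour described for HermeticRansom above (a burst of files renamed with the .encryptedJB extension, followed by an HTML ransom note on the desktop) can be turned into a simple host-side detection. The code below is an added example, not Cyware’s or any vendor’s code; the event format, the threshold and the time window are assumptions, and the file-activity events are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed file-activity events in an assumed (ts_seconds, pid, op, path) shape.
EVENTS = [
    (100.0, 4242, "rename", r"C:\Users\a\Docs\q1.xlsx.encryptedJB"),
    (100.2, 4242, "rename", r"C:\Users\a\Docs\plan.docx.encryptedJB"),
    (100.4, 4242, "rename", r"C:\Users\a\Docs\notes.txt.encryptedJB"),
    (100.9, 4242, "rename", r"C:\Users\a\Docs\img.png.encryptedJB"),
    (101.5, 4242, "create", r"C:\Users\a\Desktop\read_me.html"),
    (300.0, 7777, "rename", r"C:\Users\a\Docs\old.bak.encryptedJB"),  # lone rename
]

EXT = ".encryptedJB"          # extension the writeup attributes to HermeticRansom
NOTE_FOLDER, NOTE_EXT = "desktop", ".html"

def detect(events, threshold=3, window=5.0):
    """Return a list of (pid, reason) alerts.

    Alert once when a single pid renames >= `threshold` files to EXT within
    `window` seconds (mass-encryption burst), and again when an already
    flagged pid creates an .html file under a Desktop folder (note drop).
    """
    recent = defaultdict(deque)   # pid -> timestamps of recent EXT renames
    flagged = set()
    alerts = []
    for ts, pid, op, path in sorted(events):
        low = path.lower()
        if op == "rename" and low.endswith(EXT.lower()):
            q = recent[pid]
            q.append(ts)
            while q and ts - q[0] > window:   # drop renames outside the window
                q.popleft()
            if len(q) >= threshold and pid not in flagged:
                flagged.add(pid)
                alerts.append((pid, f"{len(q)} renames to {EXT} in {window}s"))
        elif (op == "create" and pid in flagged
              and NOTE_FOLDER in low and low.endswith(NOTE_EXT)):
            alerts.append((pid, f"html note dropped: {path}"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"pid {pid}: {reason}")
```

The lone rename by pid 7777 stays below the threshold, so only the burst from pid 4242 and its subsequent note drop are reported.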
  • ESET researchers uncovered a third new data wiper malware, dubbed IsaacWiper, that was used against hundreds of machines located in Ukraine. According to the researchers, the malware has been active since February 24 and includes both a wiper and a worm component to spread HermeticWiper in local networks.
  • Researchers detected a series of new TCP reflection/amplification attacks that leverage a new technique to knock websites offline. The amplification attack abuses vulnerable middleboxes, such as firewalls, over TCP to magnify denial-of-service attacks. Middlebox devices from the likes of Cisco, Fortinet, SonicWall, and Palo Alto Networks are vulnerable to this new attack method.
  • A new stealthy backdoor named Daxin has been associated with a China-based hacking group. The malware is designed to give an attacker low-level root privileges on a compromised system. The malware was last used in November 2021 to target critical infrastructure in multiple countries.
  • Microsoft revealed that a new malware, dubbed FoxBlade, was used on several networks based in Eastern Europe. The malware was also used in destructive attacks against Ukraine right before the Russian invasion. It is capable of launching DDoS attacks on systems.
  • A new version of an info-stealing malware called Jester Stealer has been observed to be active since January. The new malware version, tracked as, is available for sale in underground cybercrime forums. Jester Stealer can pilfer data from web browsers, email clients, crypto wallets, and password managers.
  • Iran-linked UNC3313 threat actor group was found deploying two new custom backdoors, tracked as GRAMDOOR and STARWHALE. These backdoors were used in the attack against an unnamed government entity in the Middle East in November 2021.

Posted on: March 04, 2022