Go to listing page

Cyware Weekly Threat Intelligence, January 10–14, 2022

Cyware Weekly Threat Intelligence, January 10–14, 2022

Share Blog Post

The Good

Good are the days when threat actors end up making mistakes that benefit the cybersecurity landscape. In one such mistake, Patchwork APT infected itself with its own malware, leading researchers to find out details about the group and its operations. In another development, the U.S. Senate passed two cybersecurity-bills - the Supply Chain Security Training Act and the State and Local Government Cybersecurity Act. 

  • An APT actor named Patchwork accidentally exposed its tools and infrastructure after it infected its own machine with a new variant of the BADNEWS backdoor. The group was using the malware to target faculty members and researchers associated with defense, molecular medicine, and biological science.
  • The U.S. Cyber Command announced a partnership with 84 colleges and universities from 34 states and the District of Columbia to bridge the cybersecurity talent gap in the U.S. military. The partners include nine minority-serving institutions, 13 community colleges, 69 universities, four military war and staff colleges, and four military service academies. 
  • The U.S. Senate passed two cybersecurity-related bills to address cyber risks in the supply chain security and offer new federal resources to state and local governments affected by threat actors. The Supply Chain Security Training Act focuses on implementing a training program for federal procurement employees. This would prepare them to conduct supply chain risk management activities and mitigate the risks. 
  • Ukrainian officials arrested five members of a ransomware gang responsible for conducting attacks against at least 50 organizations across the Americas and Europe. As per the Ukrainian Cyber Police, the group amassed almost $1 million from the attacks. The raids were conducted with the collaboration of the U.K and the U.S. law enforcement. 


The Bad

Attackers are still exploiting Log4j vulnerabilities in any way they can. Clarins suffered a data breach due to failure to patch the flaws on time, once again indicating how important it is to implement patches before one falls prey to cyberattacks. Cybercriminals are using social engineering tactics to take over accounts of players associated with the EA video game FIFA 22. A ransomware attack forced a prison in New Mexico to go into unplanned lockdown. The attack also resulted in the shutdown of several crucial systems, including that of the local government. 

  • The FBI warned against a cybercrime group that mailed out USB thumb drives in an attempt to infect users with ransomware. Dubbed BadUSB, the attacks leveraged the name of the U.S. Department of Health and Human Services and Amazon to trick users with COVID-19-related warnings and gift cards, respectively. It is believed that the Fin7 threat actor group is responsible for the attacks and the malicious drives were being shipped on LILYGO-branded devices and targeted organizations in the transport, insurance, and defense sectors.
  • Around 39 million patient records leaked from Bangkok-based Siriraj Hospital have been offered for sale on a dark web forum. These records contain names, addresses, Thai IDs, phone numbers, gender details, and dates of birth of users. Some of the data also belongs to the Siriraj Piyamaharajkarun Hospital, containing records of VIP patients.
  • A malicious dnSpy app was found targeting developers and cybersecurity researchers, last week. The threat actors’ goal was to steal cryptocurrency miners, and launch RATs. The attack had used multiple SEO techniques to promote the malicious apps.
  • French cosmetic company Clarins was hit by a data breach that affected the personal information of Singapore customers. The incident occurred as the company failed to patch the Log4Shell vulnerabilities on time. The data affected include names, addresses, email, phone numbers, and loyalty program status of customers. 
  • The Medical Review Institute of America (MRIoA) notified some 134,000 individuals about a data breach that affected their personal information. The incident was discovered on November 9, 2021. The compromised data included names, gender, email addresses, phone numbers, birth dates, social security numbers, and financial information of users. 
  • Tech giant Panasonic revealed that cybercriminals hijacked one of their servers and accessed sensitive information of job applicants. The hackers illegally accessed a server in Japan on June 22, 2021 and ended on November 3, 2021. The data stolen also included details of personnel and business partners and business-related details. 
  • The Commission on Elections, the Philippines, suffered a breach and lost nearly 60GB of data to hackers, just four months before the national elections. The files exfiltrated by the attackers include usernames and PINs of vote counting machines, network diagrams, list of privileged users, IP addresses, passwords, domain addresses and policies, and QR code capture of canvassers with login and passwords. 
  • Around 50 top-notch FIFA Ultimate Team traders were the subjects of a cyberattack, in which the attackers made off with the victims’ FIFA points and coins. Electronic Arts (EA) blamed the attack on human error that resulted in the loss of access to accounts and thousands of dollars of in-game currency for the victims. 
  • A ransomware attack led to an unplanned lockdown of the Metropolitan Detention Center, Bernalillo County, New Mexico. The attack impacted the local government systems, including the ones used to manage the prison. It is suspected that the attack corrupted several databases, including an incident tracker.


New Threats 

The AvosLocker ransomware is making headlines, yet again, with a revamped arsenal. The ransomware now has a new module that encrypts Linux systems. So, beware! As already mentioned above, there is no respite in Log4Shell attacks as the Charming Kitten gang attempted to abuse the flaw to deploy a new modular backdoor. In other news, hackers were observed disseminating different strains of RATs by abusing public cloud infrastructure. 

  • Researchers were finally able to associate the Abcbot botnet with a cryptocurrency-mining attack that occurred in December 2020. The infrastructure of the emerging DDoS botnet resembles the Xanthe cryptocurrency mining botnet, following which researchers claim that the Abcbot borrows its code and features from Xanthe.
  • A new attack campaign is leveraging a new version of FluBot malware posing as a fake Flash Player APK to target Polish users. The malware is distributed via a message that contains a link to a video. Upon clicking, the recipients are redirected to a page offering the fake software that delivers the malware.
  • A new Linux version of the AvosLocker ransomware that targets VMware ESXi servers has been spotted by researchers. Once launched on a Linux system, the ransomware terminates all ESXi machines on the server. Later it begins the encryption process and appends the .avoslinux extension to the encrypted files. 
  • The Charming Kitten threat actor group attempted to exploit one of the Log4Shell vulnerabilities (CVE-2021-44228) to distribute a new PowerShell-based modular backdoor dubbed CharmPower. The attackers chose JNDI Exploit kits to send a well-crafted request to the victim’s publicly facing resource as part of the infection chain. 
  • A new multi-platform backdoor, named SysJoker, that targets Windows, Mac, and Linux has been discovered by researchers. The malware was first discovered in December 2021 during an active attack against a leading educational institution. It masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive.
  • A new attack campaign that leveraged the COVID Omicron variant as a lure was found distributing the RedLine Stealer. Based on the researchers’ telemetry, the campaign has infected users across 12 countries. The malware harvests credentials and cookies from different browsers, as well as other system information.
  • Researchers discovered that threat actors are actively incorporating public cloud services from Amazon and Microsoft into their malicious campaigns to deliver a variety of RATs. The malware distributed are Nanocore, Netwire, and AsyncRAT, which are used to siphon sensitive information from compromised systems.
  • Microsoft patched a wormable critical flaw that affects the latest desktop and server Windows versions, including Windows Server 2022 and Windows 11. Tracked as CVE-2022-21907, the vulnerability was discovered in the HTTP Protocol Stack. Upon successful exploitation, the attackers can remotely execute arbitrary code in low complexity attacks without the use of any user interaction. 
 

 Tags

log4shell vulnerability
badusb
flubot
abcbot botnet
avoslocker
patchwork apt
medical review institute of america mrioa
clarins
redline stealer
charming kitten apt
panasonic
siriraj hospital
sysjoker
xanthe
dnspy

Posted on: January 14, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.