
Cyware Weekly Threat Intelligence, January 16-20, 2023


The Good

Building a credible cyber defense posture matters given the growing sophistication of the cyber threat landscape. With this in view, NIST plans to release an updated version of its Cybersecurity Framework (CSF) that focuses on greater collaboration and better defense approaches across all economic sectors. The Nordic countries are also working on a common cybersecurity strategy to strengthen their intelligence-sharing capabilities.

  • NIST has announced its intent to revise its Cybersecurity Framework document to foster more collaboration and make cyber defense more inclusive across all economic sectors. The new version, CSF 2.0, is likely to go public by March 3 and will include changes to the recommended cybersecurity best practices and address sector-specific needs.
  • Norway will develop a common cybersecurity strategy for the Nordic countries, which include Denmark, Finland, Iceland, Sweden, Greenland, the Faroe Islands, and the Åland Islands. The strategy will serve to enhance intelligence sharing between these countries as part of their efforts to improve their common military strategies.
  • Avast has released a free decryptor for the BianLian ransomware to help victims recover their locked files without paying the hackers. The decryptor comes about half a year after increased activity from the ransomware over the summer of 2022.

The Bad

This week, PayPal and Norton LifeLock fell victim to multiple credential-stuffing attacks that collectively impacted the personal information of over 1 million customers. So, secure your accounts with MFA before it’s too late! Meanwhile, T-Mobile disclosed a new data breach that impacted its 37 million users. This is the eighth time that the firm has suffered a security breach in less than five years.
  • PayPal disclosed that the login credentials of 35,000 US customers were accessed without authorization in a credential-stuffing attack spree between December 6 and 8, 2022. While there has been evidence of unauthorized transactions, threat actors may have accessed personal information such as names, social security numbers, addresses, and dates of birth of customers.
  • In a data breach at T-Mobile, the personal details of around 37 million users have been exposed. These include names, billing addresses, phone numbers, and dates of birth of users. However, payment card details and other financial information were not exposed. 
  • Costa Rica’s Ministry of Public Works and Transport (MOPT) suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by Conti ransomware. Cybersecurity experts were called in to address the situation. 
  • Around 300 U.K. stores of Yum! Brands were closed for one day following a ransomware attack. The attackers took company data but there is no evidence of customer data being stolen. The company has alerted law enforcement agencies and hired cybersecurity professionals to conduct an investigation. 
  • Canadian alcohol retail giant LCBO suffered a Magecart skimming attack twice since December. While the first infection occurred on December 28, the second infection began on January 5 and lasted until January 10. 
  • Mailchimp disclosed a data breach that affected 133 customer accounts. A social engineering attack tricked employees and contractors into handing over their login credentials. Reports suggest that one of the compromised accounts belonged to WooCommerce.
  • Researchers uncovered a new Payzero scam that can enable scammers to abuse Web3 technology and steal digital assets such as NFT tokens from victims. Here, the scammers typically pay nothing to the victims for their digital assets and simply trick them into allowing the transfer of token ownership via fake smart contracts.
  • Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. At least one prominent user in the cryptocurrency scene has fallen victim to the campaign. 
  • Researchers discovered three malicious PyPI packages, named colorslib, httpslib, and libhttps, that infect machines with information-stealing malware in a new supply chain attack. The packages were uploaded by a threat actor using the alias Lolip0p.
  • A data breach at a third-party service provider resulted in the compromise of the personal information of roughly 18,000 Nissan customers in North America. The car manufacturer learned about the attack in June 2022. The compromised information includes birth dates and NMAC account numbers.
  • Two specialty medical care firms, one in Texas and another in Pennsylvania, reported separate ransomware attacks that affected nearly 600,000 individuals. Both attacks occurred in 2022. 
  • Nearly one million active and inactive Norton LifeLock accounts have been targeted in multiple credential-stuffing attacks. The attacks started on December 1, with a large number of failed login attempts observed on December 12. The company took several actions to secure the accounts.
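The PayPal and Norton LifeLock incidents above share the same fingerprint: one source replaying leaked username/password pairs against many different accounts, producing a burst of failed logins across distinct users (the "large number of failed login attempts" Norton LifeLock observed). The following is an added defender-side example, not code from Cyware or from either company, that runs that detection logic over a few constructed authentication log lines. The log format, the 10-minute window, and the thresholds of 5 failures across at least 4 distinct accounts are all assumptions chosen for illustration; tune them to your own baseline.

```python
"""Flag credential-stuffing bursts in authentication logs.

Credential stuffing tries many *distinct* accounts from one source with
mostly failures, whereas brute force hammers a single account. The detector
therefore alerts on a source IP whose failures in a sliding window cover
many different usernames, and lists any account that then logged in
successfully from that same source (a likely compromised credential).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2022-12-12T03:00:01 203.0.113.7 alice FAIL
2022-12-12T03:00:02 203.0.113.7 bob FAIL
2022-12-12T03:00:03 203.0.113.7 carol FAIL
2022-12-12T03:00:04 203.0.113.7 dave FAIL
2022-12-12T03:00:05 203.0.113.7 erin SUCCESS
2022-12-12T03:00:06 203.0.113.7 frank FAIL
2022-12-12T03:01:00 198.51.100.9 alice FAIL
2022-12-12T03:01:30 198.51.100.9 alice FAIL
2022-12-12T03:02:00 198.51.100.9 alice SUCCESS
2022-12-12T09:15:00 192.0.2.44 grace SUCCESS
"""


def parse_line(line):
    """Return (timestamp, source_ip, username, succeeded) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_failures=5, min_distinct_users=4):
    """Return {source_ip: summary} for sources whose failed logins within any
    `window` reach min_failures spread over at least min_distinct_users
    accounts. Thresholds are illustrative assumptions, not vendor guidance."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            failed_users = [u for _, u, ok in in_window if not ok]
            if (len(failed_users) >= min_failures
                    and len(set(failed_users)) >= min_distinct_users):
                alerts[ip] = {
                    "failures": len(failed_users),
                    "distinct_users": len(set(failed_users)),
                    # Successful logins inside the burst deserve a forced
                    # password reset and an MFA challenge.
                    "compromised": sorted({u for _, u, ok in in_window if ok}),
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {summary['failures']} failures over "
              f"{summary['distinct_users']} accounts; "
              f"successful logins during burst: {summary['compromised']}")
```

On the sample, only 203.0.113.7 is flagged (five failures over five accounts, with `erin` logging in mid-burst); 198.51.100.9 fails twice on a single account, which is the brute-force shape rather than stuffing and stays below the threshold. In production the same logic runs on the identity provider's audit feed, and the "compromised" list drives the response the digest recommends: step-up MFA and credential rotation for those accounts.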

New Threats

There has been a significant increase in the abuse of Google Ads to deliver malware. One such campaign spotted lately was used to distribute Vidar Stealer and IcedID trojan. In another update, a new variant of the Turian backdoor, which includes additional obfuscation techniques, was used by Vixen Panda APT to target government organizations in Iran. A long-term campaign associated with Roaming Mantis has also been found using a new attack technique to ensnare more Android users. 
  • A new Android malware dubbed Hook is being sold on underground forums for $5,000 per month. The malware is promoted by the creators of Ermac and can help threat actors steal credentials from over 460 banking and crypto apps via overlaid login pages. Researchers claim that the malware borrows its source code from Ermac.
  • A China-linked threat actor exploited a recently disclosed Fortinet FortiOS SSL-VPN vulnerability (CVE-2022-42475) to deploy a backdoor called Boldmove. Both Windows and Linux variants of the malware can be used to enable lateral movement and the tunneling of commands to the C2 server. 
  • The Roaming Mantis attack campaign has been found using a new DNS changer to control infected Android devices and steal sensitive information. The change is used to deploy the Wroba Android malware (a.k.a. Moqhao, XLoader) to steal user credentials.
  • Vixen Panda is using a new Turian backdoor variant to target Iranian government organizations. The latest version includes additional obfuscation techniques, a modified network protocol, and a new C2 decryption algorithm.   
  • Earth Bogle APT has been found distributing NjRAT malware to target victims in the Middle East and North Africa. The attackers are leveraging Discord, Facebook, OneDrive, and other platforms to spread the malware. The campaign has been active since mid-2022.  
  • In another update, threat actors are leveraging Google Ads to deploy Vidar Stealer and the IcedID trojan on victims’ systems. The campaign has been active since November 2022 and uses fake websites of Audacity, Blender, and GIMP to target users.
  • More than 4,400 internet-exposed servers running vulnerable versions of Sophos Firewall can be exploited to execute malicious code. The vulnerability, tracked as CVE-2022-3236, received a patch in September 2022.
  • Bitdefender security analysts stumbled across a malware threat campaign dropping EyeSpy spyware. The campaign started in May 2022 and has been targeting 20Speed VPN users through trojanized installers. Users in Iran, the U.S., and Germany are targeted by the spyware.


Tags: T-Mobile USA, Vixen Panda, Norton LifeLock, Turian backdoor, BianLian ransomware, Vidar Stealer, credential stuffing attacks, Nissan customers

Posted on: January 20, 2023
