
Cyware Weekly Threat Intelligence, January 17–21, 2022

The Good

We have a bunch of good news this week to pair with your morning coffee. Governments across the world are relentlessly working on improving the cybersecurity postures of their nations. In one such development, the U.S. NSA has now gained greater authority to defend national security systems. Similarly, the U.K.'s NCSC issued guidance to help companies make it easier for their customers to differentiate between phishing attempts and legitimate texts or calls.

  • In the wake of proliferating SMS-phishing scams targeting bank customers, the Singapore Police, the Monetary Authority of Singapore (MAS), and the Association of Banks in Singapore (ABS) announced measures to further secure digital banking. Banks are expected to work in tandem with MAS, the police, and the Infocomm Media Development Authority to tackle the constant barrage of scams.
  • The Nigerian Police Force, along with INTERPOL, detained 11 members of the SilverTerrier group, which has successfully pulled off more than 50,000 BEC scams worldwide.
  • The NCSC issued guidelines for organizations to follow when communicating with customers via phone calls or texts. The guidance aims to make it harder for scammers to trick the public by making it easier to distinguish between fraudulent and legitimate communications.
  • The European Union kicked off a six-week cyber exercise to test its cyber-defense responsiveness by simulating an attack on a fictitious Finnish power company.
  • The Pennsylvania Senate passed two bills aimed at controlling cybersecurity breaches. One requires the state to form a strategy to prevent and mitigate ransomware attacks; the other mandates that state agencies, local government agencies, and school districts inform victims within seven days of identifying a breach incident.
  • Russia’s FSB claimed to have arrested 14 members of the infamous REvil ransomware group. It also seized around $5.5 million and a few premium cars.
  • NATO entered an agreement with Ukraine to bolster cyber cooperation, including providing Ukraine access to NATO’s malware information sharing platform. The agreement would also enable NATO to collaborate with Ukraine in modernizing the latter’s IT and communications services while identifying domains where personnel training is required.
  • The White House published a memo that grants the NSA greater authority to protect national security systems. The memo also enables the agency to issue emergency and binding directives to take discrete action against emerging cyber risks and threats.

The Bad

Why do threat actors decide to attack humanitarian agencies and services? We do not have a proper answer yet. The Red Cross became the victim of such an unfortunate attack that resulted in the theft of the personal information of hundreds of thousands of people. This week was rife with state-backed threat activity as the UNC1151 group defaced more than 70 Ukrainian government websites. A cyberespionage campaign was revealed targeting ICS vendors, universities, and other organizations related to renewable energy. The campaign began in 2019 and is still ongoing.

  • The International Committee of the Red Cross (ICRC) was hit by an advanced cyberattack that compromised the personal data of over 515,000 highly vulnerable people. The data came from at least 60 Red Cross and Red Crescent National Societies located across the world. ICRC stated that the data stolen has not been leaked yet; the perpetrator remains unidentified.
  • Marketing giant RR Donnelley (RRD) suffered a Conti ransomware attack that disrupted its IT systems, leaving customers unable to receive printed documents required for vendor payments, disbursement checks, and motor vehicle documentation. The attackers claimed responsibility and leaked 2.5GB of the stolen data.
  • The reclusive Earth Lusca threat actor, reportedly linked to the Winnti group, was found targeting organizations worldwide for financial gain. The list of victims includes governmental and educational institutions in Hong Kong, COVID-19 research organizations, and the media, among others. It mainly conducts spear-phishing and watering hole attacks.
  • A large-scale cyberespionage campaign, active since at least 2019, is targeting renewable energy and industrial technology organizations. Threat actors behind the campaign used legitimate websites, DNS scans, and public sandbox submissions to steal login credentials of the employees. The targeted organizations include Schneider Electric, Honeywell, Huawei, Telekom Romania, University of Wisconsin, Utah State University, and Taiwan Forestry Research Institute, among others.
  • Non-profit organization Goodwill notified its users about a security breach that affected their personal information. The cybercriminals gained unauthorized access by exploiting a vulnerability in the website. The compromised information includes full names, email addresses, phone numbers, and mailing addresses.
  • Dozens of Ukrainian government websites were defaced by the APT group UNC1151. The defaced websites were displayed with messages written in Russian, Ukrainian, and Polish languages. The campaign abused compromised Content Management Systems (CMS) to disseminate fake news.
  • Citizen Lab unearthed critical flaws in MY2022, the official app for the Beijing 2022 Winter Olympics. The flaws can allow attackers to sidestep encryption for users’ audio and file transfers. In addition, customs health forms containing users’ passport details, travel and medical history, and demographic details are at risk.
  • The central bank of the Republic of Indonesia confirmed sustaining a ransomware attack that disrupted its operations. Experts suspect that the attack was conducted by Conti although Bank Indonesia did not confirm it. The bank claimed that the attack did not compromise any sensitive data and public services.

New Threats

QNAP NAS devices are once again under attack by the QLocker ransomware in a new campaign. More Ukrainian organizations are under attack by a new malware, dubbed WhisperGate, that pretends to be ransomware but is in reality a data wiper. The week also brought us a new cryptocurrency scam that abuses the Amazon brand to trick potential investors into giving up their money.

  • MoonBounce, a new firmware bootkit, is found quite active in the wild. The bootkit is being used by the APT41 threat actor group in targeted attacks. It hides in a computer’s Unified Extensible Firmware Interface (UEFI) firmware, making it hard for proprietary security products to spot.
  • Researchers tracked a new ransomware family, named White Rabbit, that targeted a local U.S. bank in December 2021. The new malware borrows some of its features from Egregor ransomware and researchers suspect a connection to the FIN8 APT gang. The ransomware uses a double extortion strategy to threaten its victims.
  • A new variant of SFile ransomware was spotted targeting Linux systems worldwide. The ransomware variant uses the RSA and AES algorithms to encrypt files. One of the strains had targeted the FreeBSD platform in an attack against a partially state-owned company in China.
  • A new wave of Qlocker ransomware campaigns has been found targeting QNAP NAS devices worldwide since January 6. After encrypting files, it drops ransom notes titled !!!READ_ME.txt on infected devices. The victims are prompted to visit a Tor site for more information on how to make the payment to regain access to their files.
  • Microsoft shared details about new destructive malware attacks targeting multiple organizations in Ukraine. Researchers identified a new malware dubbed WhisperGate that destroys victims’ information by first overwriting the disk’s Master Boot Record (MBR) and then displaying a fake ransom note.
  • Bitdefender found a new cryptocurrency-stealing malware, dubbed BHUNT, that can steal from multiple cryptocurrency wallets, while also extracting passwords saved in browsers and data from the clipboard. It uses encrypted configuration scripts downloaded from public Pastebin pages and is also capable of stealing cookies and other sensitive data stored in the Firefox and Chrome browsers.
  • The INKY team spotted a new phishing campaign aimed at stealing credentials of aspiring vendors by inviting them to bid on multiple fake projects with the U.S. Department of Labor (DoL). The phishing emails claimed to be from a senior DoL employee inviting victims to submit bids for ongoing government projects.
  • A new crypto scam is exploiting the Amazon brand to lure potential investors into handing over Bitcoins. The campaign posted fake social media news in cryptocurrency-related groups. Clicking on the post redirected victims to a fake CNBC Decoded website that carried an article about a soon-to-be-released Amazon crypto token. Another lure is a fake referral program that offers rewards if users refer others. The majority of the victims are located in the Americas and Asia.


Posted on: January 21, 2022