Go to listing page

Cyware Weekly Threat Intelligence, January 31–February 04, 2022

Cyware Weekly Threat Intelligence, January 31–February 04, 2022

Share Blog Post

The Good

As cyberattacks across the world continue to rise, our governments are fighting back hard. The DHS has created a first-ever cyber review board that brings together security experts from all fields to deal with major cyber incidents. In the same vein, a European Union agency proposed to create a systemic cyber event coordination framework to deal better with critical cross-border cyber incidents impacting the financial sector.

  • The DHS announced the creation of a new Cyber Safety Review Board to gather all security experts from private and public sectors to review and analyze cybersecurity incidents. This board comes as a part of the executive order signed by the U.S. President last year. The board’s first task would focus on Log4j vulnerabilities.  
  • The European Systemic Risk Board (ESRB) planned a new systemic cyber event coordination framework that would enable relevant authorities in the EU to collaborate better while responding to cross-border cyber events affecting the financial sector. The European Supervisory Authorities (ESAs) have been urged to create a plan for the development of a Pan-European systemic cyber coordination framework. 
  • E-commerce retailer Target open-sourced its proprietary scanner, named Merry Maker, for detecting payment card skimming attacks. The scanner supports YARA rules, IOCs, and unknown domain rules, and detects codes that steal payment card data. 


The Bad

Crypto theft is getting worse by the day. Relentless cybercriminals exploited a vulnerability in the Wormhole crypto platform and made away with 120,000 Wrapped Ethereums, causing the company to temporarily shut down operations. The British Council exposed the data of thousands of students, owing to an unsecured Azure database. This incident, once again, displays how important it is to secure cloud databases. As the CISA warns about potential cyber risks to athletes during the Beijing Winter Olympics, researchers discovered that the internal IT network of the National Games of China was breached by some unknown hackers.

  • A vulnerability in the Wormhole cryptocurrency platform allowed a threat actor to steal an estimated $322 million worth of Ether cryptocurrency. The attackers exploited the ‘smart contracts’ feature on the platform to hack the portal.
  • The BlackCat ransomware group has been held responsible for the recent cyberattacks on two German oil companies. This ultimately affected hundreds of gas stations across northern Germany. The firms took immediate actions as part of their contingency plans.
  • An unsecured Microsoft Azure blob belonging to the British Council revealed student names, IDs, usernames and email addresses, and other personal information. More than 100,000 files with student records were found exposed online.
  • Cisco Talos researchers uncovered a wave of attacks starting around October 2021, targeting Palestinian organizations and activists through political lures with an aim to infect them with a malware dubbed Micropsia. The attacks are part of a broader campaign, dating back to 2017, connected to a group known as Arid Viper.
  • Researchers from Binarly discovered 23 vulnerabilities in UEFI firmware made by InsydeH2O. Most of these flaws stem from the System Management Mode (SMM) that provides system-wide functions such as power management and hardware control. The firmware is used by multiple computer vendors such as Fujitsu, Intel, AMD, Lenovo, Dell, ASUS, HP, Siemens, Microsoft, and Acer.
  • Business services provider Morley Companies Inc. has disclosed a data breach as a result of a ransomware attack that occurred in August 2021. The incident affected the data of more than 500,000 individuals, including Morley’s employees, contractors, and clients. The compromised data included full names, social security numbers, dates of birth, medical diagnostics, and treatment information of individuals.
  • A targeted spear-phishing campaign called Operation EmailThief exploited an XSS zero-day vulnerability in Zimbra to target several government and media organizations in Europe. Launched by a threat actor named TEMP_Heretic, the campaign was executed in December 2021 in two phases. The initial phase aimed at reconnaissance and leveraged specially designed phishing emails.
  • CISA has issued a warning about multiple vulnerabilities affecting the Airspan Networks Mimosa equipment. Successful exploitation of these vulnerabilities can allow attackers to gain user data, compromise Mimosa’s AWS cloud EC2 instance and S3 buckets, and conduct remote code execution on all cloud-connected Mimosa devices. Some of these flaws have earned CVSS score ratings of 10.
  • Avast disclosed that an anonymous hacker group had accessed the internal IT network of the 2021 National Games of China about 12 days prior to the beginning of the event. After gaining access, the threat actor attempted to move across the network via brute-forcing services and exploits, in an automated manner. 


New Threats

Iran-based threat actors were pretty active this week as the MuddyWater APT was found conducting cyberespionage activities against Turkish organizations and governmental institutes. The other group—Phosphorous (aka Charming Kitten)—developed a unique backdoor, dubbed PowerLess, with advanced evasive capabilities. This week, we were introduced to a few new malware, among which is the Mars Stealer. It happens to be a redesign but a more powerful version of the Oski malware that disappeared suddenly in the summer of 2020.

  • A new malware dubbed CoinStomp is targeting cloud services to mine cryptocurrencies. Currently, the malware has targeted multiple cloud service providers in Asia. It employs the timestomping attack technique and a number of anti-analysis techniques to evade detection.
  • A new SEO poisoning campaign is being used in the wild to drop BATLOADER and other payloads like Ursnif and Atera Agent malware onto the targeted systems. The attackers target the victims who are on the lookout for downloading productivity tools like TeamViewer, Zoom, or Visual Studio. The attackers use these software installers as part of their SEO poisoning attack in order to redirect users to false sites.
  • The Iranian MuddyWater APT group is targeting Turkish organizations and governmental institutions in a new cyberespionage campaign. The campaign is using malicious Office documents and PDFs pretending to be from the Turkish Health and Interior Ministries. The documents deliver a malicious PowerShell-based downloader that gains a foothold into the network.
  • The relatively new macOS malware UpdateAgent has been upgraded to deliver adware and potentially other malicious payloads. One of the latest features also includes its ability to bypass Apple’s built-in Gatekeeper system.
  • Security researcher Chris Campbell found a new phishing campaign infecting victims with the BazarLoader (BazarBackdoor) trojan through malicious CSV files. The phishing emails pretend to be "Payment Remittance Advice" with links to attacker-controlled sites that download the CSV files.
  • A new malware named Mars Stealer was discovered in the wild. Researchers surmise it to be a redesign of the Oski malware that shut down development abruptly in 2020. Mars Stealer can steal data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.
  • The Iran-based Phosphorous threat actor group has added a new PowerShell backdoor named PowerLess to its arsenal. The malware includes keylogging and info stealing capabilities.  One of the IP addresses serves a domain that is being used as a C2 server for the recently discovered Memento ransomware.
  • Researchers observed a new StrifeWater RAT being used by the Moses APT group. The RAT comes with multiple evasion and screen capturing capabilities. The malware can also create persistence, download additional extensions, and execute system commands.
  • A Chinese threat actor group tracked as Antlion has been using a new custom backdoor called xPack to target organizations in the financial and manufacturing sectors. The campaign has been active for over 18 months and the backdoor allows attackers to run WMI commands remotely. The ultimate goal of the campaign is to exfiltrate data from infected networks.
  • The relatively new Sugar ransomware is being available to cybercriminals as Ransomware-as-a-Service (RaaS). Written in Delphi, the ransomware borrows its code from several other ransomware. It employs a modified version of the RC4 encryption algorithm along with a crypter that is being offered to affiliates as part of the service.
  • Accounting and tax software provider Intuit alerted customers of an impersonation scam attempting to trick victims with fake warnings of suspended accounts. Hackers masquerade as the Intuit Maintenance Team.


 Tags

powerless backdoor
british council
morley
mars stealer
wormhole
bazarloader
sugar ransomware
xpack
oiltanking deutschland gmbh
antlion
airspan networks mimosa
coinstomp
strifewater rat
updateagent
micropsia
muddywater apt
batloader

Posted on: February 04, 2022


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.