Cyware Weekly Threat Intelligence, July 11 - 15, 2022

The Good

• A decryption key for malware deployed by the Hive ransomware gang has been released in response to an uptick in activity from the gang in the past three months. A malware researcher developed and published a decryption tool for the Hive ransomware version 5.0 on GitHub. 
• The U.S. Federal Trade Commission (FTC) has issued a warning that it will take action against tech companies that are illegally using and sharing highly sensitive data of users. The agency aims at using the full scope of its legal authorities to protect consumers’ privacy.
• The German government is shoring up its defense strategies in light of possible new threats from Russia. The new measures involve promoting cyber resilience among small- and medium-sized enterprises. There will also be a centralized platform for the exchange of information on cyberattacks between state and federal structures, based at the Federal Office for Information Security (BSI).

The Bad

• About 4295 ETH (approximately $4.6 million at the time of reporting) was stolen in a phishing attack on the Uniswap cryptocurrency exchange. The attackers exploited the Uniswap V3 protocol on the ETH blockchain to launch the attack.
• The head of the European Central Bank was targeted in a hacking attempt recently. While the investigation is in progress, the bank has confirmed that no information was compromised in the hack.
• Microsoft researchers revealed that a large-scale phishing attack campaign has targeted more than 10,000 organizations since September 2021. The campaign used the Evilginx2 phishing toolkit to construct phishing pages, bypass MFA, and steal credentials and session cookies from Office 365 users.
• Ukraine’s CERT team found a new spear-phishing campaign that was aimed at the Ukrainian government. Launched by the UAC-0056 threat actor group, the campaign infected recipients with Cobalt Strike beacon backdoors. 
• Anubis trojan is back with new C2 servers to control fake portals. These fake portals have been used in a large-scale phishing campaign targeting Brazil and Portugal since March.
• Deakin University, Australia, suffered a data breach in which the attacker hacked a staff member’s credentials and gained unauthorized access. The breach has potentially affected the data of 46,980students. Additionally, 9,997 students were also targeted with malicious SMS messages.
• Zscaler observed a major rise in QBot attacks over the past six months. The attackers used ZIP file extensions, code obfuscation, and multiple URLs among others, to evade detection during the attack process.
• The game publisher behind Dark Souls and Elden Ring, Bandai Namco, was allegedly targeted by the BlackCat ransomware group. A post shared by the group claimed that it will reveal the stolen data soon. 
• A large-scale spear-phishing campaign that distributes AsyncRAT and LimeRAT has been active since 2021. The campaign uses geopolitical themes to target government agencies in Afghanistan, India, Italy, Poland, and the U.S. Once the trojan is installed, it establishes communication with the C2 server to exfiltrate victim data.
• Transparent Tribe APT is using CrimsonRAT and ObliqueRAT to target universities and colleges in India. The campaign has been ongoing since December 2021 and uses spear-phishing emails as the primary attack vector.
• A fake version of WhatsApp is tricking unsuspecting users into sharing their personal information. The victims are promised new features as a lure to install the app. The users are warned to be aware of such tricks and to download the app from legitimate stores.
• Professional Finance Company recently disclosed a ransomware attack that impacted the private data of around 1.9 million people associated with hundreds of U.S. hospitals, medical clinics, and dental firms. The debt collection firm revealed that the criminals were able to access files from more than 650 healthcare providers.
• The Virginia Commonwealth University Health System (VCU) has been found exposing the personal details, including SSNs, lab results, and medical records, of almost 4,500 transplant patients since at least 2006. Researchers cited the poor configuration of the website as a primary reason for the leakage of data.
• The BrianLian ransomware group claimed to have hacked the Mooresville Consolidated School Corp. The incident occurred in June and affected the SSNs, phone numbers, and email records of 4,200 students. 
• A massive attack campaign was found scanning 1.6 million WordPress sites to find a vulnerable plugin, dubbed Kaswara Modern WPBakery Page Builder, that allows uploading of files without authentication.
• BlackCat has increased its ransom demand to $2.5 million. The average time provided for payment is between five and seven days. This puts immense pressure on the victims to pay the ransom and prevent their data from being deleted or leaked.
• LockBit and Karakurt gangs have adopted a new and simple strategy inspired by BlackCat to force victim companies to pay the ransom. The new tactic involves adding a search function on their leak sites that will allow victims to see the stolen details.
• Threat actors are using a phishing kit to abuse the logo and general design of PayPal. With the set-up fake pages, threat actors are stealing credentials that can be later used to steal the victims’ identity and perform money laundering, open cryptocurrency accounts, make fraudulent tax return claims, and much more.  

New Threats

• Older AMD and Intel chips are vulnerable to yet another Spectre-like speculative-execution attack dubbed Retbleed. It works by exploiting two flaws tracked as CVE-2022-29900 and CVE-2022-29901 and can expose secrets within kernel memory.  
• Several variants of ChromeLoader have been found to be active in the wild since January. It works by infecting the settings of Chrome browser to hijack search queries and redirect users to malicious sites. 
• A new Android malware family named Autolycos was discovered in at least eight Android applications, two of which are still available on the Google Play Store. So far, the malware has infected over 3 million users and is capable of harvesting data from mobile devices.
• A new ransomware family dubbed Lilith has emerged in the threat landscape. It has already posted its first victim on a data leak site created to support double-extortion attacks. The ransomware appends the .lilith extension when encrypting files. 
• Mantis botnet launched a record-breaking DDoS attack in June that peaked at 26 million HTTPS requests per second (rps). The botnet targeted 1000 customers associated with Cloudflare to create nearly 5000 bots. 
• Microsoft attributed the Holy Ghost ransomware operation to North Korean hackers. Tracked as DEV-0530, the group has been targeting small businesses worldwide for over a year. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victim organization’s customers if they refuse to pay.