Cyware Weekly Threat Intelligence, June 06-10, 2022

The Good

Another week, another round of major crackdowns in the cyber world. U.S. law enforcement agencies took down the SSNDOB marketplace, which was used to trade the personal information of millions of Americans. In another success story, Microsoft dismantled the activities and infrastructure associated with the Bohrium and Polonium threat groups.

  • The U.S. law enforcement agencies announced the takedown of the SSNDOB marketplace that was used for trading the personal information of millions of Americans. The market had generated over $19 million in revenue by selling the personal details of approximately 24 million individuals. 
  • Microsoft has successfully disrupted multiple cyber operations associated with the Bohrium and Polonium threat actor groups. In the case of Bohrium, the tech giant took down 41 domains that were used to establish C2 infrastructure for deploying malicious tools. In Polonium's case, more than 20 malicious OneDrive apps used in the group's attacks were suspended.
  • Researchers have designed a new privacy framework, dubbed Peekaboo, that can help address data-sharing concerns across IoT devices. The framework operates on the principle of data minimization, i.e., limiting data collection to what is actually needed.


The Bad

Security incidents exposing millions of sensitive records remained a top concern among security experts. Two of these incidents affected the personal data of students in India, Israel, and the U.S. The compromised data included the full names, email addresses, phone numbers, and credit card details of students. Meanwhile, NFT users and cryptocurrency investors again lost their funds to hackers following attacks on Bored Ape Yacht Club (BAYC) and Maiar.

  • Tenafly Public Schools had to go back to paper, pencils, and overhead projectors following a ransomware attack. Additionally, this led to the cancellation of exams for all of the district’s high school students.
  • The Vice Society ransomware group has claimed responsibility for the recent cyberattack on the city of Palermo in Italy. The attack occurred last week, and all internet-dependent services remain unavailable.
  • MyEasyDocs, an India-based online document verification platform, exposed 30GB of data owing to a misconfigured Azure server. This included both personal and financial information of over 50,000 students from India and Israel.
  • A large-scale phishing operation tricked a million users on Facebook and Messenger into sharing their credentials and viewing advertisements. The campaign operators used the stolen accounts to send further phishing messages to the victims' friends, generating significant revenue via online advertising commissions.
  • Avast researchers exposed a crypto-stealing campaign, FakeCrack, that leveraged Google search results for pirated copies of the CCleaner Pro Windows optimization program to infect as many victims as possible.
  • Malicious hackers again managed to steal 32 NFTs (worth more than $250,000) from Bored Ape Yacht Club (BAYC) by compromising the Discord account of one of its community managers. The threat actors used this compromised account to send a phishing link, which was later used to gain access to BAYC owners’ cryptocurrency wallets. Among the NFTs compromised in the hack were 1 Bored Ape, 2 Mutant Apes, 5 Otherdeeds, and 1 Bored Kennel. 
  • An unprotected Elasticsearch database exposed 5GB of personal data belonging to over 30,000 students. The database apparently belongs to account holders of Transact Campus, which works with higher education institutions in the U.S.
  • Malwarebytes Labs identified a new malvertising campaign that leads to a fake Firefox update. The template appears to be inspired by the one propagated by the SocGholish threat actors.
  • A security incident at Shields Health Care Group resulted in the exposure of the data of two million patients from 60 healthcare providers. This is the largest healthcare data breach reported this year.
  • Maiar, a decentralized exchange (DEX), went offline temporarily after attackers broke into the platform by exploiting a flaw. This enabled them to steal an estimated $113 million from the exchange.
  • The CISA, along with the NSA and the FBI, issued a joint advisory warning organizations about rising cyberespionage attacks by Chinese threat actors. The attacks have been ongoing since 2020 and are aimed primarily at the telecommunications sector.


New Threats

While enterprises are still waiting for a patch to address the recently disclosed Follina vulnerability, more malware operators have moved in to exploit it. Security experts recently observed several cyber-espionage campaigns exploiting the flaw to deliver QBot and AsyncRAT, among other malware. In other new threats, new capabilities have been added to the Black Basta ransomware and the Emotet trojan to ensnare a new range of devices and users.

  • A new ransomware named WannaFriendMe is taking an unusual approach to extort its victims. It impersonates the Ryuk ransomware and offers decryptors on the Roblox gaming platform using the service's in-game Robux currency. 
  • The Smilodon credit card skimming malware has shifted its focus from WooCommerce stores to WordPress e-commerce sites to earn more profit. The malware can pilfer credit card numbers, expiration dates, security codes, billing addresses, names, and other sensitive information from the checkout pages of targeted sites.
  • McAfee observed a spike in phishing campaigns that distribute the Ursnif trojan. The phishing emails invoke a sense of urgency or fear among the recipients to open malicious documents that cause the download of the malware.
  • A new pro-Russian hacking group dubbed Cyber Spetsnaz has been identified leveraging current geopolitical tensions between Ukraine and Russia to conduct cyberattacks. So far, the group has targeted five Italian logistic terminals—Sech, Trieste, TDT, Yilport, and VTP—along with several financial institutions.
  • A newly discovered SVCReady malware has been in action since April. It is being delivered via Microsoft Word. The malware supports anti-analysis features and is capable of exfiltrating information and taking screenshots.
  • The Black Basta ransomware group has joined hands with QBot to gain initial access to corporate environments. QBot is used for initial access, while Black Basta is leveraged to spread laterally across a victim's network.
  • In another update, a Linux version of Black Basta is being used in the wild to target VMware ESXi servers. This variant uses the ChaCha20 algorithm for encryption and multithreading to speed up encryption.
  • QBot was used in multiple phishing campaigns exploiting the critical Follina vulnerability. The attacks were aimed at government agencies in the U.S. and Europe. According to Broadcom, the flaw was also exploited in different cyberespionage campaigns to launch AsyncRAT and other malware.
  • SentinelOne has uncovered a series of activities associated with a new threat actor group called Aoqin Dragon. Some of these activities are ongoing, and a few are found to date back to 2013. The group is believed to have targeted organizations in the government, education, and telecommunications sectors in Southeast Asia and Australia.
  • Researchers have unwrapped the details of a new stealthy malware dubbed Symbiote. The malware is used predominantly to target the financial sector in Latin America, including banks like Banco do Brasil and Caixa.
  • Operators have updated the capabilities of Emotet to siphon credit card information stored in the Chrome web browser. This behavior change comes after increasing activity during April and a switch to 64-bit modules.
  • A new version of Cuba ransomware was found targeting two organizations in Asia. The updates are aimed at optimizing its execution, minimizing unintended system behavior, and providing technical support for victims to negotiate the ransom.
  • Russian hackers are increasingly targeting the phones of Ukrainian officials via advanced spyware delivered through so-called zero-click attacks, which require no interaction from the victim.
  • Several botnets, such as Kinsing, Hezb, and Dark.IoT, are actively exploiting unpatched Atlassian Confluence Server and Data Center installations to deploy backdoors and cryptominers. Federal agencies have urged customers to patch the flaw to stay protected.
  • The DeadBolt ransomware has evolved its extortion scheme as it continues to target NAS devices from QNAP and Asustor. It is putting pressure on vendors to pay ransom for a master decryption key that would theoretically work for all victims.

Posted on: June 10, 2022