Cyware Weekly Threat Intelligence, June 13 - 17, 2022

The Good

• The Coalition to Reduce Cyber Risk (CR2) along with 37 tech leaders from across eight countries have signed a pledge to improve cybersecurity standards and incorporate them into policies and controls. The adoption of these standards among companies and government agencies is expected to mitigate cyber risks and facilitate economic growth.
• The Cybersecurity Maturity Model Certification (CMMC) 2.0 is in the process of making and will be launched in 2023, revealed CISA officials. The model aims to bring a unified security standard among contractors linked to the US Department of Defense (DoD).
• Malwarebytes took down several IP addresses of scammers associated with a profitable IP2Scam tech support campaign. The campaign, which was active since last year, redirected users to fake warning pages via malicious ads.  
• The House appropriations subcommittee has approved a budget of $2.9 billion for CISA in Homeland Security FY2023 Budget Print. The fund will be used to support the agency’s security, infrastructure security, emergency communications, integrated operations, and risk management.

The Bad

• The Gallium APT group has been linked to a new attack campaign that distributed a new remote access trojan named PingPull. The attacks were aimed at financial and government organizations in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam.
• Check Point researchers uncovered a new Iranian-based spear-phishing attack targeting former Israeli officials, high-ranking military personnel, think tanks, research fellows, and Israeli citizens. The attack hijacked existing email conversations of several trusted parties to trick the recipients. Associated with Phosphorous APT, the ultimate goal of the attack was to pilfer PII and other identity documents. 
• Phishers are using the Monkeypox outbreak as a new lure to trick users into sharing their personal information. They are sending phishing emails to company employees for ‘mandatory monkeypox safety awareness training.’
• AvosLocker and Cerber2021 are among the first few ransomware groups that were found exploiting the recently disclosed RCE vulnerability affecting Atlassian Confluence Server to gain access to corporate networks. They used the POC exploits of the flaw to launch attacks.  
• A misconfigured Travis CI API had leaked thousands of authentication tokens and other security-sensitive secrets. Many of these leaks could allow hackers to access the private accounts of developers on GitHub, Docker, AWS, and other code repositories.
• Ukraine CERT has warned that the Russian hacking group Sandworm is exploiting the Follina vulnerability in a new campaign to target various media organizations in Ukraine. The campaign is carried out via phishing email and has targeted more than 500 recipients. 
• Yuma Regional Medical Center (YRMC) notified over 700,000 patients about a ransomware attack that occurred in April. The investigation determined that attackers gained unauthorized access to the network and stole files containing certain patient information including names, social security information, and health insurance information. 
• Health plan provider Kaiser Permanente also disclosed a data breach that affected the personal and health information of up to 70,000 patients. The incident took place in early April.
• Around 32 GB of sensitive data stored in an unsecured database of the Uganda Securities Exchange (USE) was left exposed on the internet. The leaked data included the full name, address, date of birth, phone number, email address, and bank details of customers from across the globe.. 
• CHI Health disclosed a third-party data breach that affected the personal data of its patients. The data included names, medical codes, phone numbers, email addresses, dates of birth, and gender of patients. Attackers had hacked the vendor, MCG Health LLC, on March 25.  
• Belarusian hacktivist group Cyber Partisans released 1.5 TB of data which they claimed is phone calls between the Belarusian Ministry of Internal Affairs from foreign embassies and consulates inside Belarus.
• Almost 1.3 million patients belonging to the Texas Tech University Health Services Center have been added as victims of the ransomware attack at Eye Care Leaders in December 2021.
• Shoprite Group, a large supermarket chain serving multiple countries across southern Africa suffered a ransomware attack by the group RansomHouse. The data compromise may have affected some customers who engaged in money transfers to and within Eswatini, Namibia, and Zambia.
• An unprotected Elasticsearch server belonging to Malaysia-based StoreHub company had reportedly exposed data of about 1 million customers. The leaked data also included information from thousands of retail stores and restaurants.

New Threats

• A team of academics from US universities has published a research paper detailing a new side-channel attack called Hertzbleed. Tracked as CVE-2022-23823 and CVE-2022-24436, the flaws affect all Intel processors and several processors from AMD. In the worst case, the flaws can allow attackers to extract cryptographic keys from remote servers. 
• Avast has published details about a new kernel rootkit named Syslogk which is inspired by Adore-Ng rootkit. Syslogk is being used to target Linux systems.
• BlackCat group has updated its extortion tactic by publishing stolen victims’ data on the public internet. With this, the group plans to put more pressure on organizations that deny paying the ransom. Furthermore, Microsoft has reported that the attackers, among other ransomware groups, have adopted the RaaS operation to enable cybercriminal groups like DEV-0237 and DEV-0504 to perform more attacks. 
• The PureCrypter malware loader has been updated with several new modules to target more resources. One of these functionalities can enable them to use Telegram as a channel to send malware.  
• Several malicious apps capable of spreading adware and information-stealing malware were found on the Google Play Store. Five of these are still active and have amassed over two million downloads. They are PIP Pic Camera Photo Editor, Wild & Exotic Animal Wallpaper, ZodiHoroscope, PIP Camera 2022, and Magnifier Flashlight. 
• CloudSEK observed a threat actor selling a "battle-tested" reverse proxy, PHP-based phishing app called NakedPages on a cybercrime forum. The phishing kit can be used to phish users of Google and Microsoft Office. 
• A new tool advertised in cybercrime circles can allow threat actors to create fake NFT minting pages that can steal a victim’s NFT ownership and even Ethereum funds. Researchers found that the tool has facilitated threat actors to steal NFTs worth tens of millions of dollars of cryptocurrency. 
• Proofpoint researchers have discovered a dangerous ransomware attack that abuses a functionality in Office 365 or Microsoft 365 to encrypt files stored on SharePoint and OneDrive.
• A WooCommerce credit card skimmer was found leveraging a Telegram bot to pilfer the stolen data and later, sell it on the black market - resulting in fake transactions on victims’ credit cards.
• Hackers have developed a new Android malware strain, dubbed MaliBot. The information-stealing trojan was spotted in the wild targeting online banking and crypto wallet users in Italy and Spain. It is being distributed via counterfeit websites hosting cryptocurrency mining apps such as Mining X or The CryptoApp. 
• Panchan, a new Golang-based P2P botnet, has been targeting the education sector since March 2022. Designed to mine cryptocurrencies, the bot was observed using XMRig and nbhash miners that aren’t extracted to the disk to avoid detection.