Cyware Weekly Threat Intelligence, June 27 - July 01, 2022

The Good

• The U.S. House of Representatives has passed a new ICS cybersecurity bill in the wake of increased threats from Russian cyberattacks. Called ‘Industrial Control Systems Cybersecurity Training Act’, the bill aims at strengthening the security of Industrial Control Systems by amending the Homeland Security Act of 2002 that would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish a free cybersecurity training initiative focusing on ICS.
• NIST has released new macOS security guidelines for organizations. Derived from the macOS Security Compliance Project (mSCP), the guidelines are intended for system administrators, security professionals, policy authors, privacy officers, and auditors involved in securing macOS systems. The guidelines include actionable recommendations for properly configuring and managing macOS endpoint devices.
• The State Department Bureau of Intelligence and Research (INR) has released a new framework that emphasizes securing modern IT infrastructure, software, hardware, and systems by creating a proactive culture to find and fix vulnerabilities. The strategy also focuses on the need to deploy real-time threat-based security functions. 
• A cybercrime group was detained by Ukraine’s cyber police for running more than 400 phishing sites. Most of the phishing sites mimicked EU websites offering financial assistance to Ukrainians. Officials said the gang stole an estimated 100 million hryvnias from their victims, worth around $3.4 million.

The Bad

• CrowdStrike discovered a new ransomware attack that exploited a zero-day bug in the Mitel Service Appliance component of MiVoice Connect. The flaw was exploited to gain initial access to the network. 
• A new phishing technique demonstrated by researchers can enable threat actors to abuse Microsoft Edge WebView2 applications to bypass MFA authentication. Dubbed WebView2-Cookie-Stealer, it can allow attackers to steal victims’ credentials and cookies from the Chrome browser. 
• The U.K. division of ready meal distributor Apetito is still in the recovery phase owing to a cyberattack. The attack occurred during the weekend, following which its delivery operation was disrupted.
• Multiple low-volume targeted attack campaigns launched against customers in the UK and Europe have been linked to the Evilnum threat actor group. The campaigns have been active since January and are launched via spear-phishing emails.
• The website of Napa Valley college is still inaccessible as the ransomware attack incident enters the second week. The institute is working on restoring the website and affected systems.
• A DDoS attack knocked out multiple private and public websites in Norway. While the attack did not cause any significant damage, authorities claimed that it was an act of hackers from Russia.  
• The website of the Nebraska Department of Labor suffered an outage following a cyberattack. There is no evidence of compromised user data.
• The notorious Lazarus APT is suspected to be behind the recent $100 million altcoin theft from Harmony Horizon Bridge. The firm suffered a breach last week, where the attackers extracted tokens stored in the bridge to steal the money.
• OpenSea disclosed a new phishing attack that affected a portion of its customers. The attackers used stolen email addresses to launch the attack. Domains that were likely used in the attack include opensea.org, opensea.xyz, and opeansae.io. 
• Researchers uncovered a new ShadowPad attack campaign targeting unpatched Microsoft Exchange servers in different Asian countries. The campaign, which dates back to 2021, targeted the ICS of telecommunications companies in Pakistan and Afghanistan and a logistics and transport organization in Malaysia.
• Microsoft’s latest investigation shows that there is an uptick in toll fraud malware. Such types of malware are prevalent against Android phones and can trick users to subscribe to premium services without their knowledge or consent.  
• AMD is looking into a ransomware attack after the RansomHouse Extortion group claimed to have stolen around 450 GB of data from the firm. The stolen data includes network files, system information, as well as AMD passwords. 

New Threats

• A new version of Raccoon Stealer is being distributed on multiple underground forums. The malware is written in C/C++ using WinApi and borrows many of its capabilities from the original version. 
• A newly discovered RAT named ZuoRAT was used as part of a sophisticated campaign targeting North American and European networks. The RAT hijacked SOHO routers to pivot into the local network and gain access to additional systems.
• Scammers are using deepfakes and stolen personally identifiable information to apply to remote tech jobs, according to the FBI. For some of the positions, scammers had access to customer PII, financial data, corporate IT databases, or proprietary information.
• Threat actors are using Microsoft Office files as bait to distribute the new AstraLocker 2.0 ransomware. The malware borrows its code from Babuk ransomware and uses several anti-analysis techniques to bypass security solutions.
• CISA has issued a new advisory about the active exploitation of the PwnKit vulnerability. The flaw impacts Linux systems and can be abused to execute malicious commands on systems.
• Threat actors are shifting to Bumblebee loader, as a replacement for TrickBot and BazarLoader, to distribute ransomware. In one such incident, the loader was used to deploy Conti, Quantum, and Mountlocker ransomware. 
• Cybercriminals leveraged Facebook Messenger chatbots in an attempt to steal the credentials of managers of Facebook pages. The chatbots allowed threat actors to impersonate the company's support team and convince the managers in sharing their credentials. 
• The XFiles info-stealer malware is leveraging the Follina vulnerability to spread across systems. The infection chain starts with a phishing email that contains a malicious document. The malware is capable of pilfering cookies, passwords, and history stored in web browsers. It also targets cryptocurrency wallets. 
• Microsoft has spotted a new activity of 8220 cybercriminal gang that exploits the recently discovered Atlassian Confluence vulnerability to install cryptocurrency miners on Linux servers. The gang also deploys an IRC bot alongside the miner in the campaign.
• A new information stealer named YTStealer targeted YouTube content creators to steal their authentication cookies. The malware is distributed via fake installers that also drop RedLine Stealer and Vidar.
• The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. The operators are reportedly offering rewards ranging between $1,000 and $1 million to those who submit bug reports.
• CISA, the FBI, FinCEN, and the US Treasury have released a security advisory on the MedusaLocker ransomware. The advisory said that the ransomware was observed to be active in May and relied on Windows RDP services to gain initial access to the network.
• A new IIS backdoor trojan named SessionManager was discovered this week. A variant of OwlProxy backdoor, SessionManager has been used against NGOs, government, military, and industrial organizations in Africa, South America, Asia, Europe, Russia, and the Middle East, starting from at least March 2021. 
• Trend Micro has released details of new tactics employed by Black Basta affiliates. The tactics involve the use of QakBot trojan and PrintNightmare vulnerability to gain initial access and expand their access respectively.
• A new infostealer named RecordStealer is being used in the wild. The malware disguises itself as a software crack package or a software installer. It is used to harvest data from browsers, and cryptocurrency wallets.
• A researcher has published a technical write-up on a technique named call stack spoofing that can be used to confuse EDR products and hide malicious operations.