Cyware Weekly Threat Intelligence, May 30 - June 03, 2022

The Good

• In a major takedown, an international law enforcement operation involving authorities from 11 countries took action against the notorious FluBot malware that infected smartphone users across the world. Europol revealed that the malware’s infrastructure is now under the control of law enforcement, putting a stop to the destructive spiral.
• The U.S Department of Justice announced that they have seized three domains—weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com—that were used by cybercriminals to trade stolen data and facilitate DDoS attacks for hire. 
• INTERPOL announced the arrest of three suspected global scammers in Nigeria for using RATs, such as Agent Tesla, to facilitate malware-enabled cyber fraud. The scammers used the trojans to reroute financial transactions, stealing confidential online connection details from corporate organizations, including oil and gas companies in South East Asia, the Middle East, and North Africa.
• The Monetary Authority of Singapore (MAS) and Association of Banks in Singapore (ABS) unveiled a kill switch to prevent online scams. The latest security measure will be in effect from October 31.

The Bad

• The city of Portland, Oregon, is investigating a sophisticated cyber scam that resulted in the loss of $1.4 million in April. Preliminary evidence suggests that the attacker gained unauthorized access to a City of Portland email account to conduct this scam.
• Kaspersky revealed that the SideWinder APT has launched more than 1,000 attacks since April 2020. The threat actor leveraged over 400 domains and subdomains, with additional stealth mechanisms, to launch attacks. In a different incident, the attackers had developed a custom tool—SideWinder.AntiBot.Script—to launch phishing attacks against private and public sector entities in Pakistan.
• The FBI has warned the public again about the fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. Criminal actors are taking advantage of the ongoing crisis by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts. 
• A phishing attack at Spirit Super, an Australian pension provider, impacted the personal data of 50,000 individuals. However, the compromised data did not include dates of birth, bank account details, and government ID numbers.
• A U.K food bank was scammed of $63,000 by scammers in two distinct attacks. While the initial attack leveraged a fake NHS test and Trace message, the second one involved a call by a fake bank.
• The Mirror Protocol suffered a loss of more than $2 million after attackers exploited an issue affecting its price-setting software. The amount was drained out from the mBTC, mETH, mDOT, and mGLXY pools. 
• In an attempt to evade sanctions imposed by the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC), Evil Corp has now shifted to deploying LockBit ransomware. Previously, the group deployed the Dridex malware. 
• A Mexico-based production plant belonging to Foxconn fell victim to a ransomware attack. The LockBit gang claimed responsibility for the attack. Foxconn assured that the impact on its overall operations is minimal, and the recovery will unfold according to a pre-determined plan.
• Secureworks spotted a new campaign targeting vulnerable Elasticsearch databases to replace their indexes with a ransom note. The attackers asked for a ransom of $280,000 although no payment has been made yet.
• After being out of commission from November 2021 to February 2022, the Cl0p ransomware group is back, as per the latest report from NCC Group. By adding 21 new victims to its leak site in April, the gang was the fourth most active in the month.
• BlackCat ransomware group claimed its attack against Regina Public Schools in the Canadian province of Saskatchewan. The threat actors, reportedly, stole 500GB of files containing tax reports, health information, passports, and Social Security numbers.
• The team at Zscaler unearthed a new Browser-in-the-Browser (BITB) attack that threatens victims with a sextortion demand or their sensitive information would go public. To make the scam look legitimate, attackers impersonate the Government of India and ask victims to pay up if they wish to avoid imprisonment.
• The Costa Rican Social Security Fund (CCSS) was hacked in a major cyberattack. The incident forced the agency to shut its digital record-keeping system down, which impacted nearly 1,200 hospitals and clinics. Patients were advised to cooperate as there could be a delay in carrying out procedures during this situation of emergency.

New Threats

• A China-based hacking group, known as LuoYu, replaced legitimate app updates with installers for WinDealer information stealer malware to target mobile users. For this purpose, the threat actors had leveraged popular Asian apps such as QQ, WeChat, and WangWang. 
• Researchers observed a new version of XLoader malware that is capable of obscuring its C2 infrastructure. Dubbed v2.6, the malware variant makes use of probability theory to hide its command and control servers. 
• A new extortion group named RansomHouse was born to extort victims by exploiting vulnerabilities to steal their data. The attackers market themselves as penetration testers and bug bounty hunters to hide their identity. Like other ransomware groups, they have a Telegram account and a leak site to communicate with victims.
• Critical industries must prepare themselves for a new wave of ransomware attacks specifically targeting OT rather than just IT. Researchers have published a PoC for a new type of ransomware attack that uses IoT for access, IT for traversal, and OT for detonation. It is called R4IoT and is described as the next generation of ransomware.
• Symantec found that the Clipminer botnet operators have made a profit of almost $1.7 million since January 2021. From a total of 4,375 unique crypto wallet addresses, 3,677 are used just for three different Bitcoin address formats.
• The FBI, the CISA, the FinCEN, and the Department of Treasury published a joint cybersecurity advisory to warn about the activities of the Karakurt data extortion group. The advisory revealed that paying ransom won’t stop the attackers from selling the stolen data.
• A malware campaign, dubbed SMSFactory, is propagating the TrojanSMS malware across the U.S., Brazil, France, Russia, Turkey, and Ukraine, among others. The attackers are sending premium texts and calling premium-rate phone numbers.
• Multiple vulnerabilities found in an Android mobile framework by MCE Systems could allow attackers to perform command injection and privilege escalation attacks. The vulnerable apps have been downloaded over a million times on Google Play Store.
• China-linked TA413 APT leveraged the recently discovered Windows zero-day vulnerability, identified as CVE-2022-30190 or Follina, to target the International Tibetan community. The SANS Institute also found a document abusing the same flaw. The file’s name was written in a Chinese dialect.