Cyware Weekly Threat Intelligence, October 17-21, 2022

The Good

• Dutch police and other law enforcement agencies managed to trick DeadBolt ransomware operators into releasing 150 decryption keys for free. The basis for the trick was that it was possible to cancel an unconfirmed Bitcoin transaction before payment went through. This process of canceling the transaction was repeated 150 times, tricking operators into giving out their decryption keys.   
• The Albanese government will pursue very substantial cybersecurity laws, including penalties, in the wake of the massive Optus data breach The government will also check the cybersecurity requirements of large telecommunications providers to evaluate their security posture.
• The CISA urged organizations and users to adopt multi-factor authentication (MFA) to stay safe online. The agency mentions that MFA is crucial for enhancing the overall cybersecurity posture. 
• Singapore has created a new task force named Counter Ransomware Task Force to help businesses and educational institutions defend themselves against ransomware attacks. The team includes representatives from the Ministry of Communications and Information, the Ministry of Defence, the Ministry of Home Affairs, the Monetary Authority of Singapore, and the country's armed forces and police force. 

The Bad

• Operation CuckooBees campaign is back in action and being used against organizations in Hong Kong. Researchers found the Spyder Loader malware deployed on victims’ systems that were infected for more than a year.
• Pennsylvania healthcare provider Keyston Health disclosed a data breach that impacted the personal information of over 230,000 patients. The incident occurred between July and August after threat actors gained unauthorized access to files within systems. The compromised data includes names, social security numbers, and clinical details of patients.
• Australian insurance firm Medibank confirmed that the cyberattack that disrupted its online services was actually a ransomware attack. The attack occurred last week, following which the firm immediately shut down parts of its systems to reduce the impact. Currently, the operations are back to normal and the firm is yet to ascertain the scope of the attack. 
• The FBI had issued a warning of potential fraud schemes that target individuals seeking the federal student loan forgiveness program. The scammers leveraged websites, emails, text messages, and phone calls and purported to offer entrance into the program to target people. Consequently, they collected personal information that can be used for future cybercrimes. 
• In a new update, Group-IB revealed that the Deadbolt ransomware is targeting NAS devices to monetize its operations. Some of the targeted victims include SMBs, schools, and individual home users. 
• A China-based APT group called DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia. Possible goals of these attacks include pilfering intellectual property and performing cyberespionage activities. Indications are that this activity is a follow-on campaign launched by Earth Berberoka and DRBControl. 
• Microsoft suffered a data breach that exposed the sensitive information of some of its customers. The data breach occurred due to a misconfigured Microsoft server. The server was secured after it became aware of it. 
• Verizon notified some prepaid customers that their accounts were compromised in a SIM swapping attack. The incident occurred between October 6 and October 10 after a third party accessed the last four digits of the credit card used to make automatic payments. 
• Nearly two million .git folders containing vital project information were exposed to the public. The information included remote repository addresses, commit history logs, and other essential metadata. 
• The lesser-known OldGremlin ransomware attackers reportedly have expanded their operations using toolkits that target Linux machines. Among these toolkits is a GO variant of TinyCrypt ransomware that also targets Windows systems. In 2022, the gang has launched five campaigns so far, with ransom demands going up to $16.9 million. 
• Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, disclosed a data breach that affected the personal information of around 300,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients enter their sensitive personal and medical information.
• A threat actor stole $9 million worth of cryptocurrency from DeFi platform Moola Market, only to return 93% of the funds within hours of the hack. The hacker exploited a vulnerability in the platform to steal the fund. 

New Threats

• New Clicker Android malware was found infecting 20 million users by sneaking into Google Play Store as utility apps. The targeted utility apps are Flashlight, QR readers, Camera Unit Converters, and Task Managers. The malware is designed to generate revenue for attackers by displaying fraudulent ads.
• A threat actor is selling a new UEFI bootkit that comes with an anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. Named BlackLotus, the malware is linked to APT41 threat actors and can be used to load unsigned drivers for launching BYOVD attacks.
• Over 17,000 Fortinet devices vulnerable to a zero-day flaw are exposed online. Confirming that the flaw is currently being exploited in the wild, the firm has urged organizations to use updated versions. The vulnerability is tracked as CVE-2022-40684 and impacts FortiOS/FortiProxy versions 7.0.7 or 7.2.2. An attacker can exploit the vulnerability to log into vulnerable devices. 
• A new version of FurBall Android malware is being used to spy on Iranian users. Domestic Kitten APT has been attributed to the attack that leveraged a translation app for propagation. 
• The Black Basta ransomware has evolved to include numerous evasions and anti-analysis techniques. Since May, the ransomware has targeted over 89 high-profile organizations across the U.S., Germany, the U.K, Austria, Canada, Switzerland, Denmark, and France.
• A new variant of the Ursnif trojan has laid the ground for potential ransomware and data extortion operations. The attack chain includes the use of recruitment and invoice-related email lures as an initial intrusion vector. 
• Microsoft spotted a new ransomware strain, named Prestige, that was deployed last week in a campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland. The attacks overlap with previous victims of the FoxBlade (HermeticWiper) data-wiping malware.
• Ransom Cartel is likely the evolution of the defunct REvil ransomware, according to Palo Alto Networks researchers who found connections between the TTPs used by the attackers. One of these similarities is the algorithms used to encrypt files. 
• Trustwave researchers have discovered a new Emotet botnet campaign that pushes password-protected attachments in either ZIP or ISO formats to infect users. These attachments are used to deliver Quasar RAT, Coinminer, and more.