Cyware Weekly Threat Intelligence, October 24 - 28, 2022

The Good

• The White House announced the addition of the chemical sector under the Industrial Control Systems (ICS) initiative. It is the fourth sector to be added to the initiative after electricity, pipeline, and water. As part of ongoing efforts to reduce cyber risk in critical infrastructure, the administrators will focus on this particular sector to analyze best practices from other sectors and create a cybersecurity action plan over the next 100 days.
• The new cybersecurity regulations unveiled by the Transportation Security Administration (TSA) were put into effect on October 24. The rules, which will last for one year, now mandate railroad companies to deploy network segmentation policies. Additionally, carriers will also have to deploy threat detection systems and timely patches for OS, applications, drivers, and firmware.  
• The U.S. Government Accountability Office (GAO) has made recommendations to enhance the cybersecurity of K-12 schools. The recommendations have been made after reviewing the state of security in the schools, especially against ransomware attacks. 

The Bad

• Research by Dragos revealed that 25 of the 48 threat groups tracked were found targeting industrial organizations in the third quarter of 2022. The list included several new ransomware groups such as Sparta Blog, Bianlian, Donuts, Onyx, and Yanluowang. A majority of the victim organizations were in North America and Europe.
• Ticketing services agency See Tickets disclosed a web skimming attack that lasted for over six months. This resulted in the compromise of the payment cards and personal details of users. The agency ascertained that the affected information includes those who purchased event tickets between June 2019 and January 2022. 
• Mandiant researchers uncovered a new campaign, named DRAGONBRIDGE, that aggressively targeted U.S. politicians and allies. Claimed to be the work of APT41, the campaign was executed by altering news articles and promoting the same across different social media forums.
• Attackers are leveraging legitimate tools such as Weave Scope in a new typosquatting attack to steal access keys and tokens of Amazon Elastic Compute Cloud (EC2) workloads. Researchers claim that the attackers’ entry via an exposed Docker REST API server is similar to the TeamTNT threat actor group. 
• The U.K’s largest car dealership Pendragon was hacked and heckled by the LockBit ransomware gang who demanded a ransom of $60 million in Bitcoin to prevent the release of sensitive data on the dark web. The firm has refused to pay the ransom and taken steps to protect its remaining systems. 
• The Snatch ransomware gang claimed to be behind the attack on the Kenosha Unified School District in Wisconsin. The attack occurred on September 25, with officials noting that the school district has since restored systems it took down as a precaution. 
• Researchers shared details of a ransomware attack on a Jordan-based company. The attack was carried out by an LV ransomware affiliate that used the double extortion tactic to blackmail victims. 
• Microsoft disclosed that the Vice Society ransomware group has been switching payloads in attacks targeting the education sector across the U.S. and worldwide. Since September, the attackers are using a payload that adds the .locked file extension to encrypted files.
• Twilio disclosed a new data breach that occurred in June. The attackers had used social engineering to trick an employee into handing over their credentials in a voice phishing attack. The stolen credentials were then used to access contact information for a limited number of customers. 
• Cisco warned customers of two security vulnerabilities in the AnyConnect Secure Mobility Client being exploited in the wild. The flaws, tracked as CVE-2020-3433 and CVE-2020-3153, can enable attackers to perform DLL hijacking attacks.  

New Threats

• Checkmarx researchers demonstrated a new attack technique dubbed RepoJacking that could allow attackers to launch supply chain attacks through GitHub. The technique involves the hijacking of a renamed repository’s traffic by breaking GitHub’s redirection mechanism and routing the traffic to a malicious repository controlled by the attackers. 
• A new QakBot malware campaign targeting Korean users was unearthed by researchers. The campaign used hijacked emails to send malicious ISO files, a process to bypass behavior detection. 
• The Hungarian National Cyber Security Center issued a warning about a phishing attack that impersonated the Hungarian government. It informed the recipients that their new credentials were available in an attachment, which eventually dropped Warzone RAT in the background.
• The North Korea-based Kimsuky threat actor group has been spotted using three new Android malware—FastFire, FastViewer, and FastSpy—to target users in South Korea. The malware are disguised as utility tools on Google Play Store.  
• A new campaign called Kiss-a-dog targeted vulnerable Docker and Kubernetes infrastructure to mine Monero cryptocurrency. The campaign relied on tools and techniques associated with the TeamTNT group.
• An automated and large-scale campaign abused free-tier cloud accounts associated with GitHub, Heroku, and Buddy CI/CD services to mine a wide range of crypto coins such as Tidecoin, Onyx, Sugarchain, Sprint, Yenten, Arionum, MintMe, and Bitweb. Launched by a threat actor named Purpleurchin, the campaign employed a custom Stratum mining protocol relay to evade network scanners. 
• In a new report, Microsoft confirmed that systems infected with the Raspberry Robin USB worm were used as entry points for hands-on-keyboard ransomware attacks, specifically linked to Clop ransomware. The Raspberry Robin malware is created by the EvilCorp gang, the same group that developed the Dridex trojan, Locky, and BitPaymer ransomware.
• The Korean Internet & Security Agency (KISA) published a security notice about a phishing attack that exploited KakaoTalk’s data centers to distribute the Amadey bot. The malware was disguised as a KakaoTalk installation file that was distributed via email.