Cyware Weekly Threat Intelligence, October 31–November 04, 2022

The Good


In an effort to improve the cybersecurity capabilities of ICS, the U.S. Department of Energy has allocated $15 million to the National Rural Electric Cooperative Association (NRECA). The amount will be used to improve the detection process and deploy cyber monitoring tools. In another development, CISA, along with the FBI and the MS-ISAC, has issued a joint advisory containing recommended procedures to reduce the likelihood and impact of DDoS attacks.

  • The NCSC has started a new project in an effort to boost cybersecurity at the national level. As part of the project, networked systems throughout the U.K. will be scanned at regular intervals to detect vulnerabilities. The idea is to collect data that quantifies risk exposure and to respond to threats as early as possible.
  • The U.S. Department of Energy awarded $15 million to the National Rural Electric Cooperative Association (NRECA) to help electric cooperatives expand their cybersecurity capabilities for ICS. The amount will be used to improve the detection process and deploy cyber monitoring tools.
  • CISA, alongside the FBI and the MS-ISAC, issued a joint advisory to inform organizations about DDoS attacks. It also includes recommendations to reduce the likelihood and impact of such attacks.


The Bad


New threat actor groups were reported this week for stealthily launching cyberattacks across the globe. One of them, tracked as OPERA1ER, has been wreaking havoc worldwide for the past three years and has stolen more than $30 million from organizations in 15 different countries. The other group, named Crimson Kingsnake, has been linked to a new BEC attack targeting well-known international law firms. Researchers also reported a jump in the sale of stolen credentials and illegal access to organizations' networks on the dark web.

  • File-sharing and file synchronization service Dropbox disclosed a phishing attack that enabled a threat actor to compromise the GitHub account of one of its employees. The attacker gained access to repositories that stored API keys and the personal information of some of its employees.
  • Ransomware payments increased substantially in 2021 compared to 2020, according to a report from the Financial Crimes Enforcement Network (FinCEN). A total of $1.2 billion was amassed by ransomware gangs, with 75% of them located in Russia.
  • Researchers identified a flaw in PayPal's invoicing service that allows phishing gangs to send legitimate invoices for products/services that have not been purchased. This, in turn, tricks PayPal into acting on the scammers’ behalf and sending phishing emails to unsuspecting users. 
  • According to a new report, access to around 576 corporate networks worldwide for a total cumulative price of $4 million is being sold on underground forums. Cybercriminals purchasing access to these networks can launch credential theft or ransomware attacks. The top targeted organizations include those in the manufacturing and professional services sectors. 
  • A French-speaking cybercrime group tracked as OPERA1ER has been wreaking havoc worldwide for four years, between 2019 and 2021. It has been held responsible for 35 intrusions at different organizations across 15 countries, with most of the attacks targeting African banks. The group is suspected to have stolen more than $30 million. 
  • Education tech giant Chegg is under fire for failing to notify its 40 million users and employees about four data breaches that occurred in the past four years. As per the FTC, the compromised data include Social Security numbers, financial details, dates of birth, and medical information of individuals.
  • Valuable sets of stolen credentials that can be used for credential-stuffing attacks have been put on sale on underground forums. Each database can include millions of credentials and is sold at prices of up to $120,000. The primary reason for the boost in the sale of stolen credentials is that many websites fail to comply with recommended security policies and store passwords in plain text.
  • A cybercrime group named Crimson Kingsnake has emerged in a new BEC attack targeting well-known international law firms. The targeted firms include Allen & Overy, Deloitte, Dentons, Herbert Smith Freehills, and Lindsay Hart, among others. The threat actors impersonate lawyers sending invoices for overdue payment of services.
  • Deribit, a crypto derivatives platform, confirmed that a hacker stole $28 million from its hot wallets. As a safety measure, the firm temporarily halted the withdrawals and quarantined BTC, ETH, and USDC hot wallets. 
  • An ElasticSearch database, belonging to Amazon, was found leaking 215 million records of pseudonymized viewing data. Dubbed Sauron, the database contained Prime Video viewing habits. 



New Threats


Among the new threats that surfaced this week, a destructive data wiper named Azov Ransomware was observed infecting computers that were previously compromised by Smoke Loader malware. The SocGholish malware was used in a cyberespionage attack to cripple U.S. news sites. The Emotet botnet has also been spotted in the wild, spamming users' email addresses.

  • The China-based Cicada hacking group, aka APT10, was observed using a new version of LODEINFO backdoor malware to infect Japanese organizations. The malware was distributed by abusing security software. It uses the XOR algorithm as part of its evasion techniques. The targeted entities include media groups, diplomatic agencies, and think tanks in Japan.
  • Akamai researchers said that they tracked 299 unique phishing toolkits being used in the wild in the third quarter of 2022. Some of the top targeted organizations were Adobe and M&T Bank. 
  • SocGholish (aka FakeUpdates) malware framework was used in a new campaign targeting U.S. news sites. The attack is attributed to the TA569 threat actor group which delivered the malicious payload to over 250 regional and national newspaper sites. 
  • A new clipboard stealer called Clipper, capable of imitating cryptocurrency wallet addresses, is being sold for $549 per year. Researchers have spotted the use of the malware in the wild, with 55 attacks in a month. It is distributed via Smoke Loader and Raccoon Stealer 2.0.
  • A new destructive data-wiping malware called Azov Ransomware has been found infecting computers worldwide. Evidence reveals that the malware is deployed on computers that were previously infected with Smoke Loader. 
  • Malwarebytes Labs spotted a new set of malicious apps on the Google Play Store, infected with trojans. The four apps collectively amassed at least a million downloads. Tracked as Bluetooth Auto Connect; Driver: Bluetooth, Wi-Fi, USB; Bluetooth App Sender; and Mobile transfer: smart switch, these apps were used to steal information from devices.
  • SentinelLabs researchers linked the Black Basta ransomware operations to the FIN7 cybercrime cartel. The connection is based on the analysis of custom tools, including EDR evasion tools, used by the groups.
  • A relatively new phishing toolkit, dubbed Robin Banks, was discovered in a new large-scale campaign that targeted victims to steal their Microsoft account credentials and financial information pertaining to Citibank. 
  • Emotet botnet is back in a new phishing email campaign that uses malicious Excel and Word documents. When users open these documents and enable macros, Emotet is downloaded and gets loaded into memory.
  • Threat actors are using a new spyware, named SandStrike, against the Persian-speaking practitioners of the Bahá'í faith. The malware is propagated via a malicious VPN app for Android users.

Posted on: November 04, 2022