Cyware Weekly Threat Intelligence, September 05 - 09, 2022

The Good

• With the help of blockchain analysts and FBI agents, the U.S government has seized $30 million worth of cryptocurrency stolen by the North Korean threat group Lazarus. The amount was stolen from blockchain-based play-to-earn game Axie Infinity earlier this year.
• The European Union is working on a set of new cybersecurity rules for IoT vendors that are expected to come into effect by 2024. Some of the rules mandate frequent testing of devices for vulnerabilities, encryption of confidential data, and application of security updates regularly. Companies failing to comply with the rules may risk fines of 2.5% of their annual turnover or €15 million (~$15.07 million). 
• The NSA has published requirements for quantum-resistant algorithms that will need to be implemented by vendors and operators of national security systems. The process will be followed in order to secure the classified information that is critical for military and intelligence activities.

The Bad

• Threat actors were found leveraging hacked Facebook business pages to spread RedLine Stealer. These accounts belonged to a Brazilian ISP, Mexican sporting goods store, a mountain tourism site in Slovakia, and a computer repair shop in the Philippines. The malware is available on dark web forums for about $100 to $150. 
• The FBI, CISA, and MS-ISAC have warned about the rising Vice Society ransomware attacks against the education sector. The attack is initiated by escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating.
• Classified NATO documents belonging to the Armed Forces General Staff agency of Portugal (EMGFA) are put on sale on the dark web. The stolen documents were spotted by the U.S. Information Services after which it alerted the Portuguese authorities by informing the U.S. embassy in Lisbon. 
• Around 20,000 accounts associated with The North Face outdoor apparel brand were compromised in a credential stuffing attack. These accounts included personal information, such as full names, billing addresses, shipping addresses, telephone numbers, and XPLR Pass reward records of users.
• More than 85% of financial institutions in Central and Western Africa were repeatedly targeted in a newly discovered DangerousSavanna campaign. The threat actors behind this campaign used spear-phishing emails as a means of initial infection. Some of the hacking tools used in the campaign include Metasploit, PoshC2, DWservice, and AsyncRAT. 
• Internet users downloading pirated versions of the House of the Dragon series are at high risk of malware infection. Cybercriminals are leveraging the widely popular series to deploy malware onto infected systems.
• A ransomware attack against the Savannah College of Art and Design (SCAD) resulted in the compromise of the sensitive information of hundreds of current and former students. AvosLocker claimed responsibility for the attack.
• A hacker claimed to have pilfered 2 billion TikTok records, including 760 GB of user data. While security analysts confirmed the breach, the social media platform denied any such incident.
• Local governments and high-profile organizations in Asia are being targeted by a new espionage gang, named Worok, which has been active since 2020. The group uses ProxyShell exploits for initial access.
• Researchers at Mandiant and Microsoft have linked a series of cyber espionage attacks targeted against the Albanian government. Microsoft reported four different Iranian APTs—DEV-0842, DEV-0861, DEV0166, and DEV-0133—were involved in attacks that were believed to be active since 2021.  
• Nearly 5 million attack attempts targeting a zero-day flaw in the BackupBuddy plugin were observed this week. The flaw could allow attackers to download arbitrary files from affected sites which can include sensitive data. 

New Threats

• The TA505 threat actor group has been linked to a TeslaGun software control panel that is designed to manage the ServHelper backdoor. The panel allows its operators to see victims’ data including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, and Comments.
• SharkBot Android trojan disguised as fake updates for antivirus was used to infect users across the U.S., Spain, Poland, Austria, Germany, and Australia in a new campaign. The apps were distributed through Google Play Store. 
• Researchers identified a new targeted attack that leveraged a previously undiscovered trojan to target Farsi-speaking code developers. The source code of the malware is available on GitHub and includes roughly 50 different functionalities.
• A new version of Bumblebee malware loader is spotted in the wild. It features a new infection method that uses the PowerSploit post-exploitation framework for stealthy reflective injection of a DLL payload into memory.
• QNAP NAS devices are again under attack by DeadBolt ransomware. The attackers are exploiting a zero-day vulnerability in Photo Station. Meanwhile, the company has issued patches for the flaw to prevent exploitation.
• Lazarus APT is using a new malware dubbed MagicRAT to target the U.S energy sector. The malware is designed to steal data from infected devices. In a few cases, the malware was distributed by exploiting vulnerabilities in VMWare Horizon servers. Other malware, such as VSingle and YamaBot, are also being used in the campaign.
• Moobot, a variant of Mirai botnet, was found targeting old and new vulnerabilities affecting D-Link routers. One of these vulnerabilities dates back to 2015. 
• A new malware named Shikitega has been found targeting endpoints and IoT devices that are running the Linux operating system. The malware exploits system vulnerabilities to gain high privileges and deploy cryptominers. 
• Attackers behind Qyick, Agenda, BlackCat, Black Basta, and PLAY ransomware strains are leveraging a new Intermittent encryption approach to accelerate the process of encryption and evade detection on victims’ systems. The tactic is being intensively advertised to attract buyers and affiliates.
• Intel471 researchers found a new ransomware gang that goes by the name of Monti. It appears to use a ransomware strain similar to Conti, the source code of which was leaked earlier this year.