
Cyware Weekly Threat Intelligence, September 05 - 09, 2022


The Good

In a big win, the U.S. government has managed to recover $30 million worth of cryptocurrency that was stolen by Lazarus from Axie Infinity earlier this year. This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized. In other significant developments, government agencies in the EU are preparing new cybersecurity rules to counter the rising attacks against IoT devices. The rules are likely to be unveiled next week.

  • With the help of blockchain analysts and FBI agents, the U.S. government has seized $30 million worth of cryptocurrency stolen by the North Korean threat group Lazarus. The amount was stolen from the blockchain-based play-to-earn game Axie Infinity earlier this year.
  • The European Union is working on a set of new cybersecurity rules for IoT vendors that are expected to come into effect by 2024. Some of the rules mandate frequent testing of devices for vulnerabilities, encryption of confidential data, and application of security updates regularly. Companies failing to comply with the rules may risk fines of 2.5% of their annual turnover or €15 million (~$15.07 million). 
  • The NSA has published requirements for quantum-resistant algorithms that will need to be implemented by vendors and operators of national security systems. The process will be followed in order to secure the classified information that is critical for military and intelligence activities.

The Bad

The education sector, especially K-12 institutions, is again on the target list of ransomware attackers. The FBI has issued a warning to that effect while highlighting the rising notoriety of Vice Society ransomware. A sophisticated cyberespionage campaign that targeted over 85% of financial institutions across Central and Western Africa also came under the lens of researchers. The campaign, named DangerousSavanna, leveraged spear-phishing emails, Metasploit, PoshC2, and DWservice to drop malicious payloads on victims’ systems.
  • Threat actors were found leveraging hacked Facebook business pages to spread RedLine Stealer. These accounts belonged to a Brazilian ISP, Mexican sporting goods store, a mountain tourism site in Slovakia, and a computer repair shop in the Philippines. The malware is available on dark web forums for about $100 to $150. 
  • The FBI, CISA, and MS-ISAC have warned about the rising Vice Society ransomware attacks against the education sector. The attack is initiated by escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating.
  • Classified NATO documents belonging to the Armed Forces General Staff agency of Portugal (EMGFA) were put up for sale on the dark web. The stolen documents were spotted by the U.S. Information Services, which alerted the Portuguese authorities through the U.S. embassy in Lisbon.
  • Around 20,000 accounts associated with The North Face outdoor apparel brand were compromised in a credential stuffing attack. These accounts included personal information, such as full names, billing addresses, shipping addresses, telephone numbers, and XPLR Pass reward records of users.
  • More than 85% of financial institutions in Central and Western Africa were repeatedly targeted in a newly discovered DangerousSavanna campaign. The threat actors behind this campaign used spear-phishing emails as a means of initial infection. Some of the hacking tools used in the campaign include Metasploit, PoshC2, DWservice, and AsyncRAT. 
  • Internet users downloading pirated versions of the House of the Dragon series are at high risk of malware infection. Cybercriminals are leveraging the widely popular series as a lure to deploy malware onto victims’ systems.
  • A ransomware attack against the Savannah College of Art and Design (SCAD) resulted in the compromise of the sensitive information of hundreds of current and former students. AvosLocker claimed responsibility for the attack.
  • A hacker claimed to have pilfered 2 billion TikTok records, including 760 GB of user data. While security analysts confirmed the breach, the social media platform denied any such incident.
  • Local governments and high-profile organizations in Asia are being targeted by a new espionage gang, named Worok, which has been active since 2020. The group uses ProxyShell exploits for initial access.
  • Researchers at Mandiant and Microsoft have attributed a series of cyberespionage attacks against the Albanian government to Iranian actors. Microsoft reported that four different Iranian APTs—DEV-0842, DEV-0861, DEV0166, and DEV-0133—were involved in attacks believed to have been active since 2021.
  • Nearly 5 million attack attempts targeting a zero-day flaw in the BackupBuddy plugin were observed this week. The flaw could allow attackers to download arbitrary files from affected sites which can include sensitive data. 

New Threats

Despite the setback from the cryptocurrency seizure, Lazarus APT remains undeterred and has found a new way to infect victims’ networks. The gang is deploying a new RAT dubbed MagicRAT by exploiting vulnerabilities in VMware Horizon platforms. There is also an update on a new encryption tactic adopted by several ransomware gangs. Called intermittent encryption, the tactic is believed to speed up the encryption process and help the attackers evade detection.

  • The TA505 threat actor group has been linked to a TeslaGun software control panel that is designed to manage the ServHelper backdoor. The panel allows its operators to see victims’ data including SYSID/ID/IP, Country/State/City, First Time Connected/Last Time Connected, and Comments.
  • The SharkBot Android trojan, disguised as fake antivirus updates, was used to infect users across the U.S., Spain, Poland, Austria, Germany, and Australia in a new campaign. The apps were distributed through the Google Play Store.
  • Researchers identified a new targeted attack that leveraged a previously undiscovered trojan to target Farsi-speaking code developers. The source code of the malware is available on GitHub and includes roughly 50 different functionalities.
  • A new version of the Bumblebee malware loader has been spotted in the wild. It features a new infection method that uses the PowerSploit post-exploitation framework for stealthy reflective injection of a DLL payload into memory.
  • QNAP NAS devices are again under attack by DeadBolt ransomware. The attackers are exploiting a zero-day vulnerability in Photo Station. Meanwhile, the company has issued patches for the flaw to prevent exploitation.
  • Lazarus APT is using a new malware dubbed MagicRAT to target the U.S. energy sector. The malware is designed to steal data from infected devices. In a few cases, the malware was distributed by exploiting vulnerabilities in VMware Horizon servers. Other malware, such as VSingle and YamaBot, is also being used in the campaign.
  • Moobot, a variant of Mirai botnet, was found targeting old and new vulnerabilities affecting D-Link routers. One of these vulnerabilities dates back to 2015. 
  • A new malware named Shikitega has been found targeting endpoints and IoT devices that are running the Linux operating system. The malware exploits system vulnerabilities to gain high privileges and deploy cryptominers. 
  • Attackers behind the Qyick, Agenda, BlackCat, Black Basta, and PLAY ransomware strains are leveraging a new intermittent encryption approach, encrypting only parts of each file, to accelerate encryption and evade detection on victims’ systems. The tactic is being intensively advertised to attract buyers and affiliates.
  • Intel471 researchers found a new ransomware gang that goes by the name of Monti. It appears to use a ransomware strain similar to Conti, the source code of which was leaked earlier this year.
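As an added illustration (not part of the Cyware digest or of any vendor's tooling), one defender-side heuristic for spotting the on-disk footprint that intermittent encryption leaves: compute per-chunk entropy and flag files where ciphertext-like chunks alternate with plaintext-like ones, which a whole-file entropy check would average away. The chunk size, thresholds and sample file are assumptions constructed for the example.

```python
import math
import os
from collections import Counter

CHUNK = 4096   # block size for the entropy profile (assumption; partial encryptors often work in fixed blocks)
HIGH = 7.5     # bits/byte at or above which a chunk looks ciphertext-like (assumption)
LOW = 6.0      # bits/byte at or below which a chunk looks like plaintext or structured data (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list[float]:
    """Per-chunk entropy; the profile, not the file-wide average, separates partial from full encryption."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK) -> str:
    """'full' if every chunk is ciphertext-like, 'intermittent' if ciphertext-like and
    plaintext-like chunks interleave, otherwise 'plain'."""
    profile = entropy_profile(data, chunk)
    high = [e >= HIGH for e in profile]
    low = [e <= LOW for e in profile]
    if profile and all(high):
        return "full"
    # Count switches between plaintext-like and ciphertext-like neighbouring chunks
    transitions = sum(1 for a, b in zip(high, high[1:]) if a != b)
    if any(high) and any(low) and transitions >= 2:
        return "intermittent"
    return "plain"


def build_sample(blocks: int = 8, chunk: int = CHUNK) -> bytes:
    """Constructed sample: a text file in which every other block has been overwritten
    with random bytes, mimicking the footprint of block-wise partial encryption."""
    text = (b"quarterly revenue report, region north, status final\n" * 100)[:chunk]
    return b"".join(os.urandom(chunk) if i % 2 else text for i in range(blocks))


if __name__ == "__main__":
    sample = build_sample()
    for i, e in enumerate(entropy_profile(sample)):
        print(f"chunk {i}: {e:.2f} bits/byte")
    print("verdict:", classify(sample))
```

In practice the heuristic is a triage signal to pair with file-modification telemetry, since legitimately compressed or encrypted formats score as 'full' rather than 'intermittent'.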


Posted on: September 09, 2022
