Go to listing page

Cyware Weekly Threat Intelligence, September 12 - 16, 2022

Cyware Weekly Threat Intelligence, September 12 - 16, 2022

Share Blog Post

The Good

EU and US authorities have issued friendly directives to enhance the security of software supply chains. These new moves follow the increasing attacks against government and private organizations. In another update, the CISA has rolled out its strategic roadmap for the next three years, which primarily focuses on building resilient critical infrastructure for Americans.

  • The CISA has announced the release of its 2023–2025 strategic plan that aims to focus on reducing risk and building resilience to cyber threats to the nation’s infrastructure. The plan is built on the foundation of CISA Strategic Intent, published in 2019. 
  • In another good news, the CISA is considering partnering with U.S. universities to educate students about cybersecurity fundamentals to make them capable for responding to hotline emergency calls, an idea which was proposed earlier this year. The emergency hotline will be available on 311.
  • OpSec mistakes have spilled the artifacts and tactics of yet another threat actor group. Researchers have got their hands on the personas and companies associated with the Iran-based Cobalt Mirage APT group that has been prominent since 2020.  
  • The Office of Management and Budget (OMB) has published a new memorandum that aims to improve the security of software supply chains. The directive calls for federal agencies to use software built with common cybersecurity practices. 
  • Europe’s new Cyber Resilience Act (CRA) was presented this week to bolster the security of hardware and software products. One of the rules mandates the cybersecurity requirements for products with digital elements, throughout the development lifecycle. 

The Bad

The healthcare sector needs to be on maximum alert as hackers are targeting firms left, right, and center. In two different advisories, the FBI has highlighted the points of targets, with one of them associated with healthcare payment processors. The agency said that more than $4 million was diverted to attackers’ accounts this year, so far, by targeting payment processors. Meanwhile, the infamous Operation Dream Job campaign is still underway, deploying AIRDRY.V2 backdoor on victims’ systems. 

  • The legislature of Buenos Aires, Argentina, was targeted in a ransomware attack that affected its operating systems and Wi-Fi connectivity. To prevent the further spread of the attack, the authorities took down the building’s WiFi network, among other systems.
  • Popular moving truck service U-Haul is sending out breach notifications that affected the personally identifiable information of users. The company disclosed that names, driver’s license numbers, and state identification numbers were viewed and potentially stolen by hackers between November 2021 and April 2022. 
  • Lorenz ransomware group exploited a flaw in MiVoice Connect’s Mitel Service Appliance component to gain access to a corporate network. The attackers waited for a month after gaining initial access and then performed lateral movement. They utilized FileZilla for data exfiltration and performed encryption through BitLocker.
  • Mandiant discovered a threat cluster, dubbed UNC4034, using trojanized versions of the PuTTY SSH client to deploy AIRDRY.V2 backdoor on targets’ devices. The activities appear to be a continuation of the Operation Dream Job campaign that has been active since 2020.
  • The Hive ransomware gang claimed responsibility for an attack on Bell Canada subsidiary Bell Technical Solutions (BTS). The company acknowledged the attack, stating that some operational and employee information was accessed in the attack.  
  • Akamai mitigated a record-breaking DDoS attack that targeted a company in Eastern Europe. The attack peaked at 704.8 Mpps. It is the second time the same entity was targeted by the attackers.
  • Russia-based Gamaredon hacking group has been targeting Ukrainian entities with a new info-stealing malware that is designed to steal specific computer file types, as well as deploy additional malware. It is delivered by a PowerShell script.
  • The FBI has issued an alert about hackers targeting healthcare payment processors to route payments to their bank accounts. This year alone, threat actors have stolen more than $4.6 million from healthcare companies. In another alert, the agency warned the sector that threat actors are continuing to exploit unpatched and outdated medical devices. 
  • A phishing attack took the advantage of the demise of Queen Elizabeth II to steal Microsoft credentials. The attackers also attempted to steal MFA codes to take over victims’ accounts.
  • A BEC group called Chiffon Herring targeted teachers in an impersonation attack to steal their checks. The general structure of the attack from the group is similar to many other payroll diversion attacks.
  • IPCA Laboratories, one of the biggest pharmaceutical companies in India, has been targeted in a cyberattack and the extortion group claims to have stolen 500GB of data from its systems. A portion of the company’s data was published on RansomHouse’s leak site.

New Threats

Emotet is proving too effective to be abandoned by cybercriminals. Throughout 2022, the banking trojan has infected over a million systems and the number will likely surge in the coming months. Moreover, it is also being used in attacks to deploy Quantum and BlackCat ransomware. Lately, several backdoor malware attacks caught the attention of researchers with one of them being used against government entities, aerospace firms, and IT organizations in Asia. 

  • A new cybercrime forum, called Breached, has replaced the now defunct RaidForums marketplace. The dark web forum includes old dumps from RaidForums and data related to software cracking, leaks, tutorials, and tech.
  • OriginLogger, also known as Agent Tesla v3, is a new variant of Agent Tesla keylogger malware. It is distributed via a Microsoft Word document containing a passport-size photo, along with a credit card. 
  • Researchers observed over 1 million computers infected by Emotet in 2022. There has also been a notable shift in the usage of the banking trojan as it turns out to be the new dropper for Quantum and BlackCat ransomware.
  • Fishpig extensions for Magento 2 were hacked to install the Rekoobe backdoor malware. The Fishpig distribution server was compromised on or before August 19. Any Magento store that installed or updated paid Fishpig extensions since then is now likely running the Rekoobe malware.
  • A new cyberespionage activity focusing on government entities, aerospace firms, and IT organizations in Asia was found to have been active since 2021. The attack begins with a malicious DLL that executes the ShadowPad RAT.
  • StrongPity threat actors abused Notepad++ plugins to circumvent security mechanisms and deploy a backdoor by achieving persistence on victims’ systems. The backdoor was used to install a keylogger that stole information from the compromised systems.
  • A new self-spreading malware bundle has been promoted in the form of fake cheat codes and cracks for popular games like FIFA, Final Fantasy, Forza Horizon, Lego Star Wars, and Spider-Man. These cheat codes and cracks are advertised via YouTube videos. 
  • The SparklingGoblin threat group is attributed to developing a Linux variant of SideWalk backdoor that targets the Windows sector in the education sector. The variant was deployed against only one victim in February 2021, a university in Hong Kong.
  • The Webworm cyberespionage group is experimenting with customized old malware strains to target IT service providers in Asia. One of the malware being used is Trochilus RAT.
  • A significant change in the distribution tactics used by the operators of Magniber ransomware has been observed. The attackers have replaced MSI installers with JavaScript executable files to deploy ransomware.
  • Malicious actors were found exploiting both old and new Oracle WebLogic Server vulnerabilities to deliver different malware families, with Kinsing being one of them. One of these vulnerabilities is tracked as CVE-2020-14882. 


lorenz ransomware group
buenos aires
europes new cyber resilience act
shadowpad rat
gamaredon hacking group
ipca laboratories
chiffon herring
cobalt mirage apt group
webworm cyberespionage group
hive ransomware

Posted on: September 16, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.