Cyware Weekly Threat Intelligence, December 19-23, 2022

The Good

• President Joe Biden signed the Quantum Computing Cybersecurity guidelines into law to motivate federal agencies to adopt technology protected from decryption by quantum computing. Called Quantum Computing Cybersecurity Preparedness Act, the bill will help organizations to protect systems against quantum tech threats.
• Owing to the evolving security standards, NIST has set a timeline to remove the support for the SHA-1 algorithm from all hardware and software devices. The agency recommends switching to SHA-2 or SHA-3 for securing electronic information.
• The French government has announced a vast training program to help hospitals and medical facilities protect themselves against cyberattacks. The development comes following repeated attacks against hospitals that see either hackers damaging their critical infrastructures or stealing patients’ sensitive data.

The Bad

• A data breach at BetMGM, a sports betting firm, resulted in the compromise of names, contact details, dates of birth, social security numbers, and account identifiers of customers. The number of users affected in the incident remains unknown.
• Cybercriminals behind the Raspberry Robin worm were linked to a cyberespionage campaign targeting telecommunications and government organizations across Europe, Oceania, and Latin America. The malware was propagated via infected USB drives. 
• FortiGuard researchers came across two holiday-themed phishing campaigns that led to the distribution of AgentTesla and a backdoor malware. Threat actors used specially-crafted emails to trick unsuspecting users into downloading the malware that exfiltrated information from their machines.
• A phishing campaign impersonating the Chinese Ministry of Finance and other state institutions was used to steal credit card credentials and other sensitive information. Malicious QR codes that came embedded within the attached documents were used to redirect unsuspecting users to sites that prompted them to add their banking details.
• Comcast Xfinity accounts were hacked through credential stuffing attacks that bypassed the 2FA protection. This enabled the attackers to use the compromised accounts and reset passwords for other sites, such as Coinbase and Gemini.
• German industrial engineering and steel production giant Thyssenkrupp was again targeted by cybercriminals. However, the company’s IT security team detected the incident at an early stage, preventing the attackers from doing further damage. 
• Some parts of The Guardian’s IT infrastructure were affected in a ransomware attack this week. Reports suggest that the entire data center network is impacted by the attack. The incident occurred on December 20 and it is unclear if any sensitive data has been taken by the attackers. 
• Shoemaker Ecco left 50 indices exposed to the public internet, with over 60GB of data accessible since June 2021. The server misconfiguration could have impacted millions of users. The exposed data ranged from sales to system information. Anyone with access to the misconfigured server could have viewed, edited, copied, or deleted the data. 
• The FBI warned against threat actors using search engine ads to promote websites propagating ransomware or exfiltrating login credentials for crypto exchanges and financial institutions. These attacks are executed by purchasing advertisements that impersonate legitimate services or businesses.
• The Play ransomware gang claimed responsibility for an attack on Germany-based H-Hotels by listing the company on its Tor site. The data stolen includes client documents, passports, IDs, and more.
• Sensitive information of more than 100,000 students was left publicly exposed due to misconfigured AWS S3 buckets belonging to McGraw Hill. These unprotected buckets contained more than 22 TB of data and over 117 million files and were fixed on July 20. 
• Restaurant CRM platform SevenRooms confirmed suffering a data breach after a hacker claimed to have stolen 427GB of customer records and leaked a sample on a cybercrime forum. The leaked sample included a folder named after big restaurant chains, clients of SevenRooms, API keys, promo codes, payment reports, reservation lists, and more. 
• Popular authentication services and IAM solutions provider Okta suffered a breach impacting its private GitHub source code repositories. The company said attackers could not access the Okta service or its customers’ data. 

New Threats

• A new info-stealer named RisePro has garnered popularity on the illicit dark web forum called Russian Market. The malware is a clone of Vidar stealer and has been designed primarily to steal credentials and exfiltrate them in the form of logs. 
• The PyPI repository was the target of multiple attacks this week. In one incident, the malicious packages were embedded with ten stealer variants that borrowed base code from W4SP stealer. In another instance, a malicious package masquerading as SentinelOne SDK was uploaded to the repository to harvest sensitive data from developers. 
• A new Android malware, dubbed BrasDex, was spotted targeting Brazilian users in a new campaign. Developed by threat actors behind the Casbaneiro banking trojan, the malware possesses a complicated keylogging capability that abuses Android Accessibility Services and pilfers credentials from a set of Brazilian banking apps.  
• Researchers discovered a new exploit method that bypasses the URL rewrite mitigations provided for ProxyNotShell. Called OWASSRF, the vulnerability abuses CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution through Outlook Web Access (OWA). As per the latest update, eight organizations have observed such exploitation attempts.
• The capabilities of the Zerobot botnet have been expanded to target new devices, including firewalls, routers, and cameras. The new variant supports seven additional types of DDoS capabilities, including UDP_RAW, TCP_XMAS, ICMP_FLOOD, TCP_SYN, TCP_ACK, TCP_SYNACK, and TCP_CUSTOM attack methods. 
• The infamous Vice Society ransomware group has added a new ransomware, dubbed PolyVice, to its arsenal. The ransomware implements a robust encryption scheme using NTRUEncrypt and ChaCha20-Poly1305 algorithms. 
• The Fin7 hacking group has created an automated system called Checkmarks to breach corporate networks by exploiting unpatched Microsoft Exchange servers. The attack platform has already breached over 8000 companies, primarily in the U.S.
• A new version of Godfather Android banking trojan was spotted in the wild. The malware masqueraded as MYT Music app on the Google Play Store to target users in the U.S., Spain, Turkey, Canada, Germany, and the U.K.
• A new variant of IceID trojan was being distributed in a malvertising campaign that abused Google PPC ads. The variant is tracked as 'TrojanSpy.Win64.ICEDID.SMYXCLGZ' and includes multiple evasion functionalities to bypass security checks.