Go to listing page

Cyware Weekly Threat Intelligence, February 27 - March 03, 2023

Cyware Weekly Threat Intelligence, February 27 - March 03, 2023

Share Blog Post

The Good

The Biden administration has unveiled the much anticipated National Cybersecurity Strategy that aims at improving cyber resilience and disrupting cyber threat operations. The plan will also focus on expanding the cyber workforce and enhancing the cybersecurity of critical infrastructure. Furthermore, the CISA released an open-source tool to help defenders map attacker behavior to the MITRE ATT&CK framework.

  • The White House unveiled its National Cybersecurity Strategy that focuses on securing cyberspace across public and private sectors. The strategy includes mandatory regulations on critical infrastructure vendors and offensive actions to deal with nation-state actors. The strategy will enable the FBI’s National Cyber Investigative Joint Task Force to work in tandem with all relevant U.S. agencies. 
  • The HHS Office for Civil Rights (OCR) announced the inclusion of three new divisions as part of its restructuring efforts to manage the increased volume of HIPAA and HITECH complaints and compliance reviews. This will improve OCR’s ability to effectively respond to complaints while meeting the growing demands to address health information privacy and cybersecurity concerns.
  • The CISA released an open-source tool to help defenders map an attacker’s behaviors to the MITRE ATT&CK framework. The tool can also be used to assess security tools, identify defense gaps, hunt for threats, and validate mitigation controls. 

The Bad

Several major data leak events made headlines this week. For instance, the operators of darkweb marketplace BidenCash, on its first anniversary, made the stolen data of over two million people public. In other news, a security lapse in video marketing software Animaker exposed the personal details of over 700,000 users. Meanwhile, Colombian entities were hit again by the Blind Eagle APT that deployed QuasarRAT on victims’ systems.

  • The BidenCash dark web marketplace leaked over two million credit card details to the public. The leaked dataset contained information such as full names, card numbers of CVV numbers, and home addresses of users from the U.S., China, Mexico, India, Canada, and the U.K. The operators had leaked the trove of data to celebrate one year birthday of the carding shop.
  • In a new update on ransomware attacks, the Canada-based bookseller Indigo revealed that the personal data of some of its employees were improperly accessed by threat actors. However, no customer data is not affected by the attack. Meanwhile, online ordering is still limited and delivery estimate systems are under maintenance. 
  • Organizations in Colombia suffered another round of attacks from the Blind Eagle APT group. The gang impersonated a Colombian government tax agency to target judiciary, financial, government, and law enforcement organizations in the country. The campaign also targeted some organizations in Chile, Spain, and Ecuador. 
  • Cryptocurrency hardware firm Trezor acknowledged an ongoing multi-channel phishing campaign that tricked customers into gaining access to their wallets. The attackers used phone calls, SMS, and emails to inform users that a security breach or suspicious activity was detected on their Trezor account.
  • The Blackfly espionage group recently targeted two subsidiaries of an Asian conglomerate, in an attempt to steal intellectual property. It used a series of tools as part of the infection process, including Winnkit backdoor and Mimikatz.
  • An advanced hacking operation dubbed SCARLETEEL was found targeting public-facing web apps to infiltrate cloud services and steal sensitive information. The threat actors had used cryptominers as a decoy for the theft of proprietary software.
  • A misconfigured database belonging to video marketing software Animaker caused the leak of the personal details of over 700,000 of its users. The database contained 5.3 GB of data such as full names, IP addresses, postal codes, mobile numbers, email addresses, and profile data of users.
  • Cryptocurrency companies were targeted as part of a new campaign that delivered a remote access malware called Parallax RAT. The attackers leveraged injection techniques to hide the malware within legitimate processes, thus, making it difficult for security solutions to detect. 
  • Resecurity identified one of the largest investment fraud networks, called Digital Smoke, that impersonated Fortune 100 corporations to defraud internet users across multiple countries. The campaign targeted users in Australia, Canada, China, Colombia, India, Singapore, Malaysia, Saudi Arabia, Mexico, and the U.S.
  • American fast-food chain Chick-fil-A confirmed that customers’ accounts were breached in a months-long credential-stuffing attack. This allowed threat actors to use stored reward balances and access personal information. The warning came after it was found that the user accounts were put on sale for prices ranging from $2 to $200.  

New Threats

On the new threats side, the prominence of the RIG exploit kit in the wild continues to worry security experts. It was found that the tool is being used to make roughly 2,000 intrusions daily by abusing old Internet Explorer unpatched vulnerabilities. A new sniffer malware, dubbed R3NIN, targeting e-commerce sites is also in the spotlight for stealing credit card details from customers. Additionally, a unique UEFI bootkit called BlackLotus was launched on a dark web forum; it is capable of bypassing Secure Boot defenses in Windows 11 systems.

  • The R3NIN sniffer is an evolving threat to e-commerce consumers. The malware is implanted in the form of an encoded malicious script into the web server and gets activated when a user accesses a corrupted web page. Upon execution, the sniffer malware steals sensitive information from users.
  • A stealthy UEFI bootkit called BlackLotus is the first publicly-known malware that is capable of bypassing Secure Boot defenses. The bootkit, offered at a price of $5,000, is designed to enable threat actors to take full control over the operating system boot process. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
  • GootLoader and SocGholish malware were jointly observed in a new campaign that targeted six different law firms between January and February. The campaign notably employed the SEO poisoning tactic to funnel victims searching for business-related documents. These documents redirected victims to websites that dropped the JavaScript malware. 
  • A lesser-known threat group called Iron Tiger has updated its SysUpdate remote access malware to compromise Linux systems. The threat actors were found expanding their scope of attack beyond WIndows last summer and were seen targeting Linux and macOS systems using a new backdoor named rshell.
  • A new LockBit campaign observed between December 2022 and January 2023 was found using a combination of techniques to evade AV and EDR solutions. The campaign targeted users in Mexico and Spain, mainly in consulting and law firms.
  • RIG continues to make its mark as a successful exploit kit, attempting to make roughly 2,000 intrusions daily. By exploiting relatively old Internet Explorer vulnerabilities, the exploit kit has been seen distributing various types of malware such as Dridex, SmokeLoader, and Raccoon Stealer. 
  • The infamous threat actor Mustang Panda has been observed using an unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January. The campaign targeted entities in Bulgaria, Australia, and Taiwan.


socgholish malware framework
rig exploit kit
blacklotus bootkit
bidencash dark web forum
credential stuffing attack
mitre attck framework
digital smoke

Posted on: March 03, 2023

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite