Cyware Weekly Threat Intelligence, February 13-17, 2023

The Good

• The White House Office of the National Cyber Director confirmed it will include guidance on post-quantum cryptography in the upcoming National Cybersecurity Strategy to fortify digital networks. This will enable the government and private industries to better safeguard sensitive information, such as medical and personal data, against cyberattacks in the coming years.  
• The Biden administration has ordered federal agencies to use only .gov and .mil domains for official updates as a way to bolster trust and improve the security of official government communications. The order strictly comes into effect from May 8.
• The DoJ has launched a new Disruptive Technology Strike Force to address several national security threats. The force will consist of top experts and will use intelligence and data analytics to tackle nation-state-sponsored cyberattacks, supply chain attacks, and abuse of sensitive data. The force is also assigned with the job of providing early warnings of threats to critical assets.

The Bad

• Scandinavian Airlines (SAS) suffered a cyberattack that affected its customer-side operations. The airline revealed that the passengers who were using its app and website at the time of the attack had their contact details, flight history, and payment card numbers exposed. 
• A hacking crew called SiegedSec targeted Atlassian by gaining access to a third-party contractor’s systems and stole the personal data of more than 13,000 employees, along with floor plans for two of Atlassian’s offices. The exposed data included names, email addresses, work departments, and other information of employees.
•  Threat actors were found using fake Emsisoft code-signing certificates to gain initial access to an enterprise network. They signed the MeshCentral executable with the fake certificate to bypass security checks and move laterally across the network which enabled them to deploy ransomware.
• The ASEC analysis team recently discovered the distribution of Paradise ransomware through a vulnerability in the AweSun remote control program. Detailed information about the exploitation process is yet to be confirmed. However, it is believed that they are the same group who had exploited the Sunlogin vulnerability to deploy the Sliver backdoor and Cobalt Strike in a recent attack.   
• Cutout, a popular AI image editing tool, suffered a data breach that exposed user images, usernames, and email addresses. An unsecured Elasticsearch database belonging to the tool included 9GB of user data with 22 million log entries. It also had information on the number of user credits, a virtual in-game currency, and links to Amazon S3 buckets.
• Xavier University, Louisiana, reported a data breach that involved the compromise of Social Security numbers and other personal information of more than 44,000 students and vendors. The university disclosed that the data was exposed following a cyberattack on November 22. 
• The threat actors behind a massive AdSense fraud campaign have infected 10,890 WordPress sites since September 2022. The activity had surged in January, with over 2,600 sites being detected. The hacked websites redirected users to low-quality websites running the Question2Answer CMS. 
• Cracked versions of Hogwarts Legacy, the recently released Harry Potter video game, were found leading users to websites conducting survey scams. This ultimately led to the execution of a trojan and adware on victims’ systems. 
• German airport websites were hit by DDoS attacks once again. The alleged attack took place a day after an IT failure that caused cancellations and delays for thousands of passengers traveling via the country’s flag carrier Lufthansa. The investigations are underway. 

New Threats

• A new malware named Beep includes a wide range of evasion tactics, offering cybercriminals an opportunity to distribute their own payloads. The malware is offered as Malware-as-a-Service (MaaS) and is delivered via phishing emails, social networking platforms, or public file-hosting services. 
• Chinese threat actor 8220 Gang has been found consistently changing its C2 IP addresses to exploit Linux and cloud app vulnerabilities to expand its botnet and cryptomining attacks. The gang was also found using the ‘onacroner’ script, something that has been previously used by the Rocke cryptomining group.
• Researchers have associated two new malware with the infamous SideWinder APT. They are tracked as RAT.b and StealerPy. While the former is designed to harvest various data, the latter uses Telegram to communicate with the compromised target machines.
• Microsoft tracked a new campaign associated with the DEV-0147 group. Described as an expansion of the group’s operation, the campaign targeted diplomatic entities in South America. The group used ShadowPad and QuasarLoader as part of the campaign.  
• Researchers at Censys disclosed the increase in ransomware attacks aimed at VMware ESXi instances as ESXiArgs ransomware enters Europe. So far, the ransomware has infected over 500 systems located in France, the Netherlands, Germany, the U.K., and Ukraine. 
• A campaign, which is active since December 2022, has been targeting crypto users by deploying MortalKombat ransomware and a Go variant of the Laplas clipper malware on victims’ systems. The campaign mainly targets victims in the U.S., followed by the U.K., Turkey, and the Philippines. 
• The North Korean state-sponsored hacking group APT37, also known as RedEyes or ScarCruft, has recently added a new evasive malware dubbed M2RAT to its arsenal. The group is using the malware in conjunction with a steganography technique to target specific individuals and steal personal PC information and mobile phone data.
• Researchers observed that the Dark Caracal APT is currently using a new version of Bandook spyware to target Windows systems. So far, more than 700 computers have been infected by the malware, with a majority of them (approximately 75%) located in the Dominican Republic and 20% identified in Venezuela.
• A malware dubbed Frebniis is being used against targets in Taiwan. The malware abuses a feature of Microsoft’s Internet Information Services (IIS) to deploy a backdoor onto the targeted systems. It is also capable of intercepting the regular flow of HTTP request handling. 
• Two groups, identified as Midnight Hedgehog and Manadarin Capybara, have been found impersonating executives to launch BEC attacks worldwide. While the first group is engaged in payment fraud, Mandarin Capybara executes payroll diversion attacks. Both groups have launched BEC campaigns in at least 13 different languages, including Danish, Dutch, Estonian, French, German, Hungarian, Italian, Norwegian, Polish, Portuguese, and Spanish. 
• A variant of the Mirai botnet, dubbed V3G4, is exploiting IoT devices for DDoS attacks. One of the prime targets of the botnet includes exposed IP cameras. Researchers claim that the botnet has been leveraging several vulnerabilities to spread its infection from July to December 2022. 
• A new threat cluster tracked as WIP26 relies heavily on public cloud infrastructure to target telecommunication providers in the Middle East. It also used the backdoors dubbed CMD365 and CMDEmber to abuse Microsoft 365 Mail and Google Firebase services for C2 purposes.