Cyware Weekly Threat Intelligence, February 20-24, 2023

The Good

• The U.K. government has announced it will invest a sum of around $22 million in Northern Ireland’s cybersecurity industry. A portion of the amount will be used to create a new Cyber-AI Hub at the Centre for Secure Information Technologies (CSIT) in Belfast. The new Cyber-AI Hub will support the research and development of AI-enabled cybersecurity projects.
• The NSA has issued fresh guidelines to help remote workers secure their home networks from cyber threats. It includes a long list of recommendations such as keeping the software up to date, backing up the data regularly, and limiting the user-account privileges on the computer. The guide also urges users to replace routers as soon as or before they reach their end-of-life date.  
• Google is exploring new protection mechanisms to improve the security of Android at the firmware level. The plan is to strengthen Android’s Application Processor by enabling compiler-based mitigations. Additionally, the focus is on providing additional security to mitigate Control Flow Integrity (CFI), Kernel Control Flow Integrity (KCFI), ShadowCallStack, and Stack Canaries to improve the performance of Android devices. 

The Bad

• Web hosting giant GoDaddy disclosed that it was a victim of a multi-year security breach that started in May 2020. The same attackers stole the source code for Managed WordPress (MWP) in November 2021 and, later in December 2022, infected the cPanel hosting server with malware.
• The LockBit ransomware group took credit for an attack on the water utility at Águas e Energia do Porto, Portugal. The attack occurred on February 8; however, the security team was able to limit the extent of the damage. Meanwhile, the gang added the company to its leak site on February 18, and has threatened to publish the stolen data if the ransom demand is not fulfilled by March 7.
• Researchers came across multiple phishing attempts launched via malicious npm packages. Over 15,000 spam packages were dropped with tempting descriptions that promised free resources, game cheats, and likes on social media platforms. These packages were generated automatically using a Python script and hence closely resembled one another.
• A ransomware attack forced agricultural and food production giant Dole to shut down its food packaging and distribution operations across North America, The incident took place earlier this month, and even after two weeks, the company’s operations are still down across the U.S.
• Telus, one of the biggest telecommunications companies in Canada, became aware of a security breach after a threat actor uploaded private source code and employee data to the dark web for sale. The company has begun investigating the matter and has so far not found evidence of corporate or retail customer data being stolen. 
• Android voice chat app, OyeTalk, had inadvertently leaked unencrypted data through its unprotected Google Firebase instance. The leaked data includes usernames and cellphone IMEI numbers. It is believed that malicious actors could have deleted the dataset, resulting in a permanent loss of users’ private messages. 
• Lehigh Valley Health Network revealed that it suffered an attack by the BlackCat ransomware group. The unauthorized activity was detected on February 6 and involved a computer system used for patient images for radiation oncology treatment. The investigation to understand the full scope of the attack is underway.
• Australia-based retail firm, The Good Guys, confirmed that its customer data was compromised in a third-party breach at My Rewards. The affected data included names, email addresses, and phone numbers of customers.
• Unknown hackers stole internal data from the gaming giant Activision and published them on dark web forums. According to the firm, the hackers stole information such as full names, email addresses, phone numbers, salaries, work addresses, and home addresses of employees. 

New Threats

• A new version of Hardbit ransomware has been found asking for details on cyber insurance policies from victims as part of the negotiation process. This is a unique trick adopted by the operators so that their ransom demands are covered by the victim’s insurance company, without the involvement of intermediaries. 
• Malwarebytes Labs detected a Magecart skimmer that not only acquires the victim's email, address, phone number, and credit card details but also records their IP address and browser user agent. The skimmer code uses iframes that are loaded when the checkout page is accessed. 
• A new threat group called Clasiopa has been found using a distinct custom backdoor malware named Atharvan. The infection vector used by the group is unknown, although there is some evidence that the attackers gain access through brute force attacks on public-facing servers.
• Multiple threat actors have been found exploiting a now-patched critical security vulnerability in Zoho ManageEngine products since January 20. Tracked as CVE-2022-47966, the remote code execution flaw can allow a complete takeover of the susceptible systems by unauthenticated attackers.
• Researchers discovered multiple phishing pages related to OpenAI’s ChatGPT chatbot that pushed a variety of malware onto the victims’ systems. These websites were either disguised in the form of a legitimate tool such as ChatGPT Windows desktop client or promoted via Facebook. The malware distributed includes RedLine stealer and Lumma stealer.
• A new malware dubbed S1deloaded Stealer has been found leveraging the DLL sideloading tactic in an ongoing attack campaign to evade detection. The campaign targets YouTube and Facebook users, infecting their computers and hijacking their social media accounts to mine cryptocurrency. So far, more than 600 devices have been targeted in the campaign.
• Researchers discovered a new XMRig coin miner attack campaign that used trojanized versions of legitimate apps for Apple macOS, such as Final Cut Pro, Logic Pros, and Photoshop, to evade detection. The malware also made use of the Invisible Internet Project (i2p) to download malicious components and send mined currency to the attackers’ wallets.
• A previously unseen threat group, dubbed Hydrochasma, was found targeting medical labs and shipping companies in Asia. The activity has been ongoing since October 2022 and primarily relies on phishing emails. The tools deployed by the threat actors indicate a desire to achieve persistent and stealthy access to victim machines.