
Cyware Weekly Threat Intelligence, January 30–February 03, 2023



The Good

The U.S. government is leaving no stone unturned to protect critical infrastructure from the risk of cyberattacks. In the latest development, CISA is establishing a new office to tackle supply chain security issues. The task force will be composed of federal government and industry representatives from the Information and Communications Technology (ICT) sector. Meanwhile, Singapore and the European Union have signed an agreement to drive collaboration across different digital platforms, including improving their cybersecurity standards.

  • CISA is establishing a new office to tackle supply chain security issues. The task force will be composed of federal government and industry representatives from the information and communications technology sector. With this initiative, the industry and its partners can put updated federal guidance and policies into practice.
  • Singapore has started labeling SMS messages sent by organizations that are not registered with the national SMS sender ID registry as ‘likely scam.’ The mandate will better safeguard users against potential scams and will also make it easier to trace the origin of scam messages sent to mobile users.
  • Singapore and European Union (EU) signed a partnership agreement to drive collaboration across multiple digital platforms. These include digital payments, trusted data flows, 5G, artificial intelligence (AI), and digital identities. The agreement also mentions improving and maintaining cybersecurity standards across these platforms.

The Bad

Beware! Emails and SMS messages that convincingly look like communications from well-known brands are being sent to users in a widespread BEC campaign that has been active since April 2021. Attributed to a newly identified threat actor called Firebrick Ostrich, the campaign is primarily focused on organizations in the U.S. That’s not all. Another BEC campaign is underway that redirects users to a fraudulent Microsoft phishing page. In other news, a car retailer and Guildford County School, both in the U.K., were targets of separate ransomware attacks that exposed the sensitive information of individuals.

  • Proofpoint researchers uncovered a malicious OAuth app campaign in which the attackers obtained Microsoft's "verified publisher" status, lending their consent prompts a legitimacy that satisfies some of Microsoft's OAuth app distribution requirements. The victims mainly appear to be U.K.-based organizations and individuals, including marketing and financial personnel and high-profile users.
  • Users searching for password managers were targeted in a malvertising campaign that leveraged Google Ads. The sponsored results displayed at the top of the search page redirected users to fake vendor sites built to steal their login credentials.
  • British car retailer Arnold Clark was targeted by the Play ransomware group that stole personal data such as names, contact details, dates of birth, vehicle information, and bank account details of customers. The investigation is ongoing to understand the precise extent and nature of the compromised data.  
  • The North Korean Lazarus group has been linked to the new ‘No Pineapple!’ cyberespionage campaign, which targeted organizations in the research, healthcare, chemical engineering, energy, and defense sectors. The attackers stole around 100GB of data from one of the victims.
  • Google Fi informed its customers that their personal details were impacted by a data breach, which is believed to be connected to the recent breach at T-Mobile. The exposed data included phone numbers, SIM card serial numbers, account status, account activation dates, and mobile service plan details.
  • A new DDoS-as-a-Service (DDoSaaS) platform named Passion was used in recent attacks targeting medical institutions in the United States and Europe. Although its origins are unknown, the operation has distinct ties to pro-Russian hacktivist groups such as Killnet, Mirai, Venom, and Anonymous Russia.
  • The Vice Society ransomware group claimed to have stolen sensitive data from Guildford County School in the U.K. After the attack, the gang posted several files containing sensitive information belonging to teachers and students. The school is yet to determine the full extent of the attack.
  • U.K.-based Planet Ice suffered a data breach that exposed the personal details of over 240,000 customers. The breach occurred after hackers gained unauthorized access to its Ice Account system.
  • The LockBit ransomware gang claimed responsibility for the cyberattack on ION Group. On January 31, the firm disclosed the incident, stating that it impacted ION Cleared Derivatives, a division of ION Markets.
  • More than 350 BEC campaigns impersonating 151 organizations have been identified since April 2021. These campaigns were launched by a financially motivated threat actor, called Firebrick Ostrich, who utilized 212 malicious domains in the process. 
  • Trend Micro researchers also observed a BEC campaign that is believed to have been running since April 2022. Linked to the Water Dybbuk threat actor, the campaign used a malicious JavaScript attachment that redirected users to a fraudulent Microsoft phishing page. 

New Threats

A series of new data-wiping malware such as SwiftSlicer and Nikowiper came to light this week as researchers unveiled the recent activities of the Russia-based Sandworm APT group. Variants of several known malware threats also emerged, with one of them coming from the LockBit ransomware operators. Called LockBit Green, the ransomware is designed to target cloud-based services. Three new variants of the Prilex PoS malware were also found using sophisticated methods to steal credit card information.

  • A new variant of the LockBit ransomware dubbed LockBit Green is capable of targeting cloud-based services. The variant resembles Conti ransomware v3. It uses a random extension rather than the standard .lockbit extension and the ransom note is identical to the one used by the LockBit Black variant.
  • This week, three new variants of the Prilex PoS malware, designed to pilfer credit card information, were observed. Tracked as 06.03.8080, 06.03.8070, and 06.03.8072, the versions have been modified to block NFC-based contactless payment transactions, forcing the customer to insert the card so that its data can be captured.
  • Check Point observed that over the last six years the TrickGate packer was used to deploy some of the most wanted malware families, including Cerber, TrickBot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, and AgentTesla. The packer was changed periodically, enabling its operators to stay under the radar for years.
  • Researchers shared technical details of a new Sh1mmer exploit that could allow attackers to gain root-level access to ChromeOS. Short for Shady Hacking 1nstrument Makes Machine Enrollment Retreat, the exploit can be used to bypass administrator restrictions and unenroll enterprise-managed Chromebooks.
  • The sophisticated HeadCrab botnet has infected at least 1,200 Redis servers for cryptomining. Running primarily inside Redis processes, the HeadCrab malware boasts numerous options and capabilities. Upon execution, it registers new Redis commands that let its operators carry out multiple malicious activities.
  • A threat actor named InTheBox is promoting over 1,800 phishing forms for Android on Russian cybercrime forums. These phishing forms are designed to steal credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps.
  • The ASEC analysis team recently discovered the distribution of the TZW ransomware in South Korea. The malware disguises itself as a normal program file related to boot information to spread across systems. 
  • A series of new data-wiping malware attacks against Ukrainian entities has been attributed to the Russian Sandworm APT. The wipers, dubbed SwiftSlicer and Nikowiper, overwrite critical files on targeted systems, thereby destroying Windows domains.
  • Malvertising attacks are being used to distribute .NET loaders dubbed MalVirt. The loaders include different anti-analysis techniques, notably KoiVM virtualization, and are used to deploy Formbook infostealer malware in the later stage of the campaign that is still ongoing. 
  • Android users in Southeast Asia are being targeted in a campaign that has been active since July 2022. The campaign distributes a banking trojan called TgToxic, which is capable of stealing victims’ assets from banking applications, cryptocurrency wallets, and other financial apps. The victims are targeted via phishing emails and SMS messages that carry malicious links.
  • Users of the GoAnywhere MFT software were warned of a zero-day remote code execution vulnerability that could allow malicious actors to attack exposed systems directly from the Internet. No security patch is available yet, so users have been asked to apply the vendor's mitigation recommendations to prevent exploitation.



Posted on: February 03, 2023
