Cyware Weekly Threat Intelligence, June 20 - 24, 2022

The Good

• Members of the CISA have proposed an emergency number (311) for small and medium-sized businesses to handle cybersecurity incidents. The idea is among several recommendations the committee suggested to encourage the public to adopt cybersecurity best practices. The call line will help businesses bolster their IT defenses by offering immediate cybersecurity training.
• The U.S. President signed two bipartisan bills—Federal Rotational Cyber Workforce Program Act and State and Local Government Cybersecurity Act—to strengthen the government’s cybersecurity posture across the local, state, and federal levels.
• In a joint operation, Europol, along with Belgian and Dutch law enforcement authorities, has effectively dismantled a massive phishing operation that netted millions in illicit gains. The modus operandi started with an email, and text message containing a link to a phishing page. 
• The DOJ, along with German law enforcement, seized the infrastructure of the Russian RSOCKS botnet that has infected millions of devices across the world. The botnet leveraged brute-force attacks to compromise routers and other IoT devices which are then used to launch DDoS attacks.  

The Bad

• Google’s Threat Analysis Group has held RCS Labs responsible for installing spyware on smartphones of certain users in Italy and Kazakhstan. The spyware is distributed via a combination of tactics that also include the drive-by-download attack. 
• According to an advisory from the CISA, state-sponsored APT actors continue to exploit the well-known Log4Shell vulnerability to launch attacks. The agency has advised organizations to update all affected VMware Horizon and UAG systems to the latest versions.
• AvosLocker was found using several tools, including Cobalt Strike, Sliver, and commercial network scanners to expand its attack surface. The initial infection chain involved the exploitation of the Log4Shell vulnerability.  
• The operators behind the RIG exploit kit swapped the Raccoon Stealer malware with Dridex trojan for an attack campaign that has been active since January. The switch in the modus operandi comes in the wake of Raccoon Stealer temporarily closing its operation in February.
• A phishing email campaign spoofed MetaMask cryptocurrency wallet provider in an attempt to steal recovery phrases from Microsoft 365 users. The recovery phrases could later enable attackers to steal NFTs and cryptocurrency from compromised wallets. The phishing email used a Know Your Customer (KYC) verification request to lure recipients into sharing sensitive data.
• Ukrainian organizations have been subjected to new hacking attempts tailored to drop CredoMap malware and malicious Cobalt Strike beacons onto their networks. It is suspected to be the work of Fancy Bear and UAC-0098. The CredoMap malware is capable of stealing account credentials and cookies stored in Firefox, Edge, and Chrome web browsers. 
• Researchers stumbled upon a ransomware attack deploying zero-day exploits for vulnerabilities impacting Mitel VOIP appliances. The vulnerability is rated critical and affects Mitel Service Appliances – SA 100, SA 400, and Virtual SA. 
• Sensitive information of 1.1 million patients is reportedly affected due to a data breach at Indiana University Health Hospital. The breach took place in 2020. 
• BidenCash, a new carding site, is leaking credit card details and the information of their owners for as little as $0.15. The site admins also gave away a CSV database containing 6,600 credit cards for free, to promote their site.
• Conti cybercrime group ran one of its most aggressive operations to hack more than 40 companies in a little over a month. Security researchers codenamed the hacking campaign as ARMattack and revealed that it occurred between November 17 and December 20, 2021.
• The U.S subsidiary of Nichirin Co. was forced to halt some of its operations following a ransomware attack. According to the firm, the attack occurred on June 14 after attackers gained unauthorized access to its systems. 

New Threats

• Researchers discovered several malicious Python packages designed to exfiltrate AWS credentials and keys. The packages—loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils—were uploaded to a third-party software repository. 
• A new malware tool dubbed Quantum Lnk Builder has been spotted for sale on cybercrime forums. It can enable cybercriminal actors to build malicious Windows shortcut files. It also offers the capability to generate HTA and disk image payloads.
• A new version of Emotet is capable of using spreadsheets, documents, and other Microsoft programs to bypass security solutions. Indeed, this new Emotet malware has led to a nine-fold increase in the use of Microsoft Excel macros compared with what security experts found in the fourth quarter of 2021.
• Kaspersky revealed the tactics and techniques of a new APT group targeting high-profile entities in Europe and Asia. Named ToddyCat, the group has a distinct sign of using two new malware, called Samurai backdoor and Ninja trojan, in its attack campaigns. 
• Operation technology devices from 10 ICS vendors are found to be vulnerable to 56 new security flaws. Collectively called OT:Icefall, these flaws stem from insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.
• Check Point researchers have discovered a connection between the new Nimbda malware loader and the Tropic Trooper APT group. The attackers had used the loader, which is a variant of Yahoyah trojan, to deploy TClient backdoor in the final stage of the campaign.
• MEGA addressed multiple vulnerabilities in its cloud storage service that could have allowed threat actors to decrypt user data stored in encrypted form. According to researchers, the flaws can be abused in various ways, including Plaintext Recovery attack, Framing attack, Integrity attack, and Guess-and-Purge (GaP) Bleichenbacher attack.
• China-based APT groups Bronze Starlight and Bronze Riverside are using the HUI loader to spread ransomware to hide their cyber espionage campaigns. Bronze Starlight is reportedly delivering the LockBit 2.0, Atom Silo, Rook, Pandora, LockFile, and Night Sky ransomware families.
• ClearSky discovered a new malware associated with the Iranian SiameseKitten (Lyceum) group. The malware is distributed via a fake Adobe update. In some cases, fake Microsoft certificates were also used to propagate the malware.