Cyware Weekly Threat Intelligence, May 16–20, 2022

The Good

• Singapore launched E-commerce Marketplace Transaction Safety Ratings, a scheme that assesses online marketplaces based on the type of anti-scam measures they take. The e-commerce platforms would also be accessed for the use of secure payment tools as well as the availability of dispute reporting and resolution mechanisms.
• The UK government published 2022 Civil Nuclear Cyber Security Strategy for the country’s civil nuclear sector that focuses on more testing, design-based security, enhanced resilience, and improved collaboration. The nuclear industry aims to achieve enhanced resilience by preparing better for and responding to incidents faster.
• The U.S. government and the EU have joined hands to take new initiatives to strengthen supply chain security, address disinformation and sanction evasions, and develop trustworthy AI and privacy-enhancing technologies. Both the parties will also exchange information on critical tech exports, with an initial focus on Russia and other sanctions-evading countries.
• Singapore set up the National Integrated Center for Evaluation (NICE) to evaluate and certify systems for cybersecurity strength. The $13.99 million facility will enhance software and hardware vulnerability assessment, physical hardware attacks, and security posture.

The Bad

• A server at Nikkei Group Asia, an overseas subsidiary of Nikkei Inc. based in Singapore, was compromised in a ransomware attack. Unauthorized access to the server was first detected and reported on May 13. The server supposedly stored some customer data, however, the exact impact of the attack is yet to be determined. 
• The new Costa Rican president announced that the country was at war with the Conti cybercriminal group. Officials had reportedly denied paying the $20 million ransom to the group. Meanwhile, Conti threatened to topple the government with cyberattacks and also claimed that it has the support of insiders from the government.
• An alleged data leak exposed the information of 22.5 million Malaysians born between 1940 and 2004. The database—160GB in size—was seemingly stolen from the National Registration Department (NRD) and is for sale on the dark web for $10,000. However, Malaysia's Home Minister claimed that NRD isn’t related to the alleged data breach.
• Pennsylvania-based Mercyhurst University was reportedly breached by the LockBit 2.0 gang. The threat actor claimed to have stolen data worth 300GB and the deadline for ransom payment is May 22. The attack affects both students and employees.
• Parker Hannifin leaked the personal data and PHI of employees and their dependents to an unauthorized third party in an alleged ransomware attack by Conti. The leaked information included records for the current and former employees enrolled in Parker's Group Health Plans. Hacker gained access to Parker Hannifin’s IT systems between March 11 and March 14.
• A cyberattack on Washington Local Schools affected the district’s internet, phone, WiFi networks, Google Classroom, and email addresses. The school district had announced to share an emergency phone number for each school as currently, teachers don’t have access to any calls or emails.
• An investigation by PRODAFT into Wizard Spider revealed that the threat actor has hundreds of millions of dollars in assets and is hiring cold callers to scare its victims into paying the ransom. The allegedly Russia-based group contains a complex set of sub-teams and groups as part of its infrastructure.
• Christus Health was targeted by the AvosLocker ransomware. Meanwhile, RefuahHealth and xNuLife Med also revealed falling victim to different cyberattack incidents, exposing personal data and sensitive healthcare data.
• Trend Micro researchers observed more than 200 apps on the Google Play Store that were found delivering the Facestealer spyware. The spyware aims to steal users’ passwords while being disguised in the form of apps related to fitness, photo editing, and other categories.
• The Bank of Zambia experienced a ransomware attack by the HIVE group that disrupted some of its operations. Officials have urged businesses in the financial sector to stay alert as the incident might impact them. Also, the bank has reportedly refused to pay the ransom.

New Threats

• A new threat, named Cryware, crippled multiple internet-connected cryptocurrency wallets for an irreversible theft of virtual currencies, warned Microsoft. With Cryware, attackers can gain access to hot wallets and immediately transfer funds to their own wallets.
• ShadowServer Foundation identified 381,645 Kubernetes API servers with “unnecessarily exposed attack surface” located across the U.S., Southeast Asia, Western Europe, and Australia. A vast majority of the exposed instances are running versions 1.17 through 1.22 on Linux/amd64 accounts.
• VMware alerted organizations about two critical bugs, tracked as CVE-2022-22954 (an RCE flaw) and CVE-2022-22960 (a privilege escalation flaw), that are under active exploitation, allegedly, by APT actors. They affect VMware Workspace ONE Access, vRealize Automation, and Identity Manager. The CISA has also urged federal agencies to patch the flaws.
• Microsoft discovered a campaign targeting SQL servers with built-in PowerShell binary to establish persistence on infected systems. Brute-force attacks are the initial attack vector and the malware is tracked by the name SuspSQLUsage. The motto of the campaign and the cybercriminals are unknown.
• The Jamf Threat Labs team discovered a new variant of the macOS malware tracked as UpdateAgent. First detected in late 2020, the Swift-based dropper imitates Mach-O binaries named "PDFCreator" and "ActiveDirectory" to establish a connection to a remote server.
• A new Chinese hacking group, named Space Pirates, is targeting organizations operating in the Russian aerospace industry. The group is believed to be associated with APT41, Mustang Panda, and APT27 and is infecting targets via phishing emails.
• SentinelOne discovered a new CrateDepression attack - a software supply chain attack in the crate registry of Rust programming language. The attack leverages typosquatting to publish a rogue library consisting of malware. The malicious dependency identifies environment variables, suggesting a singular interest in GitLab Continuous Integration pipelines.
• According to a GitHub advisory, a critical RCE flaw in Flux2, the continuous delivery tool for Kubernetes, can allow a third party in multi-tenancy deployments to impact ‘neighbors’ using the same off-premise infrastructure. The flaw arises through improper validation of kubeconfig files, which the third party can abuse to execute arbitrary code inside the controller’s container.
• Google's TAG has reported that a threat actor is developing exploits for five zero-days; four in Chrome and one in Android, to infect Android users. The adversary, as believed to be the case, is packaging and selling the exploits to different government-backed criminal groups across countries. Those groups were spotted weaponizing the bugs in at least three different campaigns.
• A security researcher uncovered a method to exploit a recently patched deserialization flaw in Microsoft SharePoint to conduct stage remote code execution (RCE) attacks. Microsoft patched the flaw, identified as CVE-2022-29108, in May’s Patch Tuesday updates. The researcher found that another bug in Microsoft SharePoint Server, tracked as CVE-2022-22005, could be used to trigger the same attack.
• WordPress websites were found at potential risk of cyberattacks after a large-scale attack abusing an RCE flaw in the Tatsu Builder plugin, tracked as CVE-2021-25094, was reported. Threat actors peaked with 5.9 million attempts per day on May 14. The extension is estimated to have between 20,000 and 50,000 installations.
• A new variant of the Sysrv botnet, dubbed Sysrv-K, was found scanning WordPress and Spring Framework for vulnerabilities to exploit. Its aim is to deliver cryptominer on vulnerable Windows and Linux servers. The flaws exploited have patches issued and the attackers are targeting old bugs in WordPress plugins, along with new ones, including CVE-2022-22947.