Threat Briefing: April 26, 2023

Threat Intel Update

Multiple cyber events over the last several months have highlighted that cyber actors don’t always need the newest vulnerability or technology to launch an attack; instead, they often exploit older vulnerabilities or outdated and unpatched systems and pair them with new malware or ransomware variants. The exploitation of these older vulnerabilities and the targeting of unpatched systems show that the best way for Nelnet to get ahead of future cyber threats is to update and patch today, preventing attacks not just days or weeks from now, but years from now as well.

Cyber Attacks

3CX Attack Initial Vector Impacted Energy Sector and Financial Sector Entities, the North Korean cyber actors behind the compromise of 3CX had first compromised a software application called X_Trader, which was discontinued in 2020 but remained available for download through spring of 2022. The trojanized X_Trader application was downloaded onto the computer of a 3CX employee and used to gain further access to the 3CX network; the malicious version of X_Trader was also downloaded by two entities in the energy sector and two financial services businesses involved in financial trading. North Korea’s attack is an example of a supply-chain attack resulting in a second supply-chain attack, possibly representing a shift in their tactics. The Hacker News

Russian State-Sponsored Actors Exploited 2017 Cisco Vulnerability to Deploy Jaguar Tooth Malware, in 2021 the attacks by APT 28, associated with Russia’s military intelligence unit, were focused on entities in Europe and U.S. government agencies. APT 28 exploited the Simple Network Management Protocol (SNMP), which allows network administrators to monitor or configure network devices, to gain access to Cisco routers. The Jaguar Tooth malware deployed on victim devices is used to collect additional information from those devices, which is then transferred over the Trivial File Transfer Protocol (TFTP). National Cyber Security Centre

Cyber Actors Demand 8-Figure Ransom from Western Digital, Stole 10TB of Data Including Executive Data and Cloud Infrastructure Information, the actors also claimed to have compromised the company’s code-signing certificate and have threatened to publish the data if a payment isn’t received. The breach of Western Digital occurred in late March 2023 and temporarily disrupted access to Western Digital’s cloud service for approximately a week. The cyber actors provided screenshots to verify the data they had taken from Western Digital. While the actors behind the group haven’t been identified, they claim to have a professional relationship with the ALPHV ransomware gang. Dark Reading

March 2023 Saw Highest Number of Ransomware Attacks in a Month, Increase Associated with Exploitation of Vulnerability Impacting Fortra GoAnywhere MFT File Tool, the CLOP ransomware group was the most prolific group, associated with 129 attacks during March of 2023, with LockBit 3.0 and Royal also accounting for significant ransomware incidents. The majority of businesses impacted were in professional and commercial services, engineering, construction, aerospace, construction supplies, and logistics, and almost half of the attacks impacted businesses in North America. Bleeping Computer

Network Infrastructure Provider, CommScope, Victim of Vice Society Ransomware Attack, the attack occurred during late March and resulted in the loss of company information; however, it did not disrupt the company’s services. Data stolen from CommScope was posted on Vice Society’s data leak site, including bank documents, company files, and employee passports. Vice Society has previously focused its efforts on ransomware attacks against educational institutions. The Record

Windows Zero-Day Vulnerability Exploited to Deploy Nokoyawa Ransomware, the vulnerability, CVE-2023-28252, is a privilege escalation flaw in the Windows Common Log File System driver and can be addressed by applying the patch made available in Microsoft’s April 2023 Patch Tuesday updates. The Nokoyawa ransomware variant has been around since February 2022 and shares code similarities with the Karma and Nemty ransomware variants. Security Week

Cyber Financial Fraud & Crime

Australian Financial Fraud Losses Exceed $3.1 Billion in 2022, the Australian Competition and Consumer Commission reported an increase in 2022 compared to the $2 billion lost in 2021. The largest source of losses was investment scams, with $1.5 billion in losses, while remote access scams accounted for $229 million in losses. The average loss per scam also increased, from approximately $12,000 in 2021 to approximately $19,000 in 2022, with over 500,000 complaints submitted in 2022. The Guardian

North Korean Foreign Trade Bank Official Indicted for Using Cryptocurrency to Launder Funds for North Korea, the North Korean official was charged with working with over-the-counter cryptocurrency traders to use cryptocurrency stolen from cryptocurrency exchanges to buy items for the North Korean government through Hong Kong shell companies. Additionally, the individual worked with North Korean information technology workers who used fake personas to get jobs at U.S.-based companies and were paid in cryptocurrency, which was then laundered to benefit North Korea. U.S. Department of Justice

Indian Government Convicts 11 Individuals for Supporting North Korean Cyber Attack Against India’s Cosmos Cooperative Bank, on two separate occasions North Korean cyber actors targeted the bank’s ATM infrastructure. The cyber actors were able to disrupt ATM operations, and money mules supporting the operation then used cloned Visa debit cards to carry out 12,000 transactions, resulting in $10 million in losses. Bank Info Security

Cyber Compliance, Enforcement, & Policy

Proposed Legislation Would Increase Cybersecurity Cooperation Between U.S. and Taiwan Governments, as part of the legislation, the U.S. would conduct cyber training and assist Taiwan with disrupting Chinese cyber attacks directed against Taiwan. The legislation would also rely on U.S. cybersecurity technology to help bolster Taiwan’s cyber defenses. MSN

GitHub Repository Hosting RedLine Stealer Malware Removed, cybersecurity researchers identified that the control panel for RedLine utilized four GitHub repositories and informed GitHub’s owner, Microsoft, of the discovery. GitHub then suspended the repositories, disrupting RedLine’s operation; the lack of a fallback channel will force RedLine’s developers to create new panels to support users of the RedLine malware. Security Week

New Proposed Legislation Would Increase CISA Support for Primary and Secondary Schools to Combat Cyber Attacks, this would include establishing a new cybersecurity information exchange for collaboration between K-12 schools and providing financial support to K-12 schools. The proposed legislation would also create a voluntary registry for K-12 schools to track cybersecurity attacks directed against K-12 schools. NextGov

Russian National Sentenced to Time Served for Role in Laundering Cryptocurrency for Ryuk Ransomware Group, Denis Dubnikov pleaded guilty to money laundering in February 2023 for his role in supporting Ryuk between 2018 and 2021. Dubnikov was specifically tied to laundering $400,000 in ransomware proceeds from a victim in the U.S.; other members of the group laundered over $70 million obtained from Ryuk’s ransomware activity. Security Week

Quadrilateral Security Dialogue Working to Strengthen Cyber Information Sharing on Critical Infrastructure, the group, made up of the U.S., Australia, Japan and India, is working on a new information sharing agreement. As part of the agreement, information obtained from private sector operators of critical infrastructure would be shared with the cybersecurity agencies of the other member governments. In addition, there would be greater collaboration on establishing baseline security requirements and greater interoperability of systems. Info Security Magazine

Cyber Vulnerabilities

Resale of Corporate Routers Provides Opportunity to Gain Access or Steal Company Data, a test of 18 used core routers made by Cisco, Juniper Networks, and Fortinet found information such as VPN or IPsec credentials, hashed root passwords, and router-to-router authentication keys still present on the devices, despite some of the routers having been wiped by specialized disposal services. Security Week
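Two items in this briefing point at the same defensive control: the SNMP abuse against Cisco routers (Jaguar Tooth) and the secrets found on resold core routers. Both are caught by reviewing the running configuration before a device goes into production and again before it leaves the building. The script below is an added illustration, not part of the briefing or any vendor tool: it scans a Cisco IOS-style configuration text for well-known SNMP community strings, read-write communities, communities with no access list, SNMPv3 groups without authentication, IPsec pre-shared keys, router-to-router authentication keys, and reversible or hashed local passwords. The sample configuration, hostnames, addresses and key values are constructed for the example.

```python
"""Audit a Cisco IOS-style running config for SNMP exposure and residual secrets.

Added example; assumes the common IOS text config format. Everything in
SAMPLE_CONFIG is constructed for illustration and is not from a real device.
"""
import re
from collections import Counter

# Constructed sample config (hostname, addresses, hashes and keys are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
enable secret 5 $1$abcd$XXXXXXXXXXXXXXXXXXXXXX
username admin password 7 0822455D0A16
snmp-server community public RO
snmp-server community private RW
snmp-server group NETOPS v3 priv
crypto isakmp key SuperSecretPSK address 203.0.113.10
key chain OSPF-AUTH
 key 1
  key-string 7 104D000A0618
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Community strings that ship as defaults in many products; they are the first
# guesses in any SNMP sweep and should never survive on a production device.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

TYPE7_RE = re.compile(r"\bpassword 7 \S+")  # IOS type 7 is a reversible encoding


def scan_config(text: str) -> list[tuple[str, int, str]]:
    """Return (severity, line_number, message) findings for one config text."""
    findings: list[tuple[str, int, str]] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        if line.startswith("snmp-server community"):
            community = tokens[2]
            # Locate the RO/RW keyword; IOS defaults to RO when it is omitted.
            idx = next((i for i, t in enumerate(tokens) if t.upper() in ("RO", "RW")), None)
            mode = tokens[idx].upper() if idx is not None else "RO"
            # A token after RO/RW is the access list restricting which managers may poll.
            has_acl = idx is not None and len(tokens) > idx + 1
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("HIGH", n, f"default SNMP community '{community}'"))
            if mode == "RW":
                findings.append(("HIGH", n, f"SNMP RW community '{community}' permits config changes"))
            if not has_acl:
                findings.append(("MEDIUM", n, f"SNMP community '{community}' not restricted by ACL"))
        elif line.startswith("snmp-server group") and "v3" in tokens and "noauth" in tokens:
            findings.append(("MEDIUM", n, "SNMPv3 group configured without authentication"))
        elif line.startswith("crypto isakmp key"):
            findings.append(("HIGH", n, "IPsec pre-shared key present in config"))
        elif line.startswith("key-string"):
            findings.append(("HIGH", n, "router-to-router authentication key present"))
        elif line.startswith("enable password"):
            findings.append(("HIGH", n, "'enable password' stores the password in a weak form; use 'enable secret'"))
        elif line.startswith("enable secret"):
            findings.append(("LOW", n, "enable secret hash present; crackable offline if the config leaks"))
        elif TYPE7_RE.search(line):
            findings.append(("MEDIUM", n, "type 7 password is reversible; use 'secret' instead"))
    return findings


def summarize(findings: list[tuple[str, int, str]]) -> dict[str, int]:
    """Count findings per severity, e.g. {'HIGH': 5, 'MEDIUM': 3, 'LOW': 1}."""
    return dict(Counter(sev for sev, _, _ in findings))


def clean_for_disposal(text: str) -> bool:
    """A device leaving service should produce no findings at all."""
    return not scan_config(text)


if __name__ == "__main__":
    for sev, n, msg in scan_config(SAMPLE_CONFIG):
        print(f"{sev:<6} line {n:>2}: {msg}")
    print(summarize(scan_config(SAMPLE_CONFIG)))
    print("safe to dispose:", clean_for_disposal(SAMPLE_CONFIG))
```

Run it against `show running-config` output captured from a lab device; the same scan, run on a device that a disposal service reports as wiped, is the check that would have caught the residual VPN and authentication keys described above. Replacing v1/v2c communities with SNMPv3 `auth`/`priv` groups and an ACL-restricted management source removes the class of access abused in the Cisco router campaign.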

Action1 Remote Monitoring and Management Tool Used to Facilitate Ransomware Attacks, a cyber group known as Monti has been associated with the attacks. After Action1 is installed on victim systems, a policy is created to automate the execution of several binaries for PowerShell and Command Prompt. Action1 is available for free for use on up to 100 endpoints, so it provides a cheap tool for cyber actors. Cyware

Two Cybercrime Groups Team Up to Develop Domino Malware, Designed to Support Follow-On Exploitation, the malware was developed by former members of the Conti ransomware group and the FIN7 cyber group. Domino is deployed using a loader known as Dave, a crypter previously associated with Conti. Domino comes in two parts: a backdoor which sends system information to its C2, and a loader which contains an encrypted .NET information stealer called Project Nemesis. Project Nemesis is used to capture data from crypto wallets, VPN services, Discord, and web browsers. The Hacker News

Weak Passwords and Unsecured APIs Exploited by Cyber Actors to Gain Access to Google Cloud Accounts, approximately half of security incidents for Google Cloud customers were due to weak passwords. Additionally, the compromise of weakly secured APIs allowed cyber actors to gain access to a company’s systems and accounted for one-fifth of security incidents. Compromised Google Cloud accounts also allow cyber actors to store malware and support phishing campaigns. Cyberscoop

Vice Society Ransomware Group Utilizes PowerShell Script to Facilitate Data Theft and Support Detection Evasion, the use of a PowerShell script avoids the need for external tools which could be detected through security tools and reviews. The script excludes files belonging to security solutions, system files and backups, prioritizes data over 10 KB, and then exfiltrates the data over HTTP. The Hacker News

Geopolitical News

U.S. Government Disrupted Iranian Cyber Actors Who Accessed Local Government Infrastructure Supporting the 2020 U.S. Elections, following CYBERCOM’s detection of Iranian activity on a city government’s infrastructure used to record election results, CYBERCOM worked with CISA to remediate the incident. CYBERCOM worked to disrupt the Iranian cyber actors’ access and remove them from the local government’s system. The Record

15 Russian Diplomats Expelled from Norway Due to Espionage Concerns, following a review of the individuals’ activities by the Norwegian government, the individuals were suspected of using their diplomatic status to engage in covert intelligence activities. Despite not being a member of the European Union, Norway has also carried out sanctions against Russia in response to Russia’s actions in Ukraine. BBC News

NATO Cyber Defense Exercise Increases International Cyber Engagement and Cooperation, the exercise included participants from 38 countries, up from 32 in 2022, and over 3,000 individual participants, and tested the ability of participants to defend against a simulated real-time attack while addressing forensic and legal issues. The increase in participants is likely fueled by Russia’s activity in Ukraine and Russia’s cyber activity against European countries. Security Week

Ukraine Government Officials Call for Destructive Russian Cyber Attacks to be Referred to International Criminal Court, the Ukrainian official called for those responsible for Russian attacks against schools and power plants to be charged as war criminals. While attribution to specific individuals may be challenging, joint investigative efforts between Ukraine and the U.S. have helped to provide more details following attacks against Ukrainian targets. Whether cyber attacks can be prosecuted as war crimes is something that has been debated by international legal experts. The Record

Ideologically Motivated Russian Hacktivists Likely to Increase Attacks Against Critical Infrastructure, these cyber actors are state-aligned but are not controlled by the Russian government. While these cyber actors have previously engaged in website defacements or DDoS attacks, there has been some indication they are looking to launch destructive attacks against critical infrastructure in Western countries. National Cyber Security Centre

Content from this threat briefing was provided by Nelnet’s CyberSecurity Threat Intel.

About the Author

CampusGuard Threat Intel Team