Threat Briefing: September 1, 2023

Law enforcement and private sector organizations around the world have had some recent successes disrupting cyber actors while shedding light on malicious cyber activity. As cybersecurity is a constantly-evolving topic, these successful disruptions will likely give way to new cyber actors stepping in to fill the void. Identifying, defending, and responding to cyber actors requires a sustained effort, especially as cyber criminals look for new ways to circumvent cyber defenses. This Threat Briefing contains a couple of articles highlighting how one of the most targeted instruments by cyber actors can be your mobile device as it can contain valuable information about you and acts as a gateway to gaining access to additional useful data.

Cyber Actor Exploiting Vulnerability with Citrix NetScaler to Conduct Ransomware Attacks – The cyber actor group FIN8 has exploited the vulnerability which was identified in mid-July to launch attacks. As of early August, over 1,900 NetScaler devices were identified as being compromised due to the vulnerability. Dark Reading

Unknown Cyber Actors Exploiting Rust Programming Language Registry to Upload Malicious Packages Designed to Steal System Information – The data is then transmitted to a Telegram channel via API. There were seven malicious packages identified as part of the campaign which were uploaded to the library in mid-August. The Hacker News

DarkGate Malware Now Offered for Rent, Utilized to New Support New Malspam Campaign – The DarkGate malware can steal data from web browsers, escalate privileges, and evade security detection. The operators of DarkGate have offered subscriptions to the service, ranging from $15,000 per month to $100,000 per year. The Hacker News

Scam-as-a-Service Operation “Classicscam” Expands Capabilities to Collect Banking Credentials – The operation utilizes Telegram to communicate between actors and has been exploited to facilitate phishing activity used to steal credit card information and promote malicious ads. Since its inception in 2019, Classicsam has been linked to over $64.5 million in illicit financial activity and has been used by almost 400 different cyber actor groups. Bleeping Computer

SIM Swapping Attack Utilized to Compromise U.S. Company to Gain Access to PII of Customers at Three Cryptocurrency Companies – An unknown cyber actor convinced an employee of a U.S. cellular carrier to port a telephone number for the employee at a U.S. risk and advisory firm to a telephone controlled by the cyber actor. Once the cyber actor had access, they were able to access the PII of users from three different cryptocurrency companies who are clients of the U.S. risk and advisory firm. Dark Reading

New Malware Targets Android Devices, Looking to Compromise Devices and Engage in Fraud Targeting Customers of Banks in Southeast Asia – Once the malware, called MMRat, is installed it collects information on the user’s device and can modify device settings. The malware has utilized fictitious websites to support the distribution of MMRat. Security Week

U.S. and Five Eyes Allies Release Details on Malware Used by Russian Government Cyber Unit Known as “Sandworm” – The malware called “Infamous Chisel” has been used to conduct cyber operations against the Ukrainian government. The malware has focused on gaining access to Android devices used by members of the Ukrainian military in order to gain intelligence to support Russia’s military operations against Ukraine. CyberScoop

Meta Disrupts Chinese Sponsored Influence Campaign Operating on Facebook and Instagram – The campaign, known as “Spamoulfage” or “Dragonbridge,” was the largest disruption effort conducted by Meta. The campaign began operations in 2019 and expanded to other non-Meta platforms, such as YouTube, Reddit, and X, and was directed at individuals in the U.S., Australia, and the U.K. Dark Reading

QakBot Network Disrupted by Multinational Law Enforcement Operation – The long-running botnet was disrupted in a joint effort between U.S. and European law enforcement agencies. As part of the operation, law enforcement was able to repurpose the QakBot infrastructure to send an update removing QakBot from victim’s machines. As part of the operation, over $8 million in cryptocurrency was seized from the operators of QakBot. The Record