Get A Quote
Written by Hitachi Systems Security on 24 February 2023

Weekly News February 24, 2023

New threat actor Hydrochasma targets Medical and Shipping Organizations in Asia

Hydrochasma, is a threat actor named by Symantec after leading a campaign targeting shipping companies and medical laboratories in Asia since at least October 2022. The goal of this campaign seems to be intelligence gathering, while phishing email campaigns is the modus operandi.

Tools deployed by Hydrochasma seek remote access, escalation of privileges and spread laterally across victim networks, which could potentially be used to exfiltrate data. Threat actors were able to deploy several tools that allowed them to move around the victim’s network and expose local servers for a takeover.

Searchers note a lack of custom malware used in this attack that could provide clues on the threat actor, relying on publicly available tools.

Growth in ChatGPT-based phishing attacks

Cybercriminals have taken advantage of the Chat GPT craze to create fake fraudulent payment pages on social media, spread malware and conduct other cyberattacks.
According to Cyble Research and Intelligence Labs (CRIL), threat actors have created similar domains (typosquatting), posing as the official site, mimicking the ChatGPT icon and name. The goal is to trick users into believing that this is the authentic application, in order to steal their sensitive information.
CRIL identified that these phishing sites distributed malware such as Lumma Stealer, Aurora Stealer, clipper malware, etc.

Hardbit needs your cyberinsurance details for customizable pricing

Hardbit 2.0 wants victims to disclose their insurance policies to adjust their pricing to match the insurance’s policy. Thus, increasing the amount most likely to be obtained for the group. It is suggestable that the group may lack certain skills that restrict them to not be able to access the victims’ insurance policies from within the infrastructure. Once the group have encrypted the data, the victim has 48 hours to contact the group to discuss the price. Hardbit does not recommend third party intervention to keep the cost low.  Hardbit does not have a known leaksite but do threaten to publish stolen data if the ransom is not paid. Instead of a leaksite, they may well be auctioning the data or through private sells.

Half of the apps are found to have high level risk vulnerability due to Open source code

Over the last two years, the number of vulnerable open-source codebases remains high but the high-risk vulnerabilities have dropped to its lowest in four years. Open-source components and their dependencies are a security problem for developers and software markers. The vulnerabilities can be very hard to find. Nearly one in eight applications have more than 10 different version of a specific codebase which are then all important from various component and dependencies, this means that there are a lot of opportunities for bugs and vulnerabilities to be part of the software or application. We recommend checking the last update on the open-source code before using it; if the code has not been modified in years, they represent a security risk as the project is no longer maintained and out of date.

New Malware as a service named StealC.

The unfortunate popularity of Stealerlogs is not denied by the arrival of a newcomer in this market, called "Stealc". Like the most popular stealerlogs, such as Vidar, Raccoon, Mars or Redline, on the basis of which it was developed, StealC presents itself as operational and ready for use. It was discovered on the DarkWeb in January 2023 by the firm SEKOIA.IO during a routine surveillance, and by the way, its alleged developer, known as Plymouth. This information suggests that this newcomer to the stealerlogs market could be a serious competitor to other malware and reinforce a nefarious dynamic.

Our recommendations :

  • Identify which domain you want to monitor and how critical it would be for a malicious to access it.
  • Shut down your website to minimize the risk in case of suspicions of access as admin or VIP.
  • Try to identify the user in question.
  • Reset passwords.

Related Posts

Don't Wait.
Get a quote today.

Toll Free 1 866-430-8166Free Quote
Secure Your Organization Today.
phone-handsetcrossmenu