Cybersecurity Trends April 2023: Threat Intelligence Report
Phishing and Malware trends and statistics
[Charts: newly registered domains; confirmed new phishing domains; new potential similar domains]
During the month of April, FYEO discovered a total of 681K (Thousand) newly registered domains across all top-level domains. Of these, 174 were considered similar domains and are likely squatting domains, i.e. domains registered because they resemble a well-known brand or organization, with the intention of using them for malicious purposes such as phishing attacks.
A further 3.3K (Thousand) of the newly registered domains were identified, by manual content scanning and analysis, as actively serving fake websites and phishing content, and another 14K (Thousand) were identified as serving malware-related files and content.
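To make the "similar domain" idea above concrete, here is an added example of the kind of first-pass triage a defender can run over a newly-registered-domain feed. It is not FYEO's code or pipeline; the brand watchlist, the homoglyph table and the domain feed are constructed sample data, and the helper names (normalize, levenshtein, candidate_tokens, match_brand, flag_lookalikes) are this example's own. It flags a domain when a label or hyphen-separated part equals a watched brand after undoing common digit/letter substitutions, contains the brand, or is one edit away from it.

```python
"""Lookalike-domain triage over a newly-registered-domain feed.

Added example, not FYEO's code. The brand watchlist and the domain feed
are constructed sample data; a real feed would come from zone files or
certificate-transparency logs.
"""
from __future__ import annotations

from typing import Optional

# Constructed brand watchlist (assumption: these are the names to protect).
BRANDS = ["paypal", "microsoft", "kucoin", "papercut"]

# Constructed sample of one day's newly registered domains.
NEW_DOMAINS = [
    "paypa1-login.com",               # digit-for-letter substitution
    "micros0ft-support.net",          # digit-for-letter substitution
    "kucoinevent.com",                # brand embedded in a longer label
    "gardening-tips.org",             # benign
    "papercut-license.example.net",   # brand as a hyphenated part
    "bakery-boston.com",              # benign
    "rnicrosoft.com",                 # 'rn' mimics 'm'
    "micosoft.com",                   # one character dropped
]

# Common substitutions seen in squatting; multi-character ones first so
# "rn" is handled before the single characters inside it.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Lowercase a DNS label and undo the substitutions in HOMOGLYPHS."""
    out = label.lower()
    for src, dst in HOMOGLYPHS:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def candidate_tokens(domain: str) -> list[str]:
    """Hyphen-separated parts of every label below the TLD, then the whole
    label. Assumption: no public-suffix list, so the last label is treated
    as the TLD (co.uk-style suffixes would need a real list)."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    tokens: list[str] = []
    for label in labels:
        tokens.extend(p for p in label.split("-") if p)
        if "-" in label:
            tokens.append(label)
    return tokens


def match_brand(domain: str, brands: list[str] = BRANDS) -> Optional[tuple[str, str]]:
    """Return (brand, reason) for the first watched brand the domain imitates,
    or None if nothing matches."""
    for token in candidate_tokens(domain):
        norm = normalize(token)
        for brand in brands:
            if norm == brand:
                return (brand, "brand-token")
            if len(norm) > len(brand) and brand in norm:
                return (brand, "contains-brand")
            # Edit distance 1 only for longer brands; short names such as
            # four-letter brands would match far too many ordinary words.
            if len(brand) >= 6 and levenshtein(norm, brand) == 1:
                return (brand, "edit-distance-1")
    return None


def flag_lookalikes(domains: list[str], brands: list[str] = BRANDS) -> dict[str, tuple[str, str]]:
    """Map each flagged domain to the (brand, reason) that triggered it."""
    flagged = {}
    for d in domains:
        m = match_brand(d, brands)
        if m is not None:
            flagged[d] = m
    return flagged


if __name__ == "__main__":
    for domain, (brand, reason) in flag_lookalikes(NEW_DOMAINS).items():
        print(f"{domain:32} -> {brand} ({reason})")
```

On the constructed feed this flags six of the eight domains and leaves the two benign ones alone. Anything it flags is a candidate for the manual content review the report describes, not a verdict: a real pipeline would add a public-suffix list, a larger substitution table and a rate limit on how many brand names are compared per domain.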
Data leaks and credentials statistics
[Charts: reported leaked credentials; reported leak sources; FYEO indexed sources; FYEO indexed credentials]
April 2023 saw over 120 security incidents that resulted in the compromise of more than 4M (Million) records. The biggest data breach of the month occurred at Shields Health Care Group, where over 2M (Million) records were compromised.
During the month, FYEO indexed and gathered a total of 639K (Thousand) leaked credentials from 223 sources, collected through open sources and public releases.
Regarding the collection statistics, it is worth noting that there is generally a large delay between a breach and the publication of the hacked data. The data collected by FYEO is therefore most likely not from the same sources that were reported hacked during the month.
Ransomware groups responsible for the recent attacks on PaperCut
PaperCut is print management software that is compatible with major printer brands and platforms and is used by large organizations, government agencies, and educational institutions. Recently, the Clop and LockBit ransomware groups exploited two vulnerabilities in the PaperCut Application Server, which allowed them to access and steal corporate data. These vulnerabilities, CVE-2023-27350 and CVE-2023-27351, were fixed by PaperCut after the attacks.
The company also warned that these flaws were being actively exploited in the wild and advised users to update their servers. According to Microsoft, the threat actors have been exploiting the PaperCut vulnerabilities since April 13th to gain initial access to corporate networks; once inside, they deployed the TrueBot malware, which has previously been linked to the Clop ransomware operation.
These attacks highlight the importance of promptly patching vulnerabilities in software and implementing robust security measures to prevent and mitigate cyber attacks. They also underscore the need for ongoing cybersecurity training and awareness among employees to help prevent phishing attacks and other social engineering tactics that threat actors often use to gain access to sensitive data.
FYEO is actively monitoring the deep web and ransomware groups. By monitoring the activities of known ransomware groups, such as their tactics, techniques, and procedures, the FYEO Domain Intelligence platform can alert an organization to any suspicious activity that may indicate an impending attack. This early warning can give the organization time to strengthen its security measures, update its software, and educate its employees to avoid falling victim to a ransomware attack.
Password managers are ViperSoftX's new target
A recently discovered version of the information-stealing malware known as ViperSoftX has expanded its targets to include popular password managers such as KeePass and 1Password. Furthermore, ViperSoftX now targets more cryptocurrency wallets and additional web browsers apart from Chrome.
The newest version of ViperSoftX uses stronger code encryption and includes features to evade detection by security software. ViperSoftX is an information-stealing malware that takes various data from infected computers. It is known to install a malicious extension, named VenomSoftX, in the Chrome browser. The latest version of the malware also targets the Brave, Edge, Opera, and Firefox browsers. It usually arrives as software cracks, activators, or key generators, disguised as benign software.
ViperSoftX's latest version includes several features that make it difficult to detect and analyze. It now uses DLL sideloading to execute on the target system in the context of a trusted process, thereby avoiding detection. Upon arrival, the malware checks for specific virtualization and monitoring tools such as VMware or Process Monitor, and for antivirus products such as Windows Defender and ESET, before proceeding with the infection routine. One notable feature of the malware is its use of "byte mapping" to encrypt its code. This technique remaps the arrangement of shellcode bytes, making decryption and analysis without the correct map more challenging and time-consuming.
At FYEO, we see the discovery of the new version of ViperSoftX as yet another example of the ever-evolving nature of cyber threats. The malware's increased capabilities, including its ability to target a broader range of password managers and cryptocurrency wallets and its support for more browsers, make it more dangerous than ever before. The fact that ViperSoftX is using byte mapping to encrypt its code highlights the importance of having robust security measures in place that can detect and prevent such advanced malware.
KuCoin's Twitter page compromised by cybercriminals to promote fake crypto investment opportunity
KuCoin experienced a security breach when its official Twitter account was hacked, enabling cybercriminals to promote a cryptocurrency scam. The scam led to the loss of over $22.6K (Thousand) worth of cryptocurrency. While the hack lasted only 45 minutes, that was enough time for the attacker's scam site to receive 22 Bitcoin and Ethereum transactions. In an official statement, KuCoin said that all users' assets on the platform remain secure and promised to fully reimburse verified losses resulting from the hack. The scammers used the common approach of a fake giveaway on kucoinevent[.]com, promising to airdrop 5K (Thousand) Bitcoin and 10K (Thousand) Ethereum to celebrate reaching 10M (Million) users. To lend credibility to the fake promotion, the attackers posted fake comments from supposed participants.