TIMELINE OF NOTABLE CYBER EVENTS - H1 2023

January
  • Researchers have discovered a previously unknown Linux malware that exploits 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript into websites built on the WordPress CMS (Content Management System). The malware targets both 32-bit and 64-bit Linux systems and gives its operator remote command capabilities.
  • Check Point Harmony Endpoint provides protection against this threat (Backdoor_Linux_WordPressExploit_B).
  • Check Point Research reports that threat actors on hacking forums have started using AI tools such as ChatGPT to create malware and attack tools such as info-stealers and encryptors.
  • Britain’s international mail service, Royal Mail, has had its operations disrupted by a cyberattack. The service has instructed its users not to post mail, as it is unable to dispatch packages to their destinations. The LockBit ransomware gang has been confirmed as the perpetrator of the attack, and is threatening to leak stolen data if its ransom demand is not met.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Lockbit).
  • Check Point Research reported attempts by Russian cybercriminals to bypass OpenAI’s restrictions in order to use ChatGPT for malicious purposes. In underground hacking forums, hackers are discussing how to circumvent the IP-address, payment-card and phone-number checks that currently block access to ChatGPT from Russia.
February
  • Check Point Research has flagged the Dingo crypto token, with a market cap of $10,941,525, as a scam. The threat actors behind the token added a backdoor to its smart contract to manipulate the fee: the “setTaxFeePercent” function in the token’s contract code lets them raise the buying and selling fees to an alarming 99%. The function has already been called 47 times, and Dingo Token investors risk losing all their funds.
  • Arnold Clark, one of Europe’s largest car retailers, has been the victim of a Play ransomware attack. The threat actors claim to hold 467GB of data including names, contact details, dates of birth, vehicle information, passports or driver’s licenses, national insurance numbers, and bank account details.
  • Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.PLAY.A).
  • Check Point Research exposed two malicious code packages, Python-drgn and Bloxflip, distributed by threat actors, leveraging package repositories as a reliable and scalable malware distribution channel.
  • Check Point’s researchers found that threat actors are working around ChatGPT’s restrictions to create malicious content and to improve the code of a basic infostealer from 2019.
  • Check Point Research identified a campaign against entities in Armenia, using a new version of OxtaRAT – an AutoIt-based backdoor for remote access and desktop surveillance. The threat actors have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years, amid rising tensions between Azerbaijan and Armenia over the Lachin corridor.
  • Check Point Threat Emulation and Anti-Bot provide protection against this threat (Trojan.Win.OxtaRAT.A; Trojan.WIN32.OxtaRAT).
  • Community Health Systems, one of the leading healthcare providers in the US, has confirmed that it was affected by the recent attacks targeting a zero-day vulnerability in Fortra’s GoAnywhere MFT file transfer platform, revealing that the breach exposed personal information of almost 1 million patients.
  • Check Point IPS provides protection against this threat (GoAnywhere MFT Insecure Deserialization).
  • Microsoft has released security updates for a total of 77 flaws in the latest Patch Tuesday. Nine vulnerabilities are classified as ‘Critical’ because they allow remote code execution on vulnerable devices, and three are actively exploited in attacks (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376).
  • Check Point IPS provides protection against these threats (Microsoft Windows Graphics Component Elevation of Privilege (CVE-2023-21823); Microsoft Office Security Feature Bypass (CVE-2023-21715); Microsoft Windows Common Log File System Driver Elevation of Privilege (CVE-2023-23376), among others).
  • One year into the Russia-Ukraine war, Check Point Research marks September 2022 as a turning point: weekly cyber-attacks against Ukraine decreased by 44%, while cyber-attacks against some NATO countries increased by nearly 57%. Further analysis of the year lists wipers and hacktivism as key trends.
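The Dingo Token item above describes a fee-setter backdoor. As an added illustration (not the Dingo Token contract’s source, which this page does not reproduce), the Solidity sketch below shows that pattern next to a hardened form. The contract names, the 5% ceiling and the two-day notice period are assumptions chosen for the example:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only (assumption: not the Dingo Token source).
// "Backdoored" is the pattern described above: the owner may set the transfer
// tax to any value, including 99%, at any moment. "Hardened" caps the tax and
// delays changes so holders can exit before a new fee takes effect.

contract TaxedTokenBackdoored {
    address public owner;
    uint256 public taxFeePercent = 2;            // 2% on every transfer
    mapping(address => uint256) public balanceOf;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // Backdoor: no upper bound. Setting this to 99 confiscates 99% of every
    // sale while the contract still looks like an ordinary taxed token.
    function setTaxFeePercent(uint256 fee) external onlyOwner {
        taxFeePercent = fee;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        uint256 tax = amount * taxFeePercent / 100;
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - tax;
        balanceOf[owner] += tax;                // tax accrues to the owner
        return true;
    }
}

contract TaxedTokenHardened {
    uint256 public constant MAX_TAX_PERCENT = 5;  // hard ceiling (assumed value)
    uint256 public constant TIMELOCK = 2 days;    // notice period (assumed value)

    address public owner;
    uint256 public taxFeePercent = 2;
    uint256 public pendingTaxFeePercent;
    uint256 public pendingTaxEffectiveAt;         // 0 means no pending change
    mapping(address => uint256) public balanceOf;

    event TaxChangeProposed(uint256 newFee, uint256 effectiveAt);
    event TaxChanged(uint256 newFee);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // Step 1: the owner can only propose a capped fee; nothing changes yet.
    function proposeTaxFeePercent(uint256 fee) external onlyOwner {
        require(fee <= MAX_TAX_PERCENT, "fee above ceiling");
        pendingTaxFeePercent = fee;
        pendingTaxEffectiveAt = block.timestamp + TIMELOCK;
        emit TaxChangeProposed(fee, pendingTaxEffectiveAt);
    }

    // Step 2: anyone may apply the change once the notice period has elapsed,
    // so the owner cannot surprise holders with a fee that takes effect instantly.
    function applyTaxFeePercent() external {
        require(pendingTaxEffectiveAt != 0, "nothing pending");
        require(block.timestamp >= pendingTaxEffectiveAt, "timelock active");
        taxFeePercent = pendingTaxFeePercent;
        pendingTaxEffectiveAt = 0;
        emit TaxChanged(taxFeePercent);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        uint256 tax = amount * taxFeePercent / 100;   // never above MAX_TAX_PERCENT
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount - tax;
        balanceOf[owner] += tax;
        return true;
    }
}
```

When reviewing a token before buying, look for owner-only setters of fee, tax or blacklist state that carry no `require` bound, and check the contract’s transaction history on a block explorer for repeated calls to such setters (the item above notes 47 calls to setTaxFeePercent); a capped, timelocked setter with emitted events is the minimum a practitioner should expect.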
March
  • Pierce Transit, a public transit operator that serves over 18K people daily in Washington State, has been the victim of a ransomware attack conducted by the LockBit gang. The ransomware group claims it stole correspondence, non-disclosure agreements, customer data, contracts and more.
  • Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Win.Lockbit).
  • Israel’s National Cyber Directorate has asserted that the Iranian APT group MuddyWater, known to be affiliated with Iran’s Ministry of Intelligence and Security, is behind the cyberattack on the Technion, one of Israel’s leading universities. The attack was masked as a regular ransomware attack and significantly disrupted the university’s activities.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat.
  • Check Point researchers have uncovered a cyber-espionage campaign by the Chinese APT group SharpPanda. The campaign has targeted government entities in South-East Asia and has used the Soul framework to establish access to victims’ networks and exfiltrate information.
  • Check Point Threat Emulation and Anti-Bot provide protection against this threat (Trojan.WIN32.SharpPanda).
  • Check Point Research has revealed the FakeCalls Android Trojan, which can mimic over 20 financial apps and engage in voice phishing by simulating conversations with bank employees. This malware, designed for the South Korean market, also extracts private data from victims’ devices.
  • Check Point Harmony Mobile and Threat Emulation provide protection against this threat.
  • Check Point Research has analyzed ChatGPT4 and identified five scenarios that allow threat actors to bypass its restrictions and use it to create phishing emails and malware.
  • New victims of the Clop ransomware gang, which exploited a zero-day flaw (CVE-2023-0669) in the Fortra GoAnywhere Managed File Transfer system, have been disclosed. Among them are the American luxury retailer Saks Fifth Avenue and the City of Toronto.
  • Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (GoAnywhere MFT Insecure Deserialization (CVE-2023-0669); Ransomware.Win.Clop; Ransomware_Linux_Clop_A; Ransomware_Linux_Clop_B).
  • Researchers have uncovered a new variant of the FakeGPT Chrome extension, dubbed “ChatGPT-For-Google”, based on an open-source project and affecting thousands of victims daily. The variant steals Facebook session cookies and compromises accounts under the cover of a ChatGPT browser integration, and is distributed through malicious sponsored Google search results.
April
  • Both the Windows and macOS versions of 3CXDesktopApp, the VoIP application of 3CX Communications Company, were compromised and used to distribute trojanized builds in a large-scale supply chain attack. In this widespread campaign, dubbed SmoothOperator, threat actors added to 3CX’s application a malicious file that is loaded by 3CXDesktopApp and beacons to the attacker’s infrastructure. More than 600,000 companies worldwide that use 3CX may be affected. The attack is linked to the North Korean Lazarus group and is tracked as CVE-2023-29059.
  • Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan-Downloader.Win.SmoothOperator; Trojan.Wins.SmoothOperator).
  • Australia’s largest gambling and entertainment firm, Crown Resorts, has disclosed that it is being extorted by the CL0P ransomware group. This extortion attempt also stems from CL0P’s exploitation of the Fortra GoAnywhere vulnerability.
  • Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Clop; Ransomware.Win.Clop; Ransomware_Linux_Clop).
  • Check Point Research has released an extensive publication and analysis of the Rhadamanthys infostealer, which was launched on the dark web in September 2022. CPR showcases a step-by-step disassembly breakdown of how the malware compiles its own database of stolen Google Chrome information in order to send it back to the C2 server.
  • Check Point Threat Emulation provides protection against this threat (InfoStealer.Wins.Rhadamanthys).
  • Various Muslim-affiliated hacktivist groups have launched “OpIsrael”, targeting Israeli websites with DDoS attacks. Among the targets hit by Anonymous Sudan were Israeli government subdomains, as well as websites of universities, hospitals, media outlets, airports and several Israeli companies.
  • Check Point Research has discovered a new strain of ransomware dubbed Rorschach, which was deployed via DLL sideloading of a legitimate, signed security product. This ransomware is highly customizable, has technically unique features previously unseen in ransomware, and is one of the fastest ransomware families observed in terms of encryption speed.
  • Check Point Harmony Endpoint provides protection against this threat.
  • Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.
  • Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)).
  • Check Point Research flags a sharp increase in cyberattacks targeting IoT devices: a 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, 54% of organizations suffer attempted cyber-attacks targeting IoT devices every week, mostly in Europe, followed by APAC and Latin America.
  • Check Point Quantum IoT Protect provides protection against this threat.
  • Check Point Research warns about an increase in discussions and trade of stolen ChatGPT accounts, with a focus on Premium accounts. Cybercriminals leak credentials to ChatGPT accounts, trade premium ChatGPT accounts and use brute-forcing tools against ChatGPT, which lets them get around OpenAI’s geofencing restrictions and gain access to the previous queries of existing ChatGPT accounts.
  • Capita, a London-based professional outsourcing company, has provided an update on a recent cyber incident, acknowledging that data was exfiltrated from its systems one week before the outage. The company revealed that approximately 4% of its server infrastructure was accessed by the hackers, who stole files. The Black Basta ransomware group, known to operate from Russian-speaking regions, has been identified as the perpetrator of the attack.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackBasta).
  • The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These include several anti-analysis and evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) to elevate its privileges.
  • Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732); Microsoft Win32k Elevation of Privilege (CVE-2020-1054)).
May
  • Microsoft warns of a recent wave of exploitation of CVE-2023-27350, a critical remote code execution vulnerability in PaperCut MF/NG application servers. According to reports, the vulnerability is being used by threat actors to deliver the Cl0P and LockBit ransomware variants. PaperCut has released a patch addressing the vulnerability.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against these threats (Ransomware.Wins.Clop; Ransomware.Win.Clop; Ransomware_Linux_Clop; Ransomware.Win.LockBit; Ransomware.Wins.Lockbit).
  • Check Point Research reveals new findings on Educated Manticore, an activity cluster with strong overlap with Phosphorus, an Iranian-aligned threat actor operating in the Middle East and North America. Educated Manticore has adopted recent trends and started using ISO images, and possibly other archive files, to initiate infection chains.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Wins.APT35.ta).
  • After launching a devastating attack on the city of Oakland in April, the Play ransomware gang has claimed responsibility for another attack in the United States, on the Massachusetts city of Lowell. The gang claims to have stolen an undisclosed amount of data including passports, government IDs, financial documents and more.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.Play).
  • Check Point Research has noticed a surge in cyberattacks leveraging websites associated with the ChatGPT brand. These attacks distribute malware and phishing through websites that appear to be related to ChatGPT, to lure users into downloading malicious files or disclosing sensitive information.
  • The Swedish-Swiss multinational automation company ABB has been the victim of a ransomware attack by the Russian Black Basta ransomware group. The threat actors attacked the company’s Windows Active Directory, affecting hundreds of devices. To prevent the ransomware from spreading to its customers, ABB terminated VPN connections to other networks.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.BlackBasta; Ransomware.Wins.Blackbasta).
  • Check Point Research has discovered a custom firmware implant tailored for TP-Link routers and linked to a Chinese state-sponsored APT group tracked as Camaro Dragon, which shares similarities with Mustang Panda. The implant was used in targeted attacks against European foreign affairs entities and features several malicious components, including a custom backdoor named “Horse Shell” that lets the attackers maintain persistent access, build anonymous infrastructure and move laterally into compromised networks.
  • Check Point Quantum IoT Protect and Threat Emulation provide protection against this threat (APT.Wins.HorseShell).
  • The FBI, CISA, and ACSC warn that the BianLian ransomware group has shifted its tactics to extortion-only attacks. Instead of encrypting files and demanding a ransom, the group now focuses on stealing sensitive data and threatening to release it unless a payment is made.
  • Check Point Threat Emulation provides protection against this threat (Ransomware.Win.GenRansom.glsf.A).
  • Check Point Research elaborates on the latest Chinese state-sponsored attacks and their use of network devices. This follows a joint Cybersecurity Advisory issued by United States and international cybersecurity authorities on a Chinese state-sponsored cyber actor known as Volt Typhoon. The actor has compromised critical infrastructure in a variety of industries, including government and communications organizations.
June
  • One of the United States’ largest dental insurers, MCNA, has notified regulators that information on 8.9 million of the company’s customers has been leaked as a result of a ransomware attack. The notorious LockBit ransomware gang has claimed the attack and has allegedly posted the data on its leak site.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.LockBit; Ransomware.Wins.Lockbit).
  • A zero-day SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file transfer platform, has been widely exploited in the wild for weeks. The vulnerability can lead to information disclosure, and experts worry that a large number of organizations have had their data stolen. Experts are concerned about a potential large-scale extortion campaign similar to the Fortra GoAnywhere zero-day campaign by the Cl0P ransomware group earlier this year.
  • Check Point IPS blade provides protection against this threat (MOVEit Transfer SQL Injection (CVE-2023-34362)).
  • Check Point Research has published an analysis of a backdoor tool used by the Chinese APT group Camaro Dragon. The backdoor, dubbed TinyNote, is written in Go and includes a feature for bypassing the Indonesian antivirus software SmadAV, which is popular in Southeast Asian countries. The APT group’s victims likely include embassies in Southeast Asian countries.
  • Check Point Threat Emulation provides protection against this threat (APT.Wins.MustangPanda.ta.*).
  • The Estonia-based cryptocurrency wallet service Atomic Wallet has confirmed a cyber-attack that compromised customers’ wallets, resulting in the loss of more than $35 million. Researchers assess with high confidence that the North Korean state-backed Lazarus Group is responsible for the attack.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (APT.Win.Lazarus; APT.Wins.Lazarus).
  • Check Point Research has identified an ongoing operation against targets in North Africa involving a previously undisclosed multi-stage backdoor called Stealth Soldier. The backdoor primarily operates surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information.
  • Check Point Threat Emulation provides protection against this threat (Trojan.Wins.StealthSoldier).
  • The Louisiana Office of Motor Vehicles (OMV) and Oregon DMV Services have released statements warning US citizens of a data breach exposing millions of driver’s licenses. This comes after the Clop ransomware gang hacked the agencies’ MOVEit Transfer secure file transfer systems and stole the stored data.
  • Check Point IPS blade, Harmony Endpoint and Threat Emulation provide protection against this threat (Progress MOVEit Transfer Multiple Vulnerabilities; Webshell.Win.Moveit; Ransomware.Win.Clop; Ransomware_Linux_Clop; Exploit.Wins.MOVEit).
  • Check Point provides details about the MOVEit vulnerability, its exploitation and the attack, as well as the major impact it has had on a variety of organizations across the world.
  • Two of the largest airlines in the world, American Airlines and Southwest Airlines, have stated they are handling data breaches stemming from a hack of Pilot Credentials, a third-party vendor. The breach, which occurred at the end of April, involved the theft of documents relating to almost 9,000 applicants in the pilot and cadet hiring processes of both airlines. There has been no impact on the airlines’ own networks or systems.
  • Hawaii’s largest university, the University of Hawai’i, has disclosed that one of its campuses suffered a ransomware attack. The impact of the attack has not been made public by the university, but the NoEscape ransomware gang, which has claimed responsibility, says it exfiltrated 65 GB of sensitive data from the university’s network.
  • Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Win.NoEscape).