
The Week in Cybersecurity: Austrian hackers-for-hire KNOTWEED serve up Subzero malware

Carolynn van Arsdale, Writer, ReversingLabs.


Welcome to the latest edition of The Week in Cybersecurity, which brings you headlines and analysis of the most pressing topics in cybersecurity. This week: Austrian group KNOTWEED spreads malware via Microsoft products, new malware-infested apps pop up in the Google Play store, and more.  

This Week’s Top Story

European cyber mercenary KNOTWEED is serving Subzero malware via Microsoft products

Microsoft Security shared in a recent blog post their discovery of a private-sector offensive actor (PSOA) using multiple Windows and Adobe 0-day exploits in targeted attacks against European and Central American customers. Microsoft’s Security Response Center dubbed the group KNOTWEED, and stated their belief that the group developed the Subzero malware, used in these various attacks against the company’s customers.

PSOAs, also known by Microsoft as ‘cyber mercenaries,’ sell hacking tools or services through a variety of business models. Microsoft believes that KNOTWEED blends two business models: access-as-a-service and hack-for-hire. The group sells the Subzero malware to third parties to use. But KNOTWEED-associated infrastructure has also been used in some of these attacks, which suggests more direct involvement from the group, Microsoft said. 

KNOTWEED, an Austrian PSOA named DSIRF, claims to offer services to critical infrastructure sectors, including risk analysis and “highly sophisticated” red teaming. However, various news reports show that DSIRF/KNOTWEED has both developed and attempted to sell the Subzero malware. One of the attack’s victims told Microsoft that they “had not commissioned any red teaming or penetration testing,” confirming it was unauthorized, malicious activity.

Microsoft will continue to monitor KNOTWEED’s activity and implement protections for its customers. On top of listing Indicators of Compromise (IOCs) and detection methods, Microsoft is advising customers to prioritize patching CVE-2022-22047, a vulnerability KNOTWEED has exploited, and to keep Microsoft Defender Antivirus up to date.

News roundup

Here are the stories we’re paying attention to this week…

Hackers opt for new attack methods after Microsoft blocked macros by default (The Hacker News)

With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs). 

LockBit ransomware gang claims it ransacked Italy's tax agency (The Register)

The LockBit ransomware crew is claiming to have stolen 78GB of data from Italy's tax agency and is threatening to leak it if a ransom isn't paid by July 31. The notorious gang put a notice on its dark-web site adding the agency – the Agenzia delle Entrate – to its growing list of victims. According to LockBit, the data stolen includes documents, financial reports, and contracts.

Chinese UEFI rootkit found on Gigabyte and Asus motherboards (Security Week)

Dubbed CosmicStrand and likely developed by an unknown Chinese-speaking threat actor, the rootkit was found in the firmware images of Gigabyte and Asus motherboards using the H81 chipset, suggesting that a common vulnerability may have been exploited for infection.

More malware-infested apps found in the Google Play store (Graham Cluley)

Three million Android users may have lost money and had their devices infected by spyware, after the discovery that the official Google Play store has been distributing apps infected by a new family of malware. French security researcher Maxime Ingrao described last week on Twitter how he had discovered the new malware, named “Autolycos”, and how it signs up users to premium services.

Hackers steal $6M from blockchain music platform Audius (BleepingComputer)

The decentralized music platform Audius was hacked over the weekend, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. Audius is a decentralized streaming platform hosted on the Ethereum blockchain where artists can earn AUDIO tokens by sharing their music, and users can curate and listen to content.
