Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing Apr 8, 2021

REvil ransomware operators never cease to surprise security researchers. With an intent to evade detection while encrypting files, attackers have come up with a refined version of the Safe Mode encryption method. The new change illustrates how ransomware gangs are continuously evolving their tactics to successfully encrypt target devices.

While REvil ransomware is undergoing evolution, another new ransomware dubbed Cring is being used in the wild to compromise networks that employ vulnerable Fortigate VPN servers.

The Lazarus APT is back in the spotlight for distributing a new malware dubbed Vyveva. The backdoor malware strain has been spotted in an attack against a South African freight and logistics firm.

Top Breaches Reported in the Last 24 Hours

PHP repository hacked

The maintainers of the PHP programming language have issued an update about a security incident that came to light last month. Following the attack, the attackers may have got hold of a user database containing passwords to make unauthorized changes to the repository.

Top Malware Reported in the Last 24 Hours

Web shells steal credit cards

Global payment processor VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information from online store customers. The web shells are used to inject malicious scripts, known as credit card skimmers, into hacked online stores.

REvil ransomware evolves

The operators of REvil ransomware have added a new Safe Mode encryption method that automatically logs Windows into Safe Mode before performing the encryption process. With this new sample, the ransomware will change the user’s password to ‘DTrump4ever.’

New Cring ransomware

The newly discovered Cring ransomware is being used in attacks that exploit a vulnerability in Fortigate VPN servers. Fortinet issued a security patch to fix the vulnerability last year, however, cybercriminals can still deploy the exploit against networks that are yet to apply the security update.

New Vyveva backdoor spotted

The Lazarus APT group has been tied to a new backdoor malware dubbed Vyveva that was used against a South African freight and logistics firm. The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a C2 server remotely, and execute arbitrary code.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Domain Time II network

A vulnerability residing in the ‘Domain Time II’ network time solution can lead to Man-on-the-Side (MotS) attacks. This can enable attackers to intercept the UDP query and deliver their own URL to the software. A patch to address the issue has been released with Domain Time II version 5.2.b.20210331.

Cisco fixes a flaw

Cisco has released security updates for several vulnerabilities affecting SD-WAN vManage Software’s remote management component. One of these is a critical pre-authentication RCE vulnerability tracked as CVE-2021-1479. The other two high-severity vulnerabilities are CVE-2021-1137 and CVE-2021-1480.

Top Scams Reported in the Last 24 Hours

Fake Trezor app steals crypto coins

Several Trezor users have been duped by a fake app that stole more than $1 million worth of crypto coins. The app was available on the App Store for at least two weeks and downloaded 1,000 times before it was taken down.

Phishing through legitimate services

Cybercriminals are increasingly using legitimate services, such as Google Forms and Telegram bots, to steal user data from phishing websites. These services are used by threat actors to generate web pages mimicking online services.

Related Threat Briefings