Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence July 01, 2021 - Featured Image

Daily Threat Briefing Jul 1, 2021

The leaked Babuk Locker ransomware builder tool has finally made headway for a new attack campaign. An anonymous threat actor has been found using the leaked builder tool in a very active campaign that targets victims worldwide. The new ransomware variant, named after ‘Babuk Locker’, encrypts files on victims’ systems and later drops a note demanding a ransom of 0.006 Bitcoins.

Cybersecurity analysts are also warning of another ongoing cyberattack conducted by a China-based IndigoZebra threat actor group. The attackers are leveraging Dropbox to infiltrate the Afghan National Security Council (NSC) and drop a backdoor dubbed BoxCaon. The malware is capable of stealing confidential data.

The Windows SMB server is also under attack by the NSABuffMiner worm. The ultimate goal is to drop cryptominers on compromised machines.

Top Malware Reported in the Last 24 Hours

Leaked Babuk Locker code in use

A threat actor has been found using the leaked Babuk Locker builder tool to target victims across the globe. The ransomware goes by the same name and adds the .babyk extension to encrypted file names and later drops a ransom note. It demands .006 Bitcoins in ransom from the victims to decrypt their files.

New BoxCaon backdoor

A China-based threat actor group, IndigoZebra, is leveraging Dropbox cloud storage service to launch attacks against the Afghan National Security Council. The ongoing campaign makes use of phishing emails to lure NSC officials. A new backdoor dubbed BoxCaon is being used to steal confidential data as part of the attack.

Indexsinas SMB worm

Indexsinas, aka NSABuffMiner worm, is on a mission of hunting down Windows systems to launch cryptojacking attacks. It uses EternalBlue, DoublePulsar, and EternalRomance exploits to propagate into systems.

Top Vulnerabilities Reported in the Last 24 Hours

Claroty issues a patch

Claroty has issued a patch for a vulnerability affecting its Secure Remote Access (SRA) products. The flaw can be abused by threat actors to bypass access controls for the central configuration file of the SRA software. This, in turn, can endanger the targeted OT environment.

Netgear vulnerabilities disclosed

Microsoft has disclosed a series of HTTP authentication vulnerabilities affecting Netgear routers that can lead to data leaks and full system compromise. The three flaws impact DGN-2200v1 series routers running firmware versions prior to v1.0.0.60. They are tracked as PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 and have been issued CVSS scores of between 7.1 and 9.4.

Top Scams Reported in the Last 24 Hours

WhatsApp users targeted

Police in the U.K warned WhatsApp users about a fraud campaign that tricks them into sharing their verification code. The end goal of the fraudsters is to steal their accounts. The scam works by fraudsters sending a message that includes a verification code. The message asks the recipients to verify their WhatsApp number by sending back the code on a phone number operated by fraudsters.

Related Threat Briefings