Cyware Daily Threat Intelligence

Daily Threat Briefing • May 14, 2021
This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.
Daily Threat Briefing • May 14, 2021
Looks like the DarkSide ransomware gang is engaged in 'big game hunting', pursuing its targets to pay hefty ransoms. In the past 24 hours, two business giants—Colonial Pipeline and Brenntag—have reportedly paid over $4 million each in return for decryption keys.
Meanwhile, meet Lorenz, a new ransomware gang running wild in the threat landscape. The ransomware, which has targeted several organizations worldwide, uses an encryption process similar to that of the ThunderCrypt ransomware. So far, the ransomware has listed twelve victims on its data leak site.
Abuse of legitimate software continues to see a spike in phishing campaigns and the latest to be added to the list is the Microsoft Build Engine (MSBuild). Threat actors are leveraging the software to distribute Remcos RAT, Quasar RAT, and RedLine Stealer payloads onto victims’ computers.
Top Breaches Reported in the Last 24 Hours
Colonial Pipeline attacked
Colonial Pipeline has reportedly paid a ransom of $5 million to the DarkSide gang in return for a decryption key. The firm was attacked last week by the gang who stole confidential data before encrypting systems. In another incident, a chemical distribution company Brenntag has paid a $4.4 million ransom in Bitcoin to the DarkSide ransomware gang to receive a decryptor.
HSE affected
Ireland’s Health Service Executive (HSE) was forced to shut down its computer systems after it suffered a cyberattack. The attack is being characterized as a ransomware hack but it’s not yet clear if the hacker succeeded at acquiring data to hold hostage.
Top Malware Reported in the Last 24 Hours
Web Shells for Skimming
In a new technique, the Magecart group 12 has been identified hiding web shells known as Smilodon or Megalodon inside website favicons. These web shells are used to dynamically load JavaScript skimming code via server-side requests into online stores. This enables the threat actors to evade analysis techniques.
Delivering RATs
Threat actors are abusing the Microsoft Build Engine (MSBuild) to deploy RATs and fileless information-stealing malware as part of an ongoing campaign. So far, the software has been used to push Remcos RAT, Quasar RAT, and RedLine Stealer payloads onto the victims’ computers.
New Lorenz ransomware
Lorenz is a newly discovered ransomware that targets enterprises worldwide. The Lorenz ransomware encryptor is the same as the ThunderCrypt operation. Similar to other ransomware attacks, Lorenz breaches a network and spreads laterally to other devices until it gains access to Windows domain administrator credentials.
Top Vulnerabilities Reported in the Last 24 Hours
Cisco fixes AnyConnect Secure Mobility Client
Cisco has addressed a zero-day vulnerability CVE-2020-3556 discovered in its AnyConnect Secure Mobility Client. The flaw resides in the InterProcess Communication (IPC) channel of the software. The company is not aware of any threat actors exploiting it in the wild.
Citrix patches Workspace app
Citrix has issued a patch for a local privilege escalation vulnerability affecting its Workspace app for Windows. Tracked as CVE-2021-22907, the vulnerability could be exploited by local attackers to escalate privileges to SYSTEM level. The issue has been fixed with the release of Citrix Workspace App 2105 and Citrix Workspace App 1912 LTSR CU4.
Top Scams Reported in the Last 24 Hours
Zix phishing scam
Scammers are sending phishing emails from a compromised email account in an attempt to pilfer Office 365 and other email account credentials. The compromised email address belongs to a real estate services company (Authentic Title, LLC). The recipients are asked to click on a phishing link that takes them to a Zix authentication site and later a Microsoft OneNote page.