Cyware Daily Threat Intelligence

Daily Threat Briefing • May 18, 2021
DarkSide ransomware jitters continue this week. In a previously unseen move, the ransomware has been upgraded to target hidden files in disk partitions. This is likely to cause heavy damage to organizations and to increase the pressure to pay a ransom to recover files.
A deluge of spear-phishing campaigns is targeting users worldwide. One campaign impersonates financial institutions in the U.S. and the U.K. in an attempt to distribute RATs. Another targets taxpayers in South Korea, Australia, and the U.S. Both campaigns aim to steal sensitive information from users.
Top Breaches Reported in the Last 24 Hours
Monday.com impacted
Monday.com has disclosed that it was breached as a result of the Codecov supply chain attack. Its investigation found that the actors had gained access to a read-only copy of its source code.
Guard.me affected
Student health insurance carrier guard.me has taken its website offline after suffering a data breach. The incident occurred due to a vulnerability that allowed a threat actor to access policyholders’ personal information. The firm has started notifying the impacted students.
Top Malware Reported in the Last 24 Hours
New DarkSide ransomware variant
Researchers have discovered a DarkSide variant capable of seeking out partition information and compromising multiple disk partitions. With this, the variant aims to find additional files to encrypt, causing more damage and putting pressure on organizations to pay the ransom. This variant also looks for the domain controller and connects to its Active Directory via LDAP anonymous authentication.
Truist impersonated
Threat actors impersonated Truist in a spear-phishing campaign that attempted to distribute RATs. The tailor-made campaign spoofed the financial institution through registered domains, email subjects, and applications related to the institution. To increase the success rate, the attackers used malware that was not yet detected by anti-malware engines. Other U.S. and U.K. financial institutions (Maybank, FNB America, and Cumberland Private) have also been impersonated in this spear-phishing campaign.
Another spear-phishing campaign
Taxpayers in South Korea, Australia, and the U.S. are being targeted by a phishing campaign whose emails pose as account ledger notices. The subject line reads “Account Ledger for 2020-2021,” and the email body encourages recipients to verify the attachment. The campaign is used to distribute RATs.
Top Vulnerabilities Reported in the Last 24 Hours
Object Injection vulnerability
A new object injection vulnerability in the PHPMailer library can be leveraged for attacks such as code injection, SQL injection, path traversal, and application denial of service. The vulnerability stems from improper sanitization in a PHP function. It affects library versions between 6.1.8 and 6.4.0.
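Object injection through a file path in PHP typically rides on a stream wrapper such as phar://, so the practical defence while upgrading is to refuse anything but a plain local file before it reaches the library. The following is an added example, not PHPMailer's own code; it assumes PHP 8, a Composer install of PHPMailer, and an attachment directory of our choosing:

```php
<?php
// Added hardening example (not part of PHPMailer): validate an attachment path
// before handing it to addAttachment(), and flag installs in the affected range.
// Assumptions: PHP 8 (str_starts_with), Composer autoload, ATTACH_DIR is ours.

require __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;

const ATTACH_DIR = '/var/app/attachments'; // constructed value for this example

function attachmentPathIsSafe(string $path): bool
{
    // Reject stream wrappers (phar://, data://, ...) and UNC-style prefixes outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) || str_starts_with($path, '\\\\')) {
        return false;
    }
    // realpath() resolves symlinks and ".." and returns false for non-files/wrappers.
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        return false;
    }
    // Confine the resolved path to the attachment directory (no traversal out of it).
    $base = realpath(ATTACH_DIR);
    return $base !== false && str_starts_with($real, $base . DIRECTORY_SEPARATOR);
}

function isAffectedPhpMailer(string $version): bool
{
    // 6.1.8 through 6.4.0 is the affected range named in the briefing.
    return version_compare($version, '6.1.8', '>=') && version_compare($version, '6.4.0', '<=');
}

if (isAffectedPhpMailer(PHPMailer::VERSION)) {
    error_log('PHPMailer ' . PHPMailer::VERSION . ' is in the affected range; upgrade it.');
}

$mail = new PHPMailer(true);
$candidate = ATTACH_DIR . '/report.pdf'; // constructed path for this example
if (attachmentPathIsSafe($candidate)) {
    $mail->addAttachment($candidate);
} else {
    error_log("Refusing to attach untrusted path: $candidate");
}
```

The version check is a stopgap signal for inventory, not a substitute for upgrading; the path check is worth keeping after the upgrade as defence in depth.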
Top Scams Reported in the Last 24 Hours
Scammers target families
The FBI has warned that scammers are actively targeting the families of missing persons for quick payouts of between $5,000 and $10,000. The scammers manipulate the targeted families via phone calls or text messages into believing that their loved ones are in danger or have been abducted, using social media posts to gather information about the missing person.