Cyware Monthly Threat Intelligence

Cyware Monthly Threat Intelligence - Featured Image

Monthly Threat Briefing April 2, 2020

The Good

The month of February witnessed much hustle and bustle in the cyber threat landscape, including some path-breaking research by some of the security experts. Recently, a group of researchers devised a method called DEEP-Dig to fool hackers into sharing their tactics. Meanwhile, researchers at Open Cybersecurity Alliance introduced a new language framework to connect cybersecurity tools via a common messaging platform. In other news, scientists developed an automatic system to create random strings of numbers and encryption information.

  • A new cyber defense approach called DEEP-Dig (DEcEPtion DIGging) that focuses on improving intrusion detection of a system, has been developed by a group of scientists at the University of Dallas. The approach will trap malicious actors into a decoy site, allowing machines to learn their tactics. Researchers anticipate that the approach will benefit defense organizations.
  • A team of researchers devised a powerful approach to secure web browsers last month. The new method works by shifting some of the browser code into ‘secure sandboxes’ that prevent malicious code from taking over a user’s computer. This new strategy is now a part of the Firefox browser’s test release for the Linux operating system.
  • The Open Cybersecurity Alliance (OCA) launched a new language framework called OpenDXL Ontology to connect cybersecurity tools through a common messaging framework. The new framework aims to eliminate the need for custom integration between entities such as endpoint systems, firewalls, and behavior monitors.
  • For the first time, scientists built a robotic system that uses the crystallization process to create random strings of numbers and encrypted information. This method proves to be a good alternative to existing true random number generators which usually takes a longer time to crack the algorithm.
  • Japan CERT released a new utility tool called EmoCheck that allows Windows users to check if they are infected with the Emotet trojan. Once installed on a system, the tool scans for the trojan and if it is found, it alerts the user with the process ID and the location of the malicious file.

The Bad

Also, some of the big firms around the world leaked out terabytes of data due to unsecured database servers. Rallyhood, a community collaboration platform, disclosed nearly 4.1 terabytes of files via unprotected bucket. There were more firms that faced similar incidents, including Tetrad and Decathlon. While Tetrad, a US market analysis firm, laid bare 120 million records of Americans, sports giant Decathlon leaked 123 million records belonging to UK and Spain customers.

  • Rallyhood exposed nearly 4.1 terabytes of files via an unprotected AWS S3 bucket, giving anyone access to a decade’s worth of user files. Some of the files contained sensitive data like shared passwords lists, contracts, and other permission slips and agreements.
  • Around 747GB data related to 120 million Americans was exposed by a market analysis company Tetrad due to a misconfigured Amazon S3 bucket. The leaky database included data from Chipotle, Kate Spade, and Bevmo.
  • Sports giant Decathlon also made headlines last month for revealing 123 million records due to an unsecured Elasticsearch server. It contained information belonging to Decathlon Spain and possibly its UK business as well.
  • A data breach at Dutch airline Transavia affected the data of as many as 80,000 passengers. The compromised data dated back to 2015 and included passengers’ full names, dates of birth, and information regarding luggage reservations.
  • Over 10.6 million guest records stolen from MGM Resorts were posted on an online hacking forum last month. The compromised records included data of regular tourists, celebrities, government officials, reporters, CEOs and professionals from tech firms.
  • A popular photo app, PhotoSquared leaked around 94.7 GB data containing over one million records due to a misconfigured S3 database. The records dated back from November 2016 to January 2020. The exposed data included user photos, order records, receipts, and shipping labels.
  • Public Services and Procurement Canada inadvertently shared the data of more than 69,000 public servants with the wrong people. The data leaked included full names, personal record identifier numbers, home addresses, and overpayment amounts of employees.
  • Cosmetics giant Estée Lauder Companies Inc. came under fire for leaking over 440 million records publicly due to an unprotected database. The exposed records included emails in plain text, internal documents, middleware logs, and more. The duration of the data breach was unknown.
  • TastSelv Borger tax portal, managed by the US company DXC Technology, accidentally leaked the personal data of 1.2 million Danish citizens due to a software error. The bug was rectified as soon as DXC became aware of it.
  • Australian logistics company, Toll Group fell victim to a ransomware attack. The firm became aware of it on January 31, 2020, and immediately disabled the relevant systems to prevent the ransomware infection. Over 1000 servers crippled due to the attack.
  • An open and publicly accessible database belonging to an email marketing firm, Pabbly exposed nearly 51 million records. The exposed records dated back to 2014 and contained customer names, email addresses, subject lines, email messaging, and internal data.
  • An S3 bucket owned by FutebolCard leaked 25GB of sensitive data belonging to supporters of a number of Brazilian organizations. The exposed information included names, contact details, dates of birth, marital status, social security numbers, and payment method of fans. Futebol rectified the issue on January 31, 2020, by taking the bucket offline.

New Threats

In new threats for the month, researchers released details about a new threat called KrØØk that impacted Wi-Fi chips provided by Broadcom and Cypress. Also, the infamous BlueKeep flaw returned to affect over 55% of medical imaging devices. Whereas, researchers spotted a variant of Racoon info-stealer targeting over 60 web applications.

  • Security researchers presented the technical details of a serious vulnerability called KrØØk. The flaw affects the Wi-Fi chips made by Broadcom and Cypress and can allow an adversary to decrypt some wireless network packets transmitted by vulnerable devices.
  • A new version of the ‘Cerberus’ android banking trojan was uncovered accessing 2FA-protected accounts by stealing one-time codes generated by the Google Authenticator app. The new variant is available for sale on hacking forums.
  • The capabilities of the Racoon info-stealer were enhanced to extract sensitive data from about 60 applications on a targeted computer. The applications include a wide range of browsers, email client software, and cryptocurrency wallets.
  • A new report revealed that the BlueKeep flaw plagued more than 55% of medical imaging devices including MRIs, X-rays, and ultrasound machines. The flaw was tracked as CVE-2019-0708 affects RDP service running on outdated Windows versions.
  • Over 20,000 WordPress sites were detected running trojanized versions of premium WordPress themes and plugins designed to distribute WP-VCD botnets. The purpose of the attackers was to generate more revenues by misleading visitors with fraudulent ads.
  • AZORult trojan also made a comeback in a campaign disguising itself as fake ProtonVPN installers. Once installed, the trojan collected the infected machine’s environment data and sent it back to an attacker’s C2 server located in Russia.
  • A notification sent out by the FBI alerted US private organizations about an ongoing hacking campaign that distributes Kwampirs malware. The campaign was similar to a supply chain attack that was reported by Symantec in 2018. Now, the campaign has evolved to target companies in the ICS sector.
  • There was a newly discovered KBOT virus that claimed to be the first ‘living’ virus spotted in the wild. The malware penetrates into a user’s computer via the web, the local network, or an infected piece of external media. It attempts to harm the system by writing itself to Startup and the Task Scheduler.
  • A remote access trojan (RAT) named Parallax was found to be widely distributed through malicious spam campaigns. When installed, it allows attackers to gain full control over an infected system. The malware was being offered for as low as $65 a month on underground forums.
  • Five critical vulnerabilities, collectively dubbed as ‘CDPwn’, were found in the Cisco Discovery Protocol (CDP) which could lead to remote code execution and denial of service. The flaw could allow attackers with an existing foothold to remotely take over millions of devices running the protocol.
  • The China-based Winnti group targeted two Hong Kong universities with a new variant of ShadowPad backdoor. The new version was much simpler compared to previously analyzed malware samples used by the group. It was, as per researchers, much likely executed via DLL side loading.

Related Threat Briefings

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors.  A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024

Cyware Monthly Threat Intelligence

The Good The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and t

Sep 2, 2024

Cyware Monthly Threat Intelligence

The Good In a series of proactive measures aimed at bolstering global cybersecurity resilience, significant strides were made in the education and law enforcement sectors to safeguard critical systems against evolving threats. The NASA Katherine Jo

Aug 1, 2024

Cyware Monthly Threat Intelligence

The Good The collaborative efforts and enhanced protocols by different government bodies represent significant steps forward in strengthening cybersecurity on a global scale. French authorities, in collaboration with Europol, have launched a "disin

Jul 1, 2024

Cyware Monthly Threat Intelligence

The Good Recent developments showcase a proactive stance in bolstering cybersecurity across critical sectors. The collaboration between the U.K’s National Crime Agency (NCA) and the FBI to dismantle the Qilin ransomware gang highlights internationa