Cyware Monthly Threat Intelligence

Monthly Threat Briefing • June 1, 2021
In the top news for the month, President Joe Biden signed an extensive executive order on improving the cybersecurity posture of the U.S. Meanwhile, top browser makers Google and Mozilla teamed up to develop a browser API for sanitizing untrusted HTML, aimed at fending off XSS attacks. Advancing its own cybersecurity posture, the U.S. Coast Guard announced it would establish a dedicated red team to take on cybersecurity threats.
From healthcare to audio device manufacturers, several global firms, including Fujitsu, Bose, and Toyota, suffered service interruptions due to cyberattacks. Attacks mounted against government agencies in Australia, Belgium, and Indonesia, impacting millions of citizens. Moreover, the new Iran-linked Agrius group launched disruptive attacks against Israeli targets.
New vulnerabilities, phishing techniques, and malware kept undermining organizations' efforts to contain them. The FragAttacks flaws affect Wi-Fi devices broadly, while the new Snip3 loader deploys multiple RAT families and features exceptional evasive behavior. Moreover, flaws in multiple Android apps were found to put the data of 100 million users at risk.
A total of 12 flaws, dubbed FragAttacks, were discovered affecting Wi-Fi devices: design weaknesses in the frame aggregation and fragmentation features of the IEEE 802.11 standard itself, plus implementation bugs in how individual devices handle such frames. Because the design flaws are in the standard, devices from many vendors are affected regardless of the security mode in use. An attacker within radio range of the target can exploit them.
Personal data, including names, email addresses, dates of birth, chat messages, location, and payment details, of over 100 million Android users was exposed through unprotected databases used by 23 apps. Among the affected apps were Logo Maker, Astro Guru, and T'Leva.
A new and stealthy malware loader called Snip3 was used in an ongoing phishing campaign targeting aerospace and travel organizations. The loader has been observed dropping Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT on compromised systems.
In a new technique, Magecart Group 12 was observed hiding PHP web shells, tracked as Smilodon or Megalodon, inside files posing as website favicons. Because the skimmer is fetched by the web shell via server-side requests and injected dynamically, the skimming JavaScript never appears in the store's static source, which defeats client-side scanners that only look at served HTML.
Researchers observed an updated version of the Lemon Duck cryptomining botnet that targeted unpatched Microsoft Exchange servers and attempted to execute Cobalt Strike DNS beacon payloads on them.
Three new malware families, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were associated with a large cyberespionage campaign against many organizations in the U.S. Launched via phishing emails, the attacks were attributed to a newly tracked, uncategorized group, UNC2529.
A new cryptocurrency stealer variant, Panda Stealer, was found targeting individuals across the U.S., Australia, Japan, and Germany. It was spread through a global spam campaign that also leveraged Discord channels.
A new variant of the Buer malware loader was propagated via phishing emails. Dubbed RustyBuer, the strain is rewritten in Rust and is capable of delivering Cobalt Strike Beacon as a second-stage payload; the rewrite also changes the binary enough to slip past signatures built for the original C-based loader.
Researchers demonstrated a new attack technique, dubbed TBONE, that enables attackers to compromise Tesla and other vehicles remotely without any user interaction. It chains two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices.
Moriya, a previously unknown rootkit, was used by unidentified threat actors to deploy passive backdoors on public-facing servers. Being passive, the backdoor does not beacon out to a command-and-control server; it inspects inbound traffic for operator commands, which leaves few outbound indicators for defenders to catch. The rootkit also lets the attackers intercept victim network traffic and is part of the TunnelSnake campaign.
The Royal Mail delivery firm once again came into the crosshairs of scammers in a new phishing scam designed to evade security checks. The scam begins with recipients receiving SMS messages claiming that a parcel has been redirected to the local post office because of an unpaid shipping fee.