Cyware Weekly Threat Intelligence, April 12 - 16, 2021

Weekly Threat Briefing • Apr 16, 2021
The Good
Imagine a refreshing lemonade on a hot summer day, while you kick off your shoes and relax. Wouldn’t it be nice to have such a refreshing piece of news too? We have just the right thing for you! The FBI obtained a warrant to copy and delete web shells from hundreds of Hafnium victims. In other major news, the U.S. formally attributed the SolarWinds attacks to a Russian intelligence agency.
The FBI used the backdoors that Hafnium attackers had exploited to enter Exchange Servers globally to remotely delete web shells from hundreds of impacted servers.
The Internet of Secure Things Alliance (ioXt) launched a new security certification for VPNs and mobile apps. The compliance program consists of a set of security-related requirements against which apps can be certified.
The SolarWinds attack was officially attributed to Russia’s Foreign Intelligence Service - SVR. The NSA, FBI, and CISA issued a joint advisory warning of SVR’s activities against various organizations.
The Bad
Social media has never really been a safe place to be. Although this week didn’t bring anything exceptional beyond the usual maladies, one truly concerning development is the phishing attacks launched against job seekers. Threats looming over cryptocurrency platforms are not going anywhere, as proven by an attack on Celsius Network. Last but not least, the Joker malware is back and making Huawei users cry.
Babuk ransomware operators reportedly posted 500GB worth of Houston Rockets’ internal business data—contracts, NDAs, and financial data—on their dark web forum.
Employment-oriented service users in the U.S., the Middle East, and Canada are being targeted with customized phishing emails that attempt to hijack their LinkedIn accounts or promote fake LinkedIn email leads.
Two Tasmanian casinos were forced to shut down following a ransomware attack. The attack affected hotel booking systems, as well as the slot machines.
Celsius Network, a cryptocurrency rewards platform, underwent a security breach, which, in turn, led to a phishing attack on its customers. The breach resulted in the exposure of a partial customer list of the company.
More than 100,000 web pages hosted on Google Sites are being used to trick netizens into opening booby-trapped business documents containing a RAT, using common business lures.
Attackers are launching campaigns in which the IcedID payload was swapped for the QakBot trojan to deliver malicious payloads. The campaign relied on updated XLM macros to distribute the trojan.
ParkMobile suffered a breach and the account information of 21 million customers was for sale on a Russian-speaking crime forum for $125,000.
ShinyHunters leaked sensitive information of about 2.5 million Upstox users. The exposed information includes names, dates of birth, email addresses, bank account information, and about 56 million KYC documents stolen from the company’s server.
APKPure, one of the largest app stores, fell victim to a supply chain attack. Threat actors managed to launch the attack by compromising client version 3.17.18 to deliver malware dubbed Triada.
More than 500,000 Huawei users were infected with the Joker malware distributed via 10 apps in AppGallery.
New Threats
Lazarus is back at it again. At what, you ask? Cryptocurrency stealing. There’s a twist though - it is using a unique tactic. You’ll read about it real soon. The BRATA malware family made its way into the Google Play Store, deploying a backdoor via several apps. Also, IoT devices are at high risk from a set of nine newly disclosed flaws. Go on, read along.