Cyware Weekly Threat Intelligence, February 08 - 12, 2021
Weekly Threat Briefing • Feb 12, 2021
The Good
This year seems to be bringing out the humanity in threat actors, at least in some. Another ransomware shut down shop and apologized for being a pain. Also, let me ask you a question. What do musicians, influencers, and sports celebrities have in common? All of them got more than $100 million worth of cryptocurrency stolen from them. But, fret not. Suspects have been arrested.
-
The Ziggy ransomware gang apologized on Telegram for its activities and announced shutting down its operations. It has released the decryption keys.
-
Google announced launching a database for open source vulnerabilities, which would be a triage infrastructure for open source projects.
-
CyberArk researchers released BlobHunter, an open-source tool organizations can use to discover unsecured Azure blobs containing sensitive files inadvertently exposed by them.
-
The UK National Crime Agency, in coordination with the Europol, arrested ten suspects who siphoned off $100 million in cryptocurrency in numerous SIM-swapping attacks targeted at high-profile U.S. celebrities.
The Bad
Attacks on critical infrastructure just got extreme where physical risks to lives could be incurred. This week made us all ponder over the severity of cyberwar after an intruder tried poisoning a Florida city’s water supply. The alleged source code of Witcher 3 was put on auction. Lastly, Conti means business and by business, it means leaking data until the victims end up paying. This week two healthcare providers fell prey to this ignominious ransomware.
-
Hacktivists hijacked and defaced the DNS records of several Sri Lankan websites that include Google.lk and Oracle.lk. Users visiting these sites were redirected to web pages detailing various social issues impacting the local population.
-
Iranian threat actor group, Charming Kitten, has been linked with a massive cyberespionage campaign that involves the use of Furball spyware. The spyware is distributed via malicious wallpaper and gaming apps.
-
A hacker hacked into a water treatment plant in Oldsmar, Florida, in an attempt to poison the water supply by increasing the level of sodium hydroxide, also known as lye.
-
A cyberattack on Charles J.Hilton & Associates P.C. (CJH) potentially exposed the personal health information of more than 36,000 patients at the University of Pittsburgh Medical Center (UPMC).
-
First, the Polish video game company CD Projekt revealed falling victim to a cyberattack that affected some of its internal systems. Later, its source code for GWENT was leaked on a popular hacking forum in what appears to be a double extortion strategy. Now, threat actors are found auctioning the alleged source code for CD Projekt Red games, including The Witcher 3, Thronebreaker, and Cyberpunk 2077.
-
Conti ransomware operators published patients’ data stolen from two U.S. hospital chains. The affected organizations are the Florida-based Leon Medical Centers and Nocona-General Hospital in Texas.
-
Finnish therapy psychotherapy practice firm, Vastaamo, has declared bankruptcy after falling victim to a horrific security breach. The problem first began in 2018, when the firm discovered that a database of customer details and notes had been accessed by hackers.
-
A database belonging to Ukraine’s PrivatBank is being offered for sale on a popular hacking forum. It contains 40 million records that include full names, dates of birth, places of birth, passport details, and phone numbers of customers.
-
Singtel and QIMR Berghofer Medical Research Institute are investigating potential data breaches caused by vulnerabilities in Accellion’s file-sharing system.
-
No Support Linux Hosting came to a close due to a breach that impacted the company’s entire operation, including its official website, admin section, and customer database.
New threats
It’s the second week of February and apparently, love is in the air. However, do you know what else is in the air and all around you? Love scams! Along with this deception, we saw the emergence of a new ransomware strain that is no longer reliant on a C2 server for communication. Such tech, much danger. Before signing off, we also need to mention that the BazarBackdoor malware got a makeover and now it can evade detection.
- Zeoticus 2.0 ransomware emerged on the threat landscape and doesn’t depend on a C2 server. It relies on faster encryption algorithms such as XChaCha20, Poly1305, XSalsa202, and Curve25519.
- A new phishing attack campaign has been observed using Morse code to hide malicious URLs in an email attachment. The ultimate goal is to bypass secure email gateways or mail filters during the infection process.
- A set of nine new vulnerabilities, collectively known as Number:Jack, was identified in multiple TCP/IP stacks used by millions of IoT and OT devices. These flaws could allow attackers to intercept and manipulate data.
- A newly discovered variant of the LodaRAT malware is targeting Windows and Android devices in a new espionage campaign. Linked to the Kasablanka threat actor group, the malware is used to spy on users in Bangladesh.
- BendyBear is a new, highly sophisticated malware potentially linked to the BlackTech hacking group. The malware has features and behavior that strongly resembles the WaterBear malware family that has been active since 2009. It leverages the existing Windows registry key that is enabled by default on Windows 10.
- BazarBackdoor malware has been rewritten in the Nim programming language with a purpose to evade detection by security software. Once a computer becomes infected, BazarBackdoor is used to provide the threat actors remote access to the computer to spread laterally throughout a network.
- Researchers have uncovered two malware families called Hornbill and Sunbird targeting military, nuclear, and election entities in India and Pakistan. The two malware are capable of exfiltrating SMS messages, encrypted messaging app content and geolocation, and other sensitive information.
- UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by the Iran-based MuddyWater threat actor group. The objective of the campaign is to install a remote management tool called ScreenConnect, customized with malware samples and URLs masquerading as the Ministry of Foreign Affairs.
- Pre-valentine malware attacks were found to be sent via emails confirming hefty orders from flower and lingerie shops, Rose World and Ajour, respectively. This spear-phishing attack directs victims to a malicious document that executes the BazaLoader malware.
- Adobe is warning of a critical buffer overflow vulnerability being exploited in the wild. The flaw, tracked as CVE-2021-21017, is being used to target Adobe Reader users on Windows. It can lead to arbitrary execution of code on affected systems.