Cyware Weekly Threat Intelligence, February 22 - 26, 2021

Weekly Threat Briefing • February 26, 2021
Weekly Threat Briefing • February 26, 2021
The Good
Stop what you are doing as I have brought some fresh baked good news for you. We all need hope and optimism in our daily lives and here comes your weekly dose of the same. Android users rejoice as now they get the Password Checkup feature. Researchers invented means to detect hidden cryptomining malware and they are in the search for a partner to bring the solution to the market. Let’s toast to a better cyberplace.
The Bad
The week found itself among a whole heap of cyberattacks. Bombardier got bombarded with a data breach and some of its sensitive data was leaked online. Although unfortunate, it’s not very shocking as ransomware attackers are constantly posting stolen information on dedicated leak sites. Google alerts have become a convenient tool for attackers to spread malware on victim systems.
New Threats
New threats are always around the corner. And this week is nothing special. But, something worrying came up. Four new ICS threat actors emerged just like the four horsemen riding into the battlefield. A new malware called Silver Sparrow affecting Apple M1-powered Macs has been uncovered and I’d suggest you get some reading done about it so that you don’t become a victim in the long list of victims.
Four new ICS threat actors—Kamacite, Stibnite, Vanadinite, and Talonite—were identified by Dragos. These groups were spotted targeting energy and manufacturing sectors.
Malicious hackers have started scanning the internet for VMware vCenter servers that are vulnerable to a critical remote code execution vulnerability. The flaw is tracked as CVE-2021-21972 and can be exploited by attackers to execute malicious commands with elevated privileges.
Chinese cyberespionage gang TA413 launched attacks against Tibetan organizations using a malicious Firefox add-on. Dubbed FriarFox, this add-on allowed the hackers to steal Firefox and Gmail browser data, along with delivering malware on infected computers.
A botnet used for cryptocurrency mining activities is abusing Bitcoin blockchain transactions to stay under the radar. As a part of the campaign, the threat actors have been found abusing remote code execution vulnerabilities (CVE-2015-1427 and CVE-2019-9028) in Hadoop Yarn and Elasticsearch.
Botnet operators are abusing VPN servers provided by Powerhouse Management to bounce and amplify junk traffic as part of DDoS attacks. The root cause of the attack is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
Researchers have detected a new variant of MINEBRIDGE RAT that includes new TTPs and social engineering lure. The malware, which is linked to the TA505 threat actor group, uses a job resume theme to attract recipients.
Researchers are warning of recent phishing attacks targeting at least 10,000 Microsoft email users. The emails appear to come from popular mail couriers such as FedEx and DHL Express.
Think tanks in the U.K are warning about a silent stealing fraud that targets online users. The modus operandi of the fraud involves stealing £10 each from 100,000 customers rather than stealing a large amount directly from a bank.
Researchers have demonstrated a new class of attacks called Shadow attacks that could let attackers replace content in digitally signed PDF documents. The attack is successful on 16 PDF viewers, including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular.
Security researchers have discovered a new malware called Silver Sparrow on nearly 30,000 Apple Macs. The malware comes with a mechanism to self-destruct itself.
An ongoing espionage campaign aimed at the defense industry has been tracked by researchers. Tied to the North Korea-based Lazarus group, the attack involves the use of ThreatNeedle malware that exfiltrates sensitive information.