Cyware Weekly Threat Intelligence - June 07–11

Weekly Threat Briefing • Jun 11, 2021
The Good
The world can be a bit hard sometimes and that’s why we have this weekly dose of good news from the cyber world. For starters, we have this amazing news in which the U.S. Department of Justice (DoJ) and other law enforcement authorities seized servers belonging to one of the largest online marketplaces for stolen credentials. For entrée, the CISA released best practices for mapping threat actor behavior to the MITRE ATT&CK framework. Dessert comes in the form of approximately $2.3 million in bitcoin ransom seized by the DoJ.
The DoJ seized approximately $2.3 million in BTC that had been paid as ransom to DarkSide, the group behind the Colonial Pipeline attack.
According to Europol, law enforcement authorities made more than 800 arrests in raids at 700 locations worldwide under Operation Trojan Shield, in which police monitored criminals' activities through AN0M, an encrypted chat platform.
One directive from President Joe Biden’s executive order on cybersecurity established a Cyber Safety Review Board (CSRB) in the Department of Homeland Security to investigate major cyber incidents involving government systems.
The CISA released best practices for MITRE ATT&CK mapping. This guide will help analysts map adversary behavior to the MITRE ATT&CK framework while encouraging a common language in threat actor analysis.
The DoJ announced that law enforcement agencies from the U.S., Germany, the Netherlands, and Romania took down Slillpp, the largest online marketplace for stolen credentials. The multinational operation seized the servers that hosted Slillpp’s infrastructure and domain names.
Toshiba researchers successfully transmitted quantum information over 600 kilometers of optical fiber. The development paves the way for secure key exchange over long distances without scrambling the fragile quantum states encoded in the particles.
The Bad
However, threat actors were at it again with their malicious activities this week. Stolen credentials once again proved to be a threat as 8.4 billion passwords were uploaded on a hacker forum. Gaming companies are still under threat from cybercriminals. One such game publisher suffered an attack wherein the source code for some of its games was stolen. Organizations in Ukraine were targeted in a huge spear-phishing campaign conducted by Russian hackers.
Private companies operating in multiple critical infrastructure sectors are being targeted in BEC attacks by scammers impersonating construction companies, warned the FBI.
An attack by the Ragnar Locker ransomware forced the memory and storage manufacturer ADATA to take its systems offline. The attack occurred on May 23, after which the firm took preventive measures to contain the infection.
An ongoing phishing campaign purporting to be from FINRA is targeting users in an attempt to steal personal details. FINRA has recommended users not to click on any link or image from unsolicited emails to stay safe from these attacks.
Around 8.4 billion password entries were disclosed on a popular hacker forum. The compilation, named RockYou2021, is a 100GB TXT file stored in plain text.
Spammers are leveraging online casino websites—Ducky Luck, Raging Bull Casino, and Sports and Casino—to send deceptive emails to users in an attempt to spread malware. These emails lure the victims into believing that they have won the ‘Grand Prize’ and will receive the amount only after they confirm their account.
Ukrainian public and private sectors were targeted in a massive spear-phishing attack carried out by Russian threat actors. The attack was conducted via emails claiming to be from representatives for the Kyiv Patrol Police Department.
A ransomware breach at U.S. constituent engagement software vendor iConstituent impacted at least 60 members of the U.S. Congress, preventing victims from sending emails to their constituents for days.
Hackers stole around 780GB of data from the video game publisher Electronic Arts (EA). The intrusion is under investigation and no player data was accessed, claimed the firm.
A ransomware attack forced the foodservice supplier Edward Don to shut down parts of its network to stop the attack from propagating. The attack disrupted the company's phone systems, network, and email.
New Threats
Ransomware was on our minds as the new BlackCocaine ransomware was found responsible for the attack on Nuclear Software. Diplomatic entities across the Middle East and Africa are in trouble with the emergence of a cyberespionage APT actor whose attacks have been traced back to as early as 2017. Rounding out the week, a pernicious malware strain has been spotted targeting Kubernetes clusters via Windows containers, the first of its kind.