Cyware Weekly Threat Intelligence, March 01 - 05, 2021

Weekly Threat Briefing • March 5, 2021
The Good
We hope you have your cuppa ready and have made yourself comfortable on your couch, bed, or that ergonomic chair. This week has showered some really good news on the cybersecurity community and we want you all to enjoy it as much as we did. Small businesses in the UK don’t have to worry anymore about their cybersecurity posture as help has arrived. On the other side of the pond, the NSA released a document that states the importance of zero trust within networks and how it can benefit organizations.
The Bad
We don’t really have a better way to put this - we have had way too many data breaches this week. The Accellion FTA flaws keep claiming more victims. Databases are still not secured properly. When will human errors reduce? Ringostat and Mariana Tek suffered breaches due to unsecured storage servers. For more of the bad news, please read on.
New Threats
It seems that cybercriminals have started taking the idea of recycling seriously. No, not in an environmental context, but in the context of malware code. Just when you thought that we were probably moving on from the SolarWinds attack, researchers have managed to baffle us yet again with the discovery of three more malware variants. Also, Ursnif made a comeback and has launched attacks on Italian banks. Why Italy? We don’t know.
Three more malware strains—GoldMax, Sibot, and GoldFinder—related to the SolarWinds supply chain attack have been discovered by Microsoft and FireEye. These tailor-made malware strains were introduced after the threat actor had gained access to specific networks.
The Ursnif Trojan has been traced back to attacks against at least 100 banks in Italy. These attacks led to the loss of credentials and financial data. In one case, an unnamed payment processor had over 1,700 sets of credentials stolen.
The Lazarus Group has been found using its MATA malware framework to deploy TFlower ransomware. The campaign using this ransomware has targeted a dozen victims for data exfiltration or extortion.
Scammers are targeting investors in a sophisticated BEC scam with an average payout of $809,000. The scam begins with a phishing email that asks the targeted investors to send money under the pretext of fake ‘capital call’ notices.
A new imposter scam that impersonates the Inspector General for SSA has been found tricking users into handing over their personal information.
New research reveals that the SunCrypt ransomware shares similarities with QNAPCrypt ransomware, which targets Linux-based file storage systems. The investigation found that QNAPCrypt and an early version of SunCrypt share identical code logic for file encryption.
Threat actors are leveraging Search Engine Optimization (SEO) techniques in a newly found Gootloader campaign to distribute malware to as many victims as possible. The technique has spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.
Researchers have traced a cyberespionage campaign that distributes ObliqueRAT malware. The Trojan is distributed disguised as benign image files on hijacked websites and is used against organizations in South Asia.
Threat actors are targeting Amazon, Zillion, Lyft, and Slack Node.js apps using a new Dependency Confusion vulnerability to steal Linux/Unix password files and open reverse shells.
A new variant of Ryuk ransomware that includes self-propagation capabilities has been uncovered by researchers. It uses privileged accounts and Windows domain-joined machines solely for propagation.