
Cyware Weekly Threat Intelligence, March 29 - April 02, 2021


Weekly Threat Briefing Apr 2, 2021

The Good

As ransomware becomes a national security threat, the DHS plans to launch cyber sprints with an aim to address ransomware and other cybersecurity-related issues. With guest personal information and credit card data becoming an attractive target for hackers, the NIST issued a cybersecurity guide to protect hotel property management systems. Moreover, the U.S. National Counterintelligence and Security Center is initiating a call-to-action campaign to spread awareness about supply chain threats and mitigation.

  • The DHS will engage in a series of 60-day cyber sprints to focus on ransomware, cybersecurity workforce, and defense of industrial control systems, transportation systems, and election infrastructure. The first sprint will address ransomware, which poses a national security threat.

  • The NIST published a cybersecurity guide for the hospitality industry to help hotels reduce security risks related to property management systems. The guide lists security suggestions and recommendations for using commercially available products to better protect guest privacy and payment card information.

  • The U.S. National Counterintelligence and Security Center is raising awareness of supply chain threats and warning against the foreign hackers that are increasingly targeting government vendors and suppliers in an effort to steal intellectual property.

  • The U.S. Cyber Command and the DHS are preparing to publish a Malware Analysis Report (MAR) that sheds light on 18 pieces of malicious code allegedly employed by Russian hackers in SolarWinds espionage.

  • President Joe Biden sent a letter to the House and the Senate to extend an executive order regarding sanctions issued in response to cyberattacks. It also enables authorities to block the property of entities engaging in “significant malicious cyber-enabled activities.”

The Bad

This week scammers turned to phishing, fraudulent campaigns, and fake accounts. While a large spearphishing campaign impersonated the MacKenzie Bezos-Scott grant foundation to lure victims with the promise of financial benefits, ongoing fraudulent campaigns have been targeting major Indonesian banks to embezzle customers’ money. On the other hand, North Korean hackers set up a fake company website and associated Twitter and LinkedIn accounts to entice security professionals into a cyberespionage trap.

  • A massive phishing campaign impersonated the MacKenzie Bezos-Scott grant foundation, promising financial benefits to recipients in exchange for a processing fee.

  • Network device maker Ubiquiti has confirmed being a target of an extortion attempt following a security breach in January. According to the company, no customer data has been compromised.

  • North Korean threat actors have set up a website for a fake company called SecuriElite, along with associated Twitter and LinkedIn accounts, to lure security professionals into a cyberespionage trap. The campaign is similar to the one observed in January that had targeted security researchers.

  • An ongoing fraudulent campaign has been found targeting major Indonesian banks to steal customers’ money. To lure victims, cybercriminals pose as bank representatives or customer support team members on Twitter and so far have created over 1,600 fake Twitter accounts as part of the campaign.

  • Apart from the University of Maryland and the University of California, the Clop ransomware gang has released data from four more universities. The impacted universities include the Yeshiva University, Stanford University, the University of Miami, and the University of Colorado Boulder.

  • An unsecured Microsoft Azure Blob belonging to one of the largest charities in New York has exposed more than 2,000 CSV and TXT files that included entries related to patients’ PII. The leaked files include 13,000 entries on vaccines, administration dates, vaccine types, products, and expiration dates.

  • London-based Harris Federation has been severely affected by a ransomware attack, leaving 37,000 students from London and surrounding areas with no connection to IT, phone, and email systems. However, the organization has taken the necessary steps to block the ransomware from spreading further.

  • After hitting Shell, the Clop ransomware gang publicly leaked passport and visa scans of selected workers as part of the extortion attempt. Earlier this month, the oil giant’s system was compromised after attackers gained unauthorized access to various files.

  • In another extortion attempt, the Clop ransomware gang posted screenshots of confidential documents online allegedly belonging to the University of Maryland and the University of California. These screenshots included sensitive information such as photos, names, home addresses, social security numbers, immigration status, and dates of birth of individuals.

  • New York-based Personal Touch Holding Corp. declared a data breach that affected more than 753,000 patients, employees, and former workers. The breach stemmed from a ransomware attack that was executed on its cloud service provider.

  • Steam users reported a scam that warns them of their Steam accounts being suspended. The scam, which plays on the fear and curiosity of users, is aimed at harvesting credentials.

  • PHP programming language developers suffered a supply chain attack through their Git server. Two malicious commits imitating the signatures of known PHP developers and maintainers were pushed to the php-src Git repository on the git.php.net server.

  • Australia’s Channel Nine TV network suffered a cyberattack that disrupted its live broadcast and halted several shows from being on air.

  • The email accounts of the members of the German Parliament were targeted in a spearphishing attack. A Russia-linked threat group called Ghostwriter is believed to be behind the attack.

  • While analyzing Docker Hub, Unit 42 researchers found 30 malicious images that were downloaded a total of 20 million times. These images were being used as part of a cryptojacking operation worth $200,000.

New Threats

Vulnerabilities and new malware were in the limelight this week. A flaw has been identified in Airlift Express’ E-commerce store, which could result in account hacks and abuse by cybercriminals. Furthermore, a new malware operation, dubbed BazarCall, has been discovered that deploys Windows malware via call centers. Another malware that grabbed security researchers' attention is a new Android spyware that is capable of hiding itself and exfiltrating user data.

  • An OTP vulnerability discovered in Airlift Express could lead to account hacks and abuse by cybercriminals. The flaw, which resides in Airlift Express’ E-commerce store, was fixed after it was reported by security experts.

  • The U.S. DOJ has warned of phishing attacks that use fake post-vaccine surveys to steal money from people. Threat actors promise potential victims cash or prizes in return for filling out the survey.

  • Scammers are impersonating stock-trading broker Robinhood in a newly found phishing campaign aimed at stealing user credentials and spreading malware. The campaign leverages phishing emails that include fake tax documents.

  • Researchers have outlined a privilege escalation issue in the popular website CMS Umbraco. The problem resides in an API endpoint and can allow threat actors to view data on affected websites. The issue has been observed in Umbraco versions 8.9.0 and 8.6.3.

  • Security researchers discovered a new malware operation, dubbed BazarCall, that uses call centers to distribute some of the most dangerous Windows malware families.

  • Gamers are being targeted with backdoor malware—disguised as game tweaks, patches, and cheats—to steal information from infected systems. Threat actors are using social media channels and YouTube to advertise their malware-laced game tools.

  • Citrix issued patches for security flaws affecting its Hypervisor. The flaws could allow attackers to execute arbitrary code on virtual machines. Both vulnerabilities impact all currently supported Hypervisor versions, including version 8.2 LTSR.

  • A money-laundering fraud ring, dubbed Cart Crasher, is targeting donation sites to steal money and launder stolen payment cards, taking advantage of the charity drive sparked by the pandemic.

  • New York’s Department of Financial Services (DFS) warned of an ongoing series of attacks that result in the theft of personal information from New Yorkers. Companies targeted by these attacks have been asked to take immediate action to protect New Yorkers’ data.

  • Researchers disclosed details about three new malicious payloads—SodaMaster, P8RAT, and FYAnti—deployed by the Stone Panda threat group. The ultimate purpose of this malware is to exfiltrate information from a number of sectors in Japan.

  • Security researchers spotted fake versions of the jQuery Migrate plugin—used by over 7.2 million WordPress sites—inserted into dozens of websites, with the fake files containing obfuscated code that delivers malware.

  • VMware issued patches for two vulnerabilities that could lead to the theft of administrator credentials in vRealize. Tracked as CVE-2021-21983 and CVE-2021-21975, the flaws are related to arbitrary code execution and server-side request forgery, respectively.

  • The IRS is warning of ongoing phishing attacks that impersonate the agency in order to target educational institutions. The attack uses tax refund payment baits to lure university staff and students.

  • Two new vulnerabilities discovered in Linux-based operating systems could let attackers bypass mitigations for speculative Spectre attacks and obtain sensitive information from kernel memory. The flaws are tracked as CVE-2020-27170 and CVE-2020-27171, patches for which were issued on March 20.

  • Security researchers discovered a new Android spyware that poses as an app called “System Update.” The malware is capable of hiding itself and exfiltrating various user data. It can also record calls and ambient sound from the microphone, and take photos using the phone’s camera.

  • A group of researchers disclosed a flaw in the popular netmask networking library, an NPM package with over 238 million downloads. The vulnerability, tracked as CVE-2021-28918, stems from the way netmask processes a dotted-decimal IPv4 address in which an octet has a leading zero.

  • Apple released security updates in the form of iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 to patch a zero-day vulnerability that is being actively exploited in the wild. Tracked as CVE-2021-1879, the vulnerability was discovered in the WebKit browser engine and can allow attackers to launch universal cross-site scripting attacks.

  • Two high-severity security flaws, tracked as CVE-2021-3449 and CVE-2021-3450, in OpenSSL 1.1.1 could be exploited to carry out denial-of-service attacks and bypass certificate verification. The maintainers have released OpenSSL 1.1.1k to fix the two flaws.
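The netmask item above attributes the flaw to how the library handled an IPv4 octet with a leading zero. The root of that class of bug is that "0127.0.0.1" has no single meaning: a parser that reads every octet as decimal sees 127.0.0.1, while many C library routines such as inet_aton read a leading zero as octal and see 87.0.0.1, so an allow-list or block-list check can disagree with the socket layer that actually connects. The code below is an added example written for this briefing; it is not netmask's code, not the researchers' proof of concept, and every function name in it is an assumption. It shows the defensive choice a practitioner would want: a strict parser and CIDR containment check that reject non-canonical octets outright, plus a classifier that reports when the two lenient readings diverge, which is useful for flagging such inputs in logs.

```javascript
// Added example (not netmask's code). Function names are assumptions.
// Strict IPv4 parser: exactly four octets, decimal only, no leading zeros,
// each in 0..255. Returns an array of octets or null.
function parseIPv4Strict(text) {
  const parts = String(text).split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    // "0" is fine; "01", "0127", "" and "1a" are not canonical decimal.
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Lenient parser used only for diagnostics: a leading zero selects
// `leadingZeroRadix` (8 mimics inet_aton-style parsers, 10 mimics a
// decimal-only parser). Returns octets or null.
function parseLenient(text, leadingZeroRadix) {
  const parts = String(text).split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^[0-9]+$/.test(p)) return null;
    const hasLeadingZero = p.length > 1 && p[0] === '0';
    const radix = hasLeadingZero ? leadingZeroRadix : 10;
    // An octal reading must only contain digits 0-7 ("08" is not octal).
    if (radix === 8 && !/^0[0-7]+$/.test(p)) return null;
    const n = parseInt(p, radix);
    if (Number.isNaN(n) || n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Classify an input: 'canonical' (safe to use), 'ambiguous' (the decimal and
// octal readings disagree), 'non-canonical' (odd spelling but same value
// either way) or 'invalid'.
function classify(text) {
  const strict = parseIPv4Strict(text);
  if (strict) return { verdict: 'canonical', octets: strict };
  const dec = parseLenient(text, 10);
  const oct = parseLenient(text, 8);
  if (dec && oct) {
    const d = dec.join('.');
    const o = oct.join('.');
    if (d !== o) return { verdict: 'ambiguous', decimal: d, octal: o };
    return { verdict: 'non-canonical', value: d };
  }
  return { verdict: 'invalid' };
}

// Pack four octets into an unsigned 32-bit integer.
function ipv4ToInt(octets) {
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}

// CIDR containment check built on the strict parser. Returns true/false, or
// null when either side is not canonical, so the caller fails closed instead
// of guessing which reading the kernel will use.
function cidrContains(cidr, ipText) {
  const [base, bitsText] = String(cidr).split('/');
  const baseOctets = parseIPv4Strict(base);
  const ipOctets = parseIPv4Strict(ipText);
  if (!baseOctets || !ipOctets) return null;
  if (!/^([0-9]|[12][0-9]|3[0-2])$/.test(bitsText)) return null;
  const bits = Number(bitsText);
  // JS shifts mod 32, so /0 needs a special case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipv4ToInt(baseOctets) & mask) === (ipv4ToInt(ipOctets) & mask);
}

// Usage with constructed sample inputs (not taken from the advisory):
for (const sample of ['127.0.0.1', '0127.0.0.1', '010.0.0.1', '00.0.0.1', '1a.b.c.d']) {
  console.log(sample, JSON.stringify(classify(sample)));
}
console.log('10.0.0.0/8 contains 10.1.2.3:', cidrContains('10.0.0.0/8', '10.1.2.3'));
console.log('10.0.0.0/8 contains 010.0.0.1:', cidrContains('10.0.0.0/8', '010.0.0.1'));
```

The design choice is that `cidrContains` returns `null` rather than a boolean for any input the strict parser rejects; an allow-list that treats `null` as "deny" cannot be steered by a spelling the network stack will interpret differently, and the `classify` verdicts give a monitoring pipeline a simple signal for counting how often such inputs show up.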
