Cyware Weekly Threat Intelligence - May 17–21

Weekly Threat Briefing • May 21, 2021
The Good
As we wait for the return of normalcy in our lives, we need the good things in life, like the smell of freshly brewed coffee and news of ransomware gangs shutting down operations. Yes, that happened! Another notorious ransomware actor shut up shop and we are cheering! In other news, the CISA announced a new initiative to tackle security flaws a layer beneath the operating system.
The Qlocker ransomware gang shut down its operation after earning $350,000 in a month. The ransomware was infamous for exploiting vulnerabilities in QNAP devices.
Researchers released a decryptor for Judge ransomware that also decrypts files encrypted by the very similar NoCry ransomware. The ransomware creates a mutex to prevent multiple instances from running in parallel, includes sandbox detection, and deletes system restore points.
Officials from the U.S. CISA announced a new initiative to fight firmware vulnerabilities, which have made up more than 2.5% of the entries in the National Vulnerability Database over the last five years.
The Biden Administration ordered an overhaul that focuses on cybersecurity spending, including helping companies upgrade cybersecurity measures as part of its $2.3 trillion infrastructure spending.
Microsoft released an open-source lab environment SimuLand that will help test and strengthen Microsoft 365 Defender, Azure Sentinel, and Azure Defender against real attack scenarios.
The Bad
However, the respite is short-lived. The week saw an unnerving case of mixed-up video feeds caused by an internal server flaw. Although poorly secured databases keep getting buried under other attacks, they continue to be a massive pain point for organizations: more than 20 apps were found leaking the personal information of tens of millions of users. It would be an injustice to end this blurb without talking about scams. This time, families of missing people came onto the radar of scammers.
Personal data—names, email addresses, dates of birth, chat messages, location, and payment details—of over 100 million Android users was exposed due to unprotected databases used by 23 apps. Some of the apps are Logo Maker, Astro Guru, and T’Leva.
An internal server bug in Eufy home security cameras enabled strangers to view, pan, and zoom in on victims’ home video feeds.
Australian digital real estate business Domain Group fell victim to a phishing attack that targeted its users by asking them to pay a deposit to secure rental property on a website nominated by the scammer.
Most of the IT services of New Zealand’s Waikato District Health Board (DHB) were knocked offline following a ransomware attack. As a result, patient notes became inaccessible, clinical services were disrupted, and surgeries postponed.
Meal kit delivery scams impersonating well-known companies like Gousto and HelloFresh have surged. The scam leverages SMS and WhatsApp messages to reach its targets.
Taxpayers in South Korea, Australia, and the U.S. are being targeted in a phishing campaign pretending to be accounting ledgers. The campaign is used to distribute RATs.
The FBI warned about scammers actively targeting the families of missing persons, demanding quick payments of between $5,000 and $10,000. The scammers mine social media posts to gather information about the missing person.
Avaddon ransomware gang added Acer Finance to its list of victims. The gang gave the firm 240 hours for negotiation before it starts leaking the stolen valuable company documents.
A pair of attacks hit Toyota. The first struck Daihatsu Diesel, a subsidiary of Toyota; the second was launched against Auto Parts Manufacturing Mississippi, another subsidiary.
Betenbough Homes fell victim to an attack by REvil ransomware, following which the threat actor added the attack to its data leak site.
New Threats
Leaked source code serves as a base for the development of many new malware strains. One such instance this week was the new Simps botnet, built using code from Mirai and Gafgyt. The MountLocker ransomware got a pretty nasty update and has come back with enhanced capabilities. Also this week, Magecart threat actors made news (again).