Go to listing page

Cyware Daily Threat Intelligence, February 11, 2021

Cyware Daily Threat Intelligence, February 11, 2021

Share Blog Post

Government agencies have always been a hot target for cybercrime. The latest targets in this regard are agencies in UAE and Kuwait. Believed to be carried out by the Iranian threat actor group, MuddyWater, the attack campaign involves the installation of a malicious ScreenConnect remote management tool that includes malware and URLs masquerading as the Ministry of Foreign Affairs.

Besides, CD Projekt Red is facing persistent threats as the source code of some of its popular games - Witcher 3, Thronebreaker, and Cyberpunk 2077 - have been allegedly put on auction by threat actors. A new instance of an obfuscation technique has also emerged in the last 24 hours. This is related to the BazarBackdoor, which has been re-written in the Nim programming language with the purpose to evade detection by security software.

Top Breaches Reported in the Last 24 Hours

MNH attacked
French health insurance company Mutuelle Nationale des Hospitaliers (MNH) has suffered an attack from RansomExx ransomware. This has severely disrupted the company’s operations. The attackers have demanded a ransom to release the decryption key for encrypted files.

Auction of Cyberpunk code
Threat actors are auctioning the alleged source code for CD Projekt Red games including The Witcher 3, Thronebreaker, and Cyberpunk 2077. As part of the double extortion attempt, the attackers had released the source code of Gwent on a hacking forum and threatened to release more data if their ransom demand was not settled.

Government agencies targeted
UAE and Kuwait government agencies are targets of a new cyberespionage campaign potentially carried out by the Iran-based MuddyWater threat actor group. The objective of the campaign is to install a remote management tool called ScreenConnect, customized with malware samples and URLs masquerading as the Ministry of Foreign Affairs.

Top Malware Reported in the Last 24 Hours

Hornbill and SunBird
Researchers have uncovered two malware families called Hornbill and Sunbird targeting military, nuclear, and election entities in India and Pakistan. The two malware are capable of exfiltrating SMS messages, encrypted messaging app content and geolocation, and other sensitive information. Hornbill and SunBird both have similarities and differences in the way they operate on an infected device.

BazarBackdoor evolves
BazarBackdoor malware has been rewritten in the Nim programming language with a purpose to evade detection by security software. Once a computer becomes infected, BazarBackdoor is used to provide the threat actors remote access to the computer to spread laterally throughout a network.

Top Vulnerabilities Reported in the Last 24 Hours

SAP addresses a critical flaw
SAP is warning of a critical vulnerability in an application used by e-commerce businesses. The vulnerability, tracked as CVE-2021-21477, affects SAP commerce versions 1808, 1811, 1905, 2005, and 2011. It scores 9.9 on the CVSS scale.

Siemens patches 21 flaws
Siemens has released advisories for 21 security holes affecting JT2Go, a 3D viewing tool for JT data (ISO-standardized 3D data format), and Teamcenter Visualization. An attacker can exploit them for arbitrary code execution, data extraction, and DoS attacks. Many of the issues affect Siemens products due to their use of the Open Design Alliance (ODA) Drawings SDK.

Intel patches 19 flaws
Intel has announced the release of updates that patch 19 vulnerabilities found across its products. The list of high-severity flaws includes a privilege escalation issue in the Intel Solid State Drive (SSD) Toolbox, and a denial-of-service (DoS) flaw in the XMM 7360 Cell Modem.

 Tags

mutuelle nationale des hospitaliers mnh
sunbird
screenconnect
hornbill
bazarbackdoor malware
cyberpunk code

Posted on: February 11, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.