Cyware Daily Threat Intelligence, February 22, 2021


Unpatched zero-day vulnerabilities are gold mines for cybercriminals looking to take control of systems and launch a variety of attacks. One such attack, which affected about 100 companies worldwide, has come under the scanner of researchers. The Clop ransomware operators, in conjunction with the FIN11 group, exploited multiple zero-day vulnerabilities in Accellion's File Transfer Appliance (FTA) to launch the attack in December 2020.

The Chinese threat actor group APT31 took exploitation a step further by cloning a zero-day exploit stolen from the NSA's Equation Group. The replicated exploit, known as Jian, was used between 2015 and 2017. That's not all. Microsoft also disclosed in-the-wild exploitation of a privilege escalation vulnerability in the Win32k kernel component, which was patched this February.

Top Breaches Reported in the Last 24 Hours

Lakehead University affected
Lakehead University, a Canadian undergraduate research university, is dealing with a cyberattack that forced the institution to cut off access to its servers. Although the extent of the attack is unclear, the university said the attack targeted its file-sharing servers.

Breaching 100 companies
Threat actors associated with the Clop ransomware and FIN11 have been held responsible for breaching about 100 companies through Accellion's legacy File Transfer Appliance (FTA). The attacks occurred in mid-December 2020 and exploited multiple zero-day vulnerabilities in the appliance. A previously unseen web shell, DEWMODE, was deployed as part of the attack.

UL attacked
A ransomware attack on Underwriters Laboratories (UL) has forced the shutdown of its systems. It is unclear which ransomware group is behind the attack and whether any unencrypted files were stolen.

Top Malware Reported in the Last 24 Hours

Threat actors leverage Google Alerts
Threat actors are abusing Google Alerts to promote a fake Flash Player updater that installs unwanted programs on victims' computers. The modus operandi: the attackers create fake stories with titles containing popular keywords so that the pages get indexed by Google Search; once indexed, Google Alerts notifies users who follow those keywords and links them to the malicious pages.

New Silver Sparrow malware
Security researchers have discovered a new malware strain, Silver Sparrow, on nearly 30,000 Apple Macs. The malware, which includes a variant compiled natively for Apple's M1 chip, ships with a self-destruct mechanism. Infections have been found in 153 countries, including the U.S., the U.K., Canada, France, and Germany.

Top Vulnerabilities Reported in the Last 24 Hours

Windows zero-day actively exploited
A zero-day vulnerability tracked as CVE-2021-1732 had been exploited in the wild since at least the summer of 2020, before Microsoft patched it in February 2021. It allows a local attacker to elevate privileges to the admin level by triggering a use-after-free condition in the win32k.sys kernel component.

APT31 cloned EpMe exploit
Research has revealed that the Chinese threat actor group APT31 cloned and used the Equation Group's EpMe exploit, a Windows privilege escalation zero-day stolen from the NSA, for years before the underlying flaw was patched. The replicated exploit, dubbed Jian by the researchers, was used between 2015 and 2017.

Python updated
The Python Software Foundation (PSF) has released Python 3.9.2 and 3.8.8 to address two notable security flaws, one of which is remotely exploitable. CVE-2021-3177 is a buffer overflow in the ctypes module's PyCArg_repr() function that can be triggered with a crafted floating-point value. CVE-2021-23336 is a web cache poisoning issue: urllib.parse.parse_qs() and parse_qsl() treated both ';' and '&' as query-parameter separators, so a proxy or cache that splits only on '&' sees a different set of parameters than the Python application behind it. The fix adds a separator argument to both functions that defaults to '&'.
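As an added illustration (not from the original briefing and not CPython's own code), the following script models the CVE-2021-23336 mismatch: a front-end cache that splits the query string on '&' only and leaves tracking parameters out of its cache key, beside a stand-in for the pre-fix parse_qsl() that split on both '&' and ';' (legacy_parse_qsl is a reimplementation written for this example, not the stdlib source), and the patched stdlib behaviour. The unkeyed utm_ prefix, the /search path and the sample query strings are constructed for the example; the patched-path comparison needs an interpreter that has the separator argument (3.9.2, 3.8.8 or later).

```python
"""Model of the CVE-2021-23336 separator mismatch (added example, not page code).

A cache that treats ';' as an ordinary character and drops "unkeyed"
tracking parameters from its cache key sits in front of a Python backend.
Before the fix the backend also split on ';', so one request could be
cached under the same key as benign traffic while the backend rendered
an attacker-controlled parameter the cache never saw.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed for the example: parameter prefixes the cache excludes from its key.
UNKEYED_PREFIXES = ("utm_",)


def split_on_amp_only(qs):
    """Parameter splitting as a typical cache or CDN does it: on '&' only."""
    pairs = []
    for chunk in qs.split("&"):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def cache_key(path, qs):
    """Canonical cache key: path plus the sorted keyed parameters."""
    keyed = [(k, v) for k, v in split_on_amp_only(qs)
             if not k.startswith(UNKEYED_PREFIXES)]
    return (path, tuple(sorted(keyed)))


def legacy_parse_qsl(qs):
    """Stand-in for parse_qsl() before the fix: splits on '&' AND ';'.

    Reimplements the old behaviour for comparison only; not CPython source.
    """
    pairs = []
    for chunk in re.split(r"[&;]", qs):
        if not chunk:
            continue
        key, _, value = chunk.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def fixed_parse_qsl(qs):
    """Patched stdlib behaviour: explicit separator, '&' only."""
    return parse_qsl(qs, separator="&")


def smuggled_params(qs, backend):
    """Parameter names the backend parses that the cache's splitter does not."""
    cache_view = {k for k, _ in split_on_amp_only(qs)}
    backend_view = {k for k, _ in backend(qs)}
    return backend_view - cache_view


def poisoning_possible(path, attacker_qs, victim_qs, backend):
    """True when the attacker's request shares a cache key with the victim's
    request and the backend sees a parameter the cache does not."""
    same_key = cache_key(path, attacker_qs) == cache_key(path, victim_qs)
    return same_key and bool(smuggled_params(attacker_qs, backend))


# Constructed sample: an unkeyed tracking parameter smuggles a 'page' value.
ATTACKER_QS = "utm_content=1;page=%3Cscript%3E"
VICTIM_QS = ""

if __name__ == "__main__":
    print("cache keys equal:",
          cache_key("/search", ATTACKER_QS) == cache_key("/search", VICTIM_QS))
    print("legacy backend sees:", legacy_parse_qsl(ATTACKER_QS))
    print("patched backend sees:", fixed_parse_qsl(ATTACKER_QS))
    print("poisoning with legacy parser:",
          poisoning_possible("/search", ATTACKER_QS, VICTIM_QS, legacy_parse_qsl))
    print("poisoning with patched parser:",
          poisoning_possible("/search", ATTACKER_QS, VICTIM_QS, fixed_parse_qsl))
```

With the legacy splitter the attacker's request keys the same as a plain GET /search yet yields page=&lt;script&gt; to the application, which is exactly the condition a cache-poisoning attack needs; with the patched parser the whole string stays one utm_content value. Applications that deliberately accept ';' should pass separator=';' explicitly and make sure every cache in front of them splits the same way.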


Tags

win32k component
clop ransomware
fin11 apt
apt31 threat actor group
nsas equation group

Posted on: February 22, 2021

