Cyware Daily Threat Intelligence, July 23, 2021

Faking is a deliberate tactic for cybercriminals. While Phoenix CryptoLocker operators breached the network of an insurance company using a fake browser update served from a legitimate website, other attackers emailed fake patches for a supposed new Chrome vulnerability.

Attackers were also on a malware spree. On one hand, cybercriminals abused Discord to host, disseminate, and control malware targeting its users; on the other, an APT group distributed an Android Trojan via the Syrian e-government portal. Ahead of the Tokyo Olympics, Olympics-themed wiper malware was discovered targeting Japanese computers.

Top Breaches Reported in the Last 24 Hours

Kaseya gets a decryptor
Kaseya obtained a decryption key from a trusted third party to restore its own and its customers' systems that were compromised in a ransomware attack earlier this month. The decryptor will be used to assist the roughly 1,500 companies affected by the attack, which was allegedly conducted by the Russia-based REvil ransomware gang.

Saudi Aramco faces cyber extortion
Data leaked from Saudi Arabia's state oil giant, Saudi Aramco, which likely originated from one of its contractors, is now being used in a cyber extortion attempt. Reportedly, the extortionist holds 1 TB of Aramco data and is demanding a $50 million ransom.

CNA’s network breach via fake browser update
Phoenix CryptoLocker operators breached the network of the U.S. insurance company CNA Financial, stole data, and deployed ransomware payloads in an attack in March 2021. Initial access was gained by compromising an employee's workstation with a fake browser update delivered through a legitimate website.


Top Malware Reported in the Last 24 Hours

Malware abuses Discord
According to Sophos, more than half of the network traffic generated by malware uses TLS encryption, and 20% of that is malware communicating with legitimate online services. Moreover, 4% of all TLS-protected malware downloads originate from Discord, whose CDN is abused to host payloads.
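Because Discord's CDN is a legitimate, TLS-protected service, a plain domain blocklist is rarely an option; a more practical check is to flag executable or script downloads from that CDN in proxy logs. The following is an added example (not from the Cyware briefing or the Sophos report): it assumes a simple space-separated proxy log format constructed for the example, and assumes that Discord attachments are served from cdn.discordapp.com and media.discordapp.net.

```python
"""Flag proxy-log requests that fetch executable content from Discord's CDN.

Added example, not code from the Cyware briefing or Sophos. The log format,
the sample log lines and the CDN host names below are assumptions.
"""
import os.path
from urllib.parse import urlparse

# Assumed hosts that serve Discord attachments (not stated on the page).
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Extensions treated as executable or script payloads.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".hta", ".js", ".vbs",
                   ".ps1", ".msi", ".bat", ".jar"}

# Content types that identify a Windows executable regardless of extension.
EXEC_CONTENT_TYPES = {"application/x-msdownload", "application/x-dosexec",
                      "application/vnd.microsoft.portable-executable"}

# Constructed sample log: timestamp client method url status content-type bytes
SAMPLE_LOG = """\
2021-07-22T10:01:02Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/222/invoice.exe 200 application/x-msdownload 310000
2021-07-22T10:01:09Z 10.0.0.5 GET https://cdn.discordapp.com/attachments/111/223/photo.png 200 image/png 54000
2021-07-22T10:02:11Z 10.0.0.7 GET https://example.com/downloads/tool.exe 200 application/x-msdownload 120000
2021-07-22T10:03:40Z 10.0.0.9 GET https://media.discordapp.net/attachments/111/224/update.hta 200 application/octet-stream 2000
2021-07-22T10:04:00Z 10.0.0.9 GET https://cdn.discordapp.com/attachments/111/225/notes.txt 404 text/plain 0
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, method, url, status, ctype, size = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype, "size": int(size)}


def is_discord_cdn(url):
    """True when the request host is one of the assumed Discord CDN hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host in DISCORD_CDN_HOSTS


def looks_executable(url, ctype):
    """True when the path extension or the content type indicates a payload."""
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return ext in EXEC_EXTENSIONS or ctype.lower() in EXEC_CONTENT_TYPES


def find_discord_payload_downloads(log_text):
    """Return the successfully completed payload fetches from the Discord CDN."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # skip malformed lines and fetches that did not succeed
        if is_discord_cdn(rec["url"]) and looks_executable(rec["url"], rec["ctype"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_discord_payload_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched {hit['url']} ({hit['ctype']})")
```

On the constructed log this flags the invoice.exe and update.hta fetches and ignores the image, the non-Discord download, and the failed (404) request. Content-type checks alone are not enough, since CDNs commonly return application/octet-stream for any attachment, which is why the extension list is consulted as well.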

APT hackers spread Android Trojan
StrongPity (also known as Promethium), an APT actor active since 2012 that has focused on targets in Syria and Turkey, has been tracked in a new campaign deploying Android malware via the Syrian e-Government web portal, showing updated tactics for compromising victims.

Wiper malware attacks Japanese PCs
The Japanese security firm Mitsui Bussan Secure Directions (MBSD) discovered an Olympics-themed wiper malware sample that targets Japanese PCs and destroys files on them. Rather than deleting all of a system's data, the malware searches for specific files located in the user's personal Windows folder and wipes those. The sample was discovered two days ahead of the Tokyo 2021 Olympics opening ceremony.


Top Vulnerabilities Reported in the Last 24 Hours

Vulnerabilities in WAGO industrial systems
An analysis by Claroty's Team82 found vulnerabilities in WAGO industrial systems, which use cloud-based automation for OT. The four bugs span two WAGO components: the WAGO PFC iocheckd service (CVE-2021-34566, CVE-2021-34567, and CVE-2021-34568) and the WAGO PFC diagnostic tools (CVE-2021-34569). If exploited, these vulnerabilities could give an attacker control over industrial operations and equipment.


Top Scams Reported in the Last 24 Hours

Fake Chrome patches
The Cofense Phishing Defense Center (PDC) detected an email carrying an HTML Application (HTA) file attachment that purports to deliver a patch for a new Chrome vulnerability. After opening the attachment, the user lands on a payload site with a Chrome logo and a loading GIF that gives the impression of a legitimate download.

Phishing via Milanote
Cybercriminals are abusing the Milanote app to launch credential-stealing campaigns that can bypass secure email gateways. According to Avanan analysts, 95.5% of recent emails that referenced Milanote were phishing.

Tags

android trojan
phoenix cryptolocker ransomware
fake chrome update
saudi aramco
discord cdn
data wiper
wago pfc200

Posted on: July 23, 2021

