The relentless REvil ransomware is in news for more than one reason and it’s not good :(
Two of these are associated with the attacks on Brazil-based Grupo Fleury and a clothing firm in France named FCUK. The disturbing part is that the GOLD NORTHFIELD threat actor group has repurposed the ransomware’s source code to unleash a new malware called LV ransomware.
Apart from REvil’s terror, there have been reports on multiple phishing campaigns that distributed a variety of trojans, including a newly discovered ChaChi trojan. ChaChi is being used against government organizations and schools in the U.S. Other trojans spotted are the notorious Ursnif that targets the Italian users, and a variant of Agent Tesla that targets Windows users.
Top Breaches Reported in the Last 24 Hours
Grupo Fleury attacked
Brazil-based Grupo Fleury has disclosed an attack by REvil ransomware that led to the disruption of its operations. The company’s systems remain down since the attack. Works are on to restore all the affected resources. In addition to these, the gang has also been held responsible for the attack on clothing firm FCUK.
Top Malware Reported in the Last 24 Hours
Ursnif’s new attack
A variant of Ursnif trojan is being used in the wild to target online banking users in Italy. As a part of the attack, the trojan tricks desktop users into downloading an app from a fake Google Play page to infect their mobile device with the Cerberus malware.
Newly discovered LV ransomware
A new strain of REvil ransomware called LV ransomware is creating waves in cybercrime space. Believed to be a work of GOLD NORTHFIELD, the ransomware uses CRC32 hash to encrypt files. Three ransom payment Tor domains used by the LV gang have been discovered by security experts.
Another campaign of Agent Tesla spotted
A threat actor has been observed utilizing Windows Imaging Format (WIM) attachments to distribute the Agent Tesla trojan. The campaign starts with phishing emails that pretend to be from DHL or Alpha Trans.
New ChaChi trojan
A new ChaChi trojan is being used as a critical part of ransomware operations targeting government organizations and schools in the U.S. The new malware type is capable of performing data exfiltration, backdoor creation, and credential dumping from the Local Security Authority Subsystem Service (LSASS). The trojan is linked to the PYSA ransomware gang.
ReverseRAT attack reported
Asian Power enterprises and government organizations were targeted in an attack campaign that distributed ReverseRAT backdoor. The threat actors used the compromised Windows systems to launch the attack.
Top Vulnerabilities Reported in the Last 24 Hours
New DNS hijack vulnerabilities
A class of new vulnerabilities discovered in AWS Route53 and other DNS services can be abused to leak sensitive information of customers. Researchers found that the vulnerabilities can be exploited via a self-service domain registration system. While the flaw in AWS Route53 has been mitigated, two other DNS-as-a-service providers are yet to fix the flaw.
Weidmueller patches flaws
Weidmueller has patched dozen of vulnerabilities that affect some of its industrial WLAN devices. The security holes impact wireless access point/bridge/client devices running firmware versions prior to 1.16.21 (build 21010513) or 1.11.13 (build 21010513). Some of these flaws, tracked with CVE identifiers CVE-2021-33528 through CVE-2021-33539, can be exploited for privilege escalation, decryption of traffic, arbitrary code, denial of service attacks, and authentication bypass.
Vulnerable Dell computers
Around 30 million Dell computers are affected by multiple vulnerabilities that can enable attackers to remotely execute code in the pre-boot environment. The problem resides in the BIOSConnect feature of Dell SupportAssist. Mitigation measures and security updates to address these flaws have been released by the firm.
VMware issues a patch
VMware announced the availability of patches for an authentication bypass vulnerability in its Carbon Black App Control (AppC) running on Windows machines. The flaw is tracked as CVE-2021-21998 and has a CVSS score of 9.4.
One-click account takeover vulnerabilities
Atlassian has patched account takeover vulnerabilities discovered in its subdomains. Attackers can exploit these flaws by tricking victims into clicking on a malicious link.