Go to listing page

Cyware Daily Threat Intelligence, March 04, 2021

Cyware Daily Threat Intelligence, March 04, 2021

Share Blog Post

Organizations are strongly advised to update all Microsoft Exchange Servers to the latest versions as new details about the exploitation of four zero-day vulnerabilities have emerged. Earlier Microsoft had claimed that the HAFNIUM group conducted the exploitation, but new telemetry reveals that multiple hacker groups such as LuckyMouse, Tick, and Calypso are also abusing these flaws to launch attacks.

The Lazarus group is back in a new form, deploying TFlower ransomware against dozens of organizations. The ransomware is distributed using a MATA malware framework. The Ursnif trojan has also made a comeback in a new cyberespionage campaign targeting 100 banks in Italy.

Top Breaches Reported in the Last 24 Hours

Maza underground forum affected
The Russian-speaking Maza cybercriminal forum has reportedly suffered a data breach leading to the leak of user data. The forum has been used to sell stolen financial data and payment card information and discuss topics, such as malware, exploits, spam, and money laundering, among others. Roughly 2,000 accounts have been exposed as a result of the breach.

Adecco hit
Switzerland-based Adecco Group had fallen victim to a security breach incident after a database containing 5 million records was put for sale on a hacking forum. The exposed records included full names, gender, dates of birth, marital status, and email addresses of users.

Navajo Nation attacked
Navajo Nation hospital is recovering from a ransomware attack that affected the sensitive details of its employees. Details about the attack are scarce. However, reports say that the malware knocked staff off their computers, forcing them to revert to pen and paper.

Qualys becomes a victim
Qualys is the latest victim of the data breach that occurred due to zero-day flaws in Accellion FTA. The incident has affected over 100 companies that used legacy file-transfer software from Accellion.

Top Malware Reported in the Last 24 Hours

Ursnif trojan makes a comeback
The Ursnif trojan has been traced back to attacks against at least 100 banks in Italy. These attacks led to the loss of credentials and financial data. In one case, an unnamed payment processor had over 1,700 sets of credentials stolen. Researchers have found usernames, passwords, credit cards, banking, and payment information harvested by the malware.

TFlower ransomware’s new connection
The Lazarus Group has been found using its MATA malware framework to deploy TFlower ransomware. The campaign using this ransomware has targeted a dozen victims for data exfiltration or extortion.

Top Vulnerabilities Reported in the Last 24 Hours

Update on Microsoft’s zero-day attacks
It was just yesterday that Microsoft had reported that four zero-day vulnerabilities found in its Exchange Servers were actively exploited by the HAFNIUM threat actor group in several targeted attacks. However, new telemetry from ESET suggests that several other threat actor groups are also involved in the abuse of at least SSRF vulnerability (CVE-2021-26855) to compromise servers. Most of the targets of these attacks are located in the U.S, Europe, Asia and the Middle East. Among the groups identified are LuckyMouse, Tick, and Calypso. 

Vulnerable Linux OS
Five similar vulnerabilities found in the kernel of Linux operating systems can allow attackers to escalate local privileges on a victim’s network. These flaws could also allow attackers to potentially steal data, run administrative commands, or install malware on operating systems or server applications.

Flawed WiFi Mouse app
An unpatched flaw in the WiFi Mouse app can allow attackers to take control of users’ systems. The flaw is related to poor password and PIN security required by the Windows Desktop application.

Snort vulnerability
Several products from Cisco are exposed to DoS attacks due to a vulnerability in the Snort detection engine. The flaw, tracked as CVE-2021-1285, can be exploited by sending specially crafted Ethernet frames. The issue has been fixed in version 2.9.17 of the Snort Detection Engine.

Top Scams Reported in the Last 24 Hours

BEC scam
Scammers are targeting investors in a sophisticated BEC scam for massive payouts. The scam begins with a phishing email that asks the targeted investors to send money under the pretext of fake ‘capital call’ notices. To make it look convincing, the email appears to come from a vendor and includes a document demanding payment for the fake investment. Researchers explain that the average payout in the scheme stands at $809,000.

Imposter scam
A new imposter scam that impersonates the Inspector General for SSA has been found tricking users into handing over their personal information. According to the Office of Inspector General (OIG), the scam has been updated to include the use of fake IDs designed to look like those used by fFederal employees.


navajo nation
maza cybercriminal forum
adecco group
luckymouse apt group
lazarus group
mata malware framework

Posted on: March 04, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.