Cyware Daily Threat Intelligence, March 05, 2021

Three more top Russian cybercrime forums have been targeted in a hacking spree. After the breach of the elite Maza hacking forum, reports suggest that an unknown threat actor has gained access to and leaked user data from three other forums, namely Verified, Crdclub, and Exploit. Only time will tell whether a rivalry or a security lapse is behind the breaches.

A new ransomware family is on an attack spree. Named Quoter, the ransomware is the work of the threat actor behind the infamous RTM banking trojan. Traces of the notorious AZORult trojan were found to be associated with a cyberespionage campaign that targeted oil and gas industries in the Middle East. Meanwhile, the ongoing investigation into the SolarWinds supply chain attack has revealed three new malware strains called GoldMax, Sibot, and GoldFinder.

Top Breaches Reported in the Last 24 Hours

Data of passengers affected
IT operator Sita, which serves Star Alliance carriers including Singapore Airlines, Lufthansa, and United, has reported a data breach that affected passenger details. The firm has contacted affected customers and all related organizations about the breach.

Cybercrime forums hacked
Since the beginning of this year, an unknown threat actor has been hacking cybercrime forums and leaking user data publicly or offering it for sale. At least four such forums have been breached to date, namely Verified in January, Crdclub in February, and Exploit and Maza in March. All are predominantly Russian-language forums and saw their breaches publicly disclosed online.

CompuCom affected
CompuCom has suffered an attack by the DarkSide ransomware. The attack on the Office Depot subsidiary followed the theft of administrative credentials.

Top Malware Reported in the Last 24 Hours

AZORult returns
Researchers have traced a campaign from September 2020 that targeted oil and gas supply chain industries in the Middle East. Threat actors behind the campaign had used the infamous AZORult trojan to infect organizations and steal sensitive data.

New Quoter ransomware on a spree
The threat actor behind the infamous RTM banking trojan is using the newly discovered ransomware family called Quoter as part of its triple-threat strategy. The attack campaign, which has been active since December 2020, starts with the distribution of the RTM trojan. Should the money-stealing tactics of the trojan fail, the attackers begin deploying the Quoter ransomware.

New malware from the SolarWinds attack
Microsoft and FireEye have revealed information on three new malware strains from the devastating SolarWinds hack. The newly discovered malware are GoldMax, Sibot, and GoldFinder. All three are associated with the Nobelium hackers, who used the Sunburst backdoor and Teardrop malware in the same attack.

Top Vulnerabilities Reported in the Last 24 Hours

PoC for RCE flaw released
A working Proof-of-Concept (PoC) is now publicly available for SIGRed, an RCE vulnerability affecting Windows DNS Server. Microsoft had issued security updates for the flaw, tracked as CVE-2021-1350, in July 2020, along with a registry-based workaround to protect affected Windows servers from attacks.

Fixes released for TrickBoot attacks
Supermicro and Pulse Secure have released fixes for their motherboards that are vulnerable to TrickBot’s UEFI firmware-infecting module, known as TrickBoot. When executed, the module analyzes a device’s UEFI firmware to determine whether ‘write protection’ is disabled and can then read, write, and erase the firmware.

Update on exploitation of zero-day flaws
An ongoing investigation into the active exploitation of four Microsoft Exchange zero-day flaws has revealed attacks against local U.S. government agencies.

Top Scams Reported in the Last 24 Hours

New social engineering trick
Cybercriminals are actively sharing tips and advice on new social engineering tricks to bypass the 3D Secure (3DS) protocol and commit payment fraud. Designed to target smartphone users, the trick can intercept 2FA codes sent to shoppers. Other scams designed to circumvent 3DS include phishing pages used to harvest static passwords and the use of PayPal.

Phishing campaign
A phishing campaign targeting users of Outlook Web Access and Office 365 services pilfered thousands of credentials by using compromised SendGrid accounts. The campaign used Zoom invites as a lure to attract recipients.

Posted on: March 05, 2021