
Cyware Daily Threat Intelligence, March 26, 2021

Ransomware gangs are getting faster at encrypting networks, leaving defenders less time to stop them. New variants of the Hades and REvil ransomware have emerged recently to generate more profit for their operators. The new Hades version is being used in the wild against U.S. organizations, while the new REvil variant can reboot Windows devices after the encryption process completes.

Details of a newly discovered strain of Phoenix CryptoLocker ransomware have also surfaced in connection with the recent attack on insurance company CNA. The ransomware is probably a creation of the Evil Corp gang.

There is some good news for victims of Mamba ransomware: experts have found a flaw in the malware’s encryption process that may allow encrypted files to be recovered.

Top Breaches Reported in the Last 24 Hours

RDC’s data breached
The Dutch company RDC has confirmed a data breach that exposed the personal and vehicle details of millions of Dutch car owners. The leaked data is now on sale on a well-known cybercrime forum.

Astoria affected
Several databases belonging to the Astoria Company LLC have been leaked on the Dark0de market by the ShinyHunter hacking group. The data listed for sale includes details of 40 million U.S. citizens.

Update on CNA attack
New details reveal that the attack on CNA was launched using a new Phoenix CryptoLocker ransomware variant, which is possibly linked to the Evil Corp hacking group. Sources disclosed that the ransomware was deployed on over 15,000 devices in the CNA network.

Top Malware Reported in the Last 24 Hours

Return of Hades ransomware
An unknown threat group is deploying a variant of Hades ransomware in targeted attacks against U.S. organizations. At least three major organizations in the transport & logistics, retail, and manufacturing sectors have been successfully attacked with the ransomware strain. The attacks used a mix of custom tools and fileless approaches.

A flaw in Mamba ransomware
The FBI has issued a statement about a flaw in the Mamba ransomware’s encryption process. The weakness resides in DiskCryptor, the open-source disk encryption solution that Mamba uses to encrypt victims’ computers.

REvil evolves
REvil ransomware has added a new capability that enables attackers to reboot an infected device after encryption. The newly added command-line arguments, named ‘AstraZeneca’ and ‘Franceisshit’, are used to reach the Windows devices’ startup settings screen.

Top Vulnerabilities Reported in the Last 24 Hours

Flaws in Weintek HMIs fixed
Three critical vulnerabilities identified in Weintek HMIs can be exploited by an attacker to execute malicious code with root privileges. The flaws are tracked as CVE-2021-27446, CVE-2021-27444, and CVE-2021-27442. Patches have been issued following their disclosure to the vendor.

Vulnerable plugin fixed
Two vulnerabilities discovered in the Facebook for WordPress plugin have been fixed in newly released versions. The issues could have allowed attackers to achieve remote code execution and install backdoors.

SolarWinds releases a security update
SolarWinds has released a security update that fixes at least four known vulnerabilities, including two remote code execution flaws. The patches ship as part of a minor update to the SolarWinds Orion Platform, the product abused in the recent nation-state software supply chain attack.

QNAP warns of attacks
QNAP has urged its customers to strengthen their security following ongoing attacks targeting its NAS devices. The attackers are attempting to log into QNAP devices by brute-forcing login credentials.

Posted on: March 26, 2021