Go to listing page

Cyware Daily Threat Intelligence, May 18, 2021

Cyware Daily Threat Intelligence, May 18, 2021

Share Blog Post

DarkSide ransomware jitter continues to reign this week. In a never-seen-before instance, the ransomware has been upgraded to target hidden files in disk partitions. The impact of this is likely to leave massive damage on organizations and an increased incentive to pay a ransom to recover files.

A deluge of spear-phishing campaigns is targeting users worldwide. One such campaign focuses on impersonating financial institutions in the U.S and the U.K in an attempt to distribute RATs. The other campaign is being targeted against taxpayers in South Korea, Australia, and the U.S. Both the campaigns are aimed at stealing sensitive information from users.

Top Breaches Reported in the Last 24 Hours

Monday.com impacted
Monday.com has recently disclosed being breached due to the Codecov supply chain attack. Investigation reveals that the actors had gained access to a read-only copy of its source code.

Guard.me affected
Student health insurance carrier guard.me has taken its website offline after suffering a data breach. The incident occurred due to a vulnerability that allowed a threat actor to access policyholders’ personal information. The firm has started notifying the impacted students.

Top Malware Reported in the Last 24 Hours

New DarkSide ransomware variant
Researchers have discovered a DarkSide variant capable of seeking out partition information and compromising multiple disk partitions. With this, the variant aims to find additional files to encrypt, causing more damage and putting pressure on organizations to pay the ransom. This variant also looks for the domain controller and connects to its Active Directory via LDAP anonymous authentication.

Truist impersonated
Threat actors impersonated Truist in a spear-phishing campaign that attempted to distribute RATs. The tailor-made phishing campaign spoofed the financial institution through registered domains, email subjects, and applications related to the institution. To increase the attack success rate, the attackers used malware currently undetected by anti-malware engines. Other U.S. and U.K financial institutions (Maybank, FNB America, and Cumberland Private) have also been impersonated in this spear-phishing campaign.

Another spear-phishing campaign
Taxpayers in South Korea, Australia, and the U.S. are being targeted in a phishing campaign that pretends to be from accounting ledgers. The subject line reads “Account Ledger for 2020-2021,” and the email body encourages recipients to verify the attachment. The campaign is used to distribute RATs.

Top Vulnerabilities Reported in the Last 24 Hours

Object Injection vulnerability
A new object injection vulnerability in the PHPMailer library can allow attackers to conduct different kinds of malicious attacks such as code injection, SQL injection, path traversal, and application denial of service. The vulnerability occurs due to improper sanitization in a PHP function. It affects the library versions between 6.1.8 and 6.4.0.

Top Scams Reported in the Last 24 Hours

Scammers target families
The FBI has warned about scammers actively targeting the families of missing persons to make quick money between $5,000 and $10,000. The scammers manipulate the targeted families via phone calls or text messages into believing that their loved ones are in danger or have been abducted. They take the help of social media posts in order to gather information about the missing person.

 Tags

darkside ransomware
truist financial corporation
account ledger
spear phishing campaigns
object injection vulnerability

Posted on: May 18, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.