
Cyware Daily Threat Intelligence, May 21, 2021


Fake ransomware spotted! A Java-based RAT disguised as ransomware is circulating in the wild to harvest credentials from browsers and email clients. Named STRRAT, the malware is unusual in that it appends the .crimson extension to files without actually encrypting them.

While STRRAT is after victims’ credentials, some ransomware gangs are playing a bigger game with their victims. CNA Financial reportedly paid $40 million in ransom to resolve a ransomware attack that occurred in late March.

On one hand, the Conti ransomware gang did Ireland’s HSE a favor by releasing a decryptor; on the other, it still warned that it intends to publish or sell the data stolen during the attack. Only time will tell how the organization plans to thwart the risk.

Top Breaches Reported in the Last 24 Hours

Mercari discloses a data breach
E-commerce platform Mercari has disclosed a data breach resulting from a supply chain attack at Codecov. The company has confirmed that tens of thousands of customer records, including financial information, were exposed to external actors due to the breach.

Alaska health department targeted
The website handled by the Alaska health department was targeted in a malware attack. Investigators are trying to determine if any personal or confidential information was compromised as part of the attack.

CNA pays $40 million
CNA Financial has paid $40 million in ransom to obtain the decryption key from the ransomware attackers. The attack took place in March; many of the company's IT systems were knocked offline and sensitive data was stolen.

Top Malware Reported in the Last 24 Hours

STRRAT malware
Microsoft has warned about a massive email campaign that distributes STRRAT malware to steal confidential data from infected systems. The malware disguises itself as ransomware to continue with its infection process. It appends the filename extension .crimson to files without actually encrypting them.

Top Vulnerabilities Reported in the Last 24 Hours

Blind SQL flaw
A time-based blind SQL injection vulnerability in the WP Statistics plugin impacts over 600,000 sites. Attackers can exploit the vulnerability to extract sensitive information from a WordPress website that uses the plugin. The flaw has a CVSS score of 7.5 and affects plugin versions prior to 13.0.8.

Top Scams Reported in the Last 24 Hours

Invoice impersonation phish
There has been an increase in the number of invoice impersonation phishing attacks that imitate legitimate system login pages for invoice processing. The goal of the scheme is to harvest credentials from unsuspecting users. The emails use phrases such as ‘You have received an Invoice’, ‘View Document’, and ‘Generated by Accounting’ to trick users into opening the malicious link.

Amazon vishing attack
Scammers are using voice messages along with ‘spray and pray’ techniques in a new campaign that tricks users into visiting fake websites. These vishing attempts are made by scammers pretending to be from banks or popular online services such as PayPal or Amazon. The scams tempt victims with false promises of tax rebates and competition prizes.


Posted on: May 21, 2021
