Go to listing page

Cyware Monthly Threat Intelligence, January 2021

Cyware Monthly Threat Intelligence, January 2021

Share Blog Post

The Good 
Leaving behind the woes of 2020, the cybersecurity fraternity continues to make progress in the new year. Intel made the first-ever system where PC hardware plays a direct role in identifying ransomware instances. Meanwhile, law enforcement authorities shut down the operations of one of the greatest malware threats, while also sealing the doors of the world's largest underground marketplace. Let’s make a toast to the good bits of the month.

  • Intel, at the 2021 Consumer Electronics Show, added ransomware detection capabilities to its new 11th Gen Core vPro processors by improving its Hardware Shield and Threat Detection Technology (TDT).
  • The NSA released guidance to help network security analysts and system administrators in detecting and replacing outdated Transport Layer Security (TLS) protocol versions with up to date and secure variants.
  • Global law enforcement and judicial authorities took Emotet down, one of the most significant botnets used by cybercriminals to launch a variety of malware attacks. They have started spreading a module that will uninstall the malware on March 25, 2021.
  • CSIRO’s Data61, the digital specialist arm of Australia’s National Science Agency, the NSW Government, and other groups developed a privacy tool that adds an extra layer of security to ensure further protection of key datasets, such as those tracking COVID-19.
  • DarkMarket, the world’s largest underground marketplace, was taken down via the joint efforts of law enforcement authorities from the U.K, the U.S., Germany, Denmark, Australia, Ukraine, and Moldova.

The Bad
It goes without saying that attackers are perpetually advancing their toolsets for bigger hunts. During the month, ransomware attacks, breaches were galore, whereas details about SolarWinds attack kept coming forth with new facts. On top of it all, sensitive data were leaked left, right, and center, from various platforms, with ShinyHunters leading the pack.

  • A new report revealed that up to 18,000 SolarWinds customers may have received trojanized updates for their Orion monitoring product. As a result, attackers could establish a backdoor on victim systems and deploy more malware.
  • Retail giant Dairy Farm was attacked by REvil ransomware, following which the attackers demanded $30 million in ransom. Allegedly, the attackers had access to information for seven days after the attack.
  • Nissan revealed leaking the source code of mobile apps and internal tools due to a misconfiguration in one of its Git repositories, a Bitbucket instance. Hackers shared it in the form of Torrent links on Telegram channels and hacking forums.
  • ShinyHunters leaked 70GB of customer data, including card data, after breaking into the cloud backup database of Bonobos, an online men’s clothing store. The group also shared about 1.9 million Pixlr user records on a hacker forum for free.
  • The sensitive data of 325,000 users of the BuyUCoin cryptocurrency exchange was leaked on the dark web. It included the user names, e-mails, mobile numbers, encrypted passwords, wallet details, order details, bank details, KYC details, and deposit history.
  • The IT systems of Palfinger AG, an Austrian firm that makes cranes and other machinery, were taken down due to an ongoing global cyberattack. The attack sabotaged the firm’s e-mail and business operations.
  • A database belonging to Teespring, an e-commerce platform that lets users design and sell custom apparel, was disclosed on a popular hacker forum. The files in the leaked archive included email addresses and last update dates for around 8 million user accounts.
  • Trend Micro researchers found hundreds of networks that were still affected by VPNFilter malware. Believed to be operated by the Sofacy threat actor group, the malware is capable of exfiltrating data, encrypting communications with C2 server, and exploiting endpoints. 
  • In an ongoing investigation, Capcom claimed last month that up to 390,000 people may have been affected in a ransomware attack in November. Ragnar Locker had demanded $11 million for the release of 1TB of stolen data from the company.
  • A group of researchers was able to gain access to the Git repositories of the United Nations as part of the Vulnerability Disclosure Program. This resulted in the leak of several user credentials, including over 100,000 private records for the United Nations Environmental Programme employees.
  • The Conti ransomware group crippled OmniTRAX, the Colorado-based short line rail operator and logistics provider, and pilfered data after compromising its parent company, Broe Group. The group leaked a sample of the 70GB files containing the internal OmniTRAX documents.
  • Around 3GB archive of data belonging to the U.S.-based auto parts shop, NameSouth, was publicly leaked by the NetWalker gang, following a failed ransom negotiation. The trove contained financial and accounting data, credit card statements, employee PII, and various legal documents.

New Threats
In the time it takes one to blink, a new threat emerges. The month gave us an old malware with a new ensemble. Android had its own share of threats, one discovered by Google and the other by Italy’s security experts. Further, the cyber landscape saw new scams, new attack campaigns, and vulnerabilities affecting a myriad of systems.

  • A newly discovered phishing toolkit called LogoKit was found to be deployed in the wild. So far, researchers identified the toolkit on more than 300 domains in a week and on over 700 sites in a month.
  • Palo Alto’s Unit 42 is alerting organizations about new updates in Rocke Group’s Pro-Ocean — a cloud-targeted malware used throughout 2018 and 2019 to illegally mine Monero from infected Linux machines. It now includes capabilities such as spreading like a worm and new detection evasion techniques.
  • The FTC issued a warning about a scam that pretends to be from the U.S. regulatory agency. The scam leverages several YouTube links and pop-up sites that claim to protect personal and financial data from being exposed online.
  • Researchers reported the return of the attackers behind the CursedGrabber malware family, which utilizes brandjacking and typosquatting techniques against software supply chains. The attackers published three new malicious NPM packages designed to steal information.
  • A new variant of the NAT Slipstreaming attack, that can bypass mitigations for the previous version of the attack and expand the attacker’s reach, was uncovered by researchers.
  • The investigation of the XHunt campaign resulted in the discovery of two new backdoors called TriFive and Snugy. In addition to this, researchers decoded that BumbleBee web shell and SSH tunnels were used for moving laterally across compromised networks.
  • Babuk Locker surfaced as the first new ransomware family of 2021. Upon launching, it abuses the Windows Restart Manager to spread across network resources. After encryption, it demands ransom ranging between $60,000 and $85,000 in Bitcoins.
  • Google Project Zero researchers uncovered sophisticated hacking campaigns that used Windows and Android zero-day vulnerabilities. Threat actors leveraged these n-days vulnerabilities to exploit two servers delivering different exploit chains via watering hole attacks.
  • Interpol warned of a new investment scam last month targeting mobile dating apps. The modus operandi involves scammers taking advantage of people looking for a potential match and luring them into sophisticated fraud schemes.
  • A number of vulnerabilities discovered in the 123contactform-for-wordpress WordPress plugin can allow attackers to arbitrarily create posts and inject malicious files into the website without any form of authentication.
  • Cybercriminals were spotted using Windows RDP systems to amplify DDoS attacks. Systems in which RDP authentication is enabled on UDP port 3389 on top of the standard TCP port 3389 are susceptible to these attacks.
  • Italy's CERT issued a warning against a new Android malware, named Oscorp, that exploits accessibility services to steal user credentials and record audio and video on mobile screens.
  • Security researchers have observed the first attempts of exploiting Zyxel devices using a recently disclosed vulnerability, CVE-2020-29583. The flaw, that affects several Zyxel firewalls and WLAN controllers, arises due to the hardcoded credentials stored in the firmware.


 Tags

babuk locker ransomware
xhunt campaign
teespring
oscorp malware
dairy farm group
nat slipstreaming v20
pixlr
logokit
palfinger
solarwinds attack
pro ocean malware
buyucoin

Posted on: February 03, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Learn More About Cyware Solutions!