Go to listing page

Cyware Weekly Threat Intelligence, April 12 - 16, 2021

Cyware Weekly Threat Intelligence, April 12 - 16, 2021

Share Blog Post

The Good
Imagine a refreshing lemonade on a hot summer day, while you kick off your shoes and relax. Wouldn’t it be nice to have such a refreshing piece of news too? We have just the right thing for you! The FBI obtained a warrant to copy and delete web shells from hundreds of Hafnium victims. In another major news, the U.S. formally ascribed the SolarWinds attacks to a Russian intelligence agency.

  • The FBI used backdoors, which Halfnium hackers exploited to enter Exchange Servers globally, to remotely delete web shells from hundreds of impacted servers.
  • The Internet of Secure Things Alliance (ioXt) launched a new security certification for VPNs and mobile apps. The compliance program consists of a set of security-related requirements against which apps can be certified.
  • The SolarWinds attack was officially attributed to Russia’s Foreign Intelligence Service - SVR. The NSA, FBI, and CISA issued a joint advisory warning of SVR’s activities against various organizations.

The Bad
Social media has never really been a safe place to be in. Although this week didn’t bring anything exceptional except for the common maladies, something really concerning is phishing attacks launched against job seekers. Threats looming over cryptocurrency platforms are not going anywhere, as proven by an attack on Celsius Network. Last but not the least, the Joker malware is back and making Huawei users cry. 

  • Babuk ransomware operators reportedly posted 500GB worth of Houston Rockets’ internal business data—contracts, NDA, and financial data—on its dark web forum.  
  • Employment-oriented service users in the U.S., the Middle East, and Canada are being targeted with customized phishing emails that attempt to hijack their LinkedIn accounts or promote fake LinkedIn email leads. 
  • Two Tasmanian casinos were forced to shut down following a ransomware attack. The attack affected hotel booking systems, as well as the slot machines. 
  • Celsius Network, a cryptocurrency rewards platform, underwent a security breach, which, in turn, led to a phishing attack on its customers. This breach resulted in the loss of partial customer list of the company. 
  • More than 100,000 web pages hosted by Google sites are being used to trick netizens into opening booby-trapped business documents containing RAT, with common business lures.  
  • Attackers are launching campaigns in which IceID was switched with QakBot trojan to deliver malicious payloads. The campaign relied on updated XLM macros to distribute the trojan. 
  • ParkMobile suffered a breach and the account information of 21 million customers was for sale on a Russian-speaking crime forum for $125,000. 
  • ShinyHunters leaked sensitive information of about 2.5 million Upstox users. the exposed information includes names, dates of birth, email addresses, bank account information, and about 56 million KYC documents stolen from the company’s server.
  • APKPure, one of the largest app stores, fell victim to a supply chain attack. Threat actors managed to launch the attack by compromising client version 3.17.18 to deliver malware dubbed Triada. 
  • More than 500,000 Huawei users were infected with the Joker malware distributed via 10 apps in AppGallery. 


New Threats
Lazarus is back at it again. At what you ask? Cryptocurrency stealing. There’s a twist though - it is using a unique tactic. You’ll read about it real soon. The BRATA malware family made its way into the Google Play Store, deploying a backdoor via several apps. Also, IoT devices are at high risk from a set of nine newly disclosed flaws. Go on, read along.

  • Lazarus APT was found stealing cryptocurrency with a never-before-seen tool - modified JS sniffers. Named Lazarus BTC Changer, this crypto skimmer switches the destination payment address to the threat actor’s BTC address. 
  • A new malicious package—web-browserify—targeting NodeJS developers was spotted on the npm registry. The package once executed, uses another legitimate npm component, systeminformation, to collect information from the infected systems.  
  • The new Saint Bot malware was leveraged to drop information stealers and other malware downloaders in targeted campaigns against Georgian government institutions. 
  • Several new variants of the Android malware family BRATA were found posing as app security scanners on Google Play Store to propagate a backdoor capable of collecting sensitive information. 
  • NAME:WRECK, a set of nine newly disclosed DNS vulnerabilities, put more than 100 million consumers, enterprises, and industrial IoT devices at risk. These vulnerabilities affect four well-known TCP/IP stacks, IPnet, FreeBSD, Nucleus NET, and NetX. 
  • A new report revealed that the Facebook data leak incident affected users in Egypt the most. The private details of around 45 million Egyptians have been leaked following the incident. 
  • An exploit and details for an unpatched vulnerability affecting Chrome, Edge, and other web browsers were made public. The flaw resides in the v8 JavaScript engine used by Chromium and can be exploited for arbitrary code execution in the browser process. 
  • Cracked copies of Microsoft Office and Adobe Photoshop are being used to steal browser session cookies and Monero cryptocurrency wallets from users who install the pirated software. The cracked software are distributed via BitTorrent. 
 


 Tags

lazarus btc changer
hafnium
namewreck
saint bot malware
brata android rat
solarwinds attack

Posted on: April 16, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.