Go to listing page

Cyware Weekly Threat Intelligence, April 19-23, 2021

Cyware Weekly Threat Intelligence, April 19-23, 2021

Share Blog Post

The Good
When it comes to energy grids, cyberattackers have become an existential threat. The Department of Energy has, thus, initiated a plan to strengthen the energy sector supply chain in the country. The Justice Department also announced plans to form a dream team to dismantle ransomware operations. Cybercriminals begone!

  • The U.S. Department of Justice announced plans to build up a new task force to tackle the underlying causes behind the rise in ransomware attacks and disrupt their operations running globally.
  • The U.K. NCSC released a free cybersecurity training package for teachers and staff to help them mitigate cyber threats while demonstrating case studies for a better understanding of the impact of cyber incidents.
  • The U.S. Department of Energy, CISA, and the electricity sector are working on a 100-day plan to strengthen the cybersecurity posture of electric utilities, ICS, and the energy supply chain.

The Bad
The attack against Quanta just got bigger with the REvil gang leaking data belonging to high-value organizations. Will Apple pay the $50 million ransom? While we are on the topic of leaked data, another threat actor was found selling almost 50GB worth of sensitive data belonging to an OTP-generating firm. The SolarWinds attack once again grabbed eyeballs as it was found to be associated with the latest Codecov breach.

  • Login credentials for 1.3 million current and previously compromised Windows Remote Desktop servers were leaked on the UAS dark web market. 
  • The REvil ransomware gang stole massive amounts of data—large quantities of confidential drawings and gigabytes of personal data— from Apple, Dell, HPE, Lenovo, and Cisco.
  • A misconfigured database leaked names, addresses, phone numbers, social security numbers, and account numbers of Eversource Energy customers.
  • Bloomberg employees are being impersonated by hackers with the motive to install RAT on target computers. The phishing campaign has, reportedly, been active since 2020 and utilizes the NanoCore tool.
  • Investigation of the Codecov system breach revealed that it is linked to the SolarWinds attack, attributed to the Russian Foreign Intelligence Service (SVR). 
  • A large-scale scam campaign, with an aim to pilfer login credentials from users, was discovered targeting Facebook Messenger users in over 80 countries. 
  • Google Alerts is still being abused for scams and malware by redirecting users to fake adult sites, fake dating apps, sweepstake scams, and unwanted browser extensions. Such attacks are launched by sending fake Google Alert URLs to unsuspicious users.
  • A hacker was spotted selling approximately 50GB of sensitive data stolen from OTP-generating companies, including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.  

New Threats
Seems like it is still open season for ProxyLogon vulnerability exploitation. The week was introduced to quite a few new botnets, one of which has started abusing the ProxyLogon flaws to mine for cryptocurrency. Don’t be fooled by a pretty pink WhatsApp version, it’s a malware! In another vein, threat actors are actively abusing a flaw in Pulse Connect Secure VPN devices. No patch is available as of now. 
  • The WhatsApp Pink malware has now been updated to automatically respond to Signal, Telegram, Viber, and Skype messages. The malware is distributed via a fake version of WhatsApp claiming to be pink-themed. 
  • The new Pareto botnet has been found infecting a massive number of Android devices to conduct fraud in the internet TV advertising ecosystem. It works by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent platforms.
  • Telegram is used yet again to distribute the ToxicEye RAT. The malware is capable of taking over file systems, installing ransomware, and leaking data from victim systems.
  • Prometei botnet is the latest malware to have jumped onto the ProxyLogon wagon and can allow threat actors to mine cryptocurrency.
  • A newly discovered zero-day authentication bypass vulnerability found in Pulse Connect Secure gateway is currently being exploited in the wild. Tracked as CVE-2021-22893, the flaw has been linked with UNC2603 and UNC2717 threat actors against different government and law enforcement agencies.
  • An infostealer named Ficker is being propagated via fake Microsoft Store, Spotify, and FreePdfConverter apps. Using this malware, attackers can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam, Discord), and FTP clients.  
  • A new ransomware called NitroRansomware encrypts victims’ files and demands a Discord Nitro gift code to decrypt files. It is distributed as a fake tool stating it can generate free Nitro gift codes. 
  • The latest variant of XCSSET Mac malware comes with the functionality of stealing confidential information from cryptocurrency apps. 
  • A text message scam is making the rounds in the U.K. The message pretends to be from a package delivery firm and urges Android users to download a tracking app that is actually the new Flubot spyware.


prometei botnet
pareto botnet
toxiceye rat
whatsapp pink
zero day vulnerabilities
pulse secure vpn
xcsset malware

Posted on: April 23, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.