Go to listing page

Cyware Weekly Threat Intelligence, August 02–06, 2021

Cyware Weekly Threat Intelligence, August 02–06, 2021

Share Blog Post

The Good

Following the REvil decryptor for Kaseya victims, the week witnessed the release of another decryptor for Prometheus ransomware victims. Such a wonderful ray of sunshine, yes? Now, vulnerabilities are out to bite malicious actors as one of their favorite tools was found to be flawed. In another camp, following the repeated cyberattacks on the nation, the U.S. has decided to join hands with tech firms to strengthen the country’s cyber defenses.

  • The NSA and CISA provided hardening guidance in a new technical report describing security challenges in setting up and securing a Kubernetes cluster.
  • SentinelOne discovered DoS vulnerabilities in Cobalt Strike—a legitimate penetration testing tool, which is often misused by blackhat hackers—that can hamper beacon C2 communication channels and new payloads.
  • Starting this month, Microsoft Defender and Microsoft Edge on Windows 10 will automatically—and by default—block Potentially Unwanted Applications (PUAs).
  • A free decryptor for Prometheus ransomware has been released for victims to retrieve their encrypted files. 
  • The CISA launched the federal civilian enterprise-wide Vulnerability Disclosure Policy (VDP) platform to manage security gaps in critical government systems.
  • The U.S. government has announced to partner with Google, Microsoft, Amazon, and other tech companies to reinforce the nation’s cybersecurity defenses. The initiative has been dubbed the Joint Cyber Defense Collaborative (JCDC) and will have the CISA working alongside various firms. 


The Bad

It is 2021 and companies are still leaving their databases unsecured and people are suffering because of such a mistake. Around 35 million U.S. residents had their personal information exposed this week. Coming to the topic of data breaches, the educational sector is still bearing the brunt of cyberattacks as a Candian school district was breached. Scammers can be called the shameless scum of the cyberworld as they are now targeting people who are seeking unemployment insurance.

  • Italian energy firm ERG suffered minor disruptions in its ICT infrastructure following a ransomware attack by the LockBit 2.0 group.
  • WizCase reported a breach affecting Reindeer, an American marketing company. The incident exposed over 50,000 files in a 32GB trove of data, owing to a misconfigured Amazon S3 bucket.
  • An alleged ransomware group attacked the vaccination registration system in Italy’s Lazio region, preventing residents from booking new vaccination appointments for days.
  • An unsecured Elasticsearch database had left the details of about 35 million residents across Chicago, San Diego, and Los Angeles exposed online. The data included gender, full names, dates of birth, and marital status of users.
  • Canada’s School District No.73 suffered a breach, impacting the personal information—identity and contact information—of students. 
  • Scammers are masquerading as members of the SEC, FINRA, and other state securities regulators to trick investors into sharing more information. They created fake social media profiles and fake websites as a part of the phishing campaign. 
  • Thailand’s vaccine registration platform had publicly exposed emails and personal details of over 20,000 applicants. The security issue has been patched now.
  • WeTransfer is being abused by threat actors to target Microsoft Office 365 users. The attackers aim to exfiltrate their credentials. 
  • An unsecured database at OneMoreLead laid bare a glut of personally identifiable information containing around 126 million records for 63 million people in the U.S.
  • The FTC is warning people who have applied for unemployment insurance against a phishing campaign. The emails and text messages impersonate states’ workforce agencies and aim to pilfer your social security numbers and other personal information.


New Threats

The notorious APT31, also known as Zirconium, attacked Russia for the first time ever! It is also propagating a new RAT. The week was a hard one as various sets of vulnerabilities kept coming forth, along with their potentially devastating consequences. This includes a set of DNS vulnerabilities that can allow attackers to rip data off of corporate networks. Cannot finish this without talking about cryptostealers. Raccoon stealer got upgraded and can now exfiltrate cryptocurrency from victims.

  • A new cybercrime service dubbed Prometheus TDS is available for sale on underground platforms for $250 a month. Attackers have used this new malware-as-a-service to deploy Campo Loader, Hancitor, IcedID, QBot, Buer Loader, and SocGholish malware.
  • The Chinese threat actor group APT31 has been found using a new RAT to target entities in Mongolia, Russia, Belarus, Canada, and the U.S. In addition to this, the group has attacked Russia for the first time.
  • Sophos stumbled across a new attack campaign by Raccoon Stealer that uses clippers to rip off cryptocurrency, alongside financial information from the users.
  • The new FatalRAT is being spread via different software or media articles on Telegram channels. The malware includes several evasion techniques and can log user keystrokes, collect system information, and exfiltrate over a C2 channel.
  • Cybereason exposed DeadRinger - three clustered activities by different Chinese espionage groups that targeted at least five global telecom providers in Southeast Asia.
  • Kaspersky documented a new Chinese-speaking threat actor—GhostEmperor—targeting Microsoft Exchange flaws in high-profile attacks in Southeast Asia.
  • Security experts discovered a set of nine vulnerabilities, aka PwnedPiper, in the TransLogic Pneumatic Tube Systems from Swisslog Healthcare. The flaws impact around 80% of U.S. hospitals, with a possibility of complete system takeover.
  • A set of new DNS vulnerabilities have been found affecting major DNS-as-a-service providers, which could enable threat actors to swipe confidential data from corporate networks.  


 Tags

joint cyber defense collaborative jcdc
apt31
deadringer
prometheus tds
pwnedpiper vulnerabilities
fatalrat
reindeer
raccoon stealer
ghostemperor
onemorelead
dns vulnerabilities

Posted on: August 06, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.