Cyware Weekly Threat Intelligence, February 01 - 05, 2021

The Good
Good news travels like molasses; nonetheless, it travels. This week brought a few pieces of it. Another ransomware operation bit the dust, and another dark web marketplace was shut down. It seems we are finally gaining some momentum in the race against threat actors.

  • The operators behind the Fonix ransomware shut down their operation and released the master decryption key for free, so that victims can recover their files.
  • A coordinated law enforcement operation shut down ValidCC, a dark web marketplace that had traded stolen payment card data for more than six years.
  • IBM announced $3 million in grants to six school districts in the U.S. to help them prepare for and defend against cyberattacks.
  • As part of efforts to address account takeovers by members of the OGUsers forum, Twitter, Instagram, TikTok, and other platforms are reclaiming stolen accounts in bulk and sending cease-and-desist letters to the hackers involved.

The Bad
By now, it has started feeling like a normal year in the sense that we are witnessing multiple breaches a week. Some unsecured database. Just the usual, you know? Also, Babuk Locker is moving pretty fast for a newly born ransomware. Maybe it’s time Spotify addressed its security concerns after being attacked for the second time in three months.

  • UK Research and Innovation (UKRI) is dealing with a ransomware attack that encrypted data and disrupted two of its services.
  • British services business Serco has been hit by the Babuk Locker ransomware, impacting the firm’s European operations. The operators further claim to have copied more than 1TB of data after sitting inside the network for about three weeks.
  • The data of 3.2 million DriveSure clients was posted on the RaidForums hacking forum late last month. The exposed information included names, addresses, phone numbers, email addresses, IP addresses, car makes and models, car service records, and dealership records.
  • The Washington State Auditor’s office has suffered a data breach that exposed personal information tied to 1.6 million unemployment claims. Threat actors exploited a vulnerability in Accellion’s legacy File Transfer Appliance (FTA) to access the data.
  • An unsecured Microsoft Azure blob storage container was found leaking images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world.
  • Spotify suffered its second credential-stuffing attack in three months. Experts estimate that more than 100,000 accounts could be exposed to takeover.
  • Estate agent Foxtons Group is under pressure over a data leak. Reports claim that thousands of customers’ card and personal details have been uploaded to a dark web site.
  • Oxfam Australia has launched an investigation after a database containing the details of 1.7 million supporters, including donor information, was put up for sale on the dark web.
  • A so far unattributed hacking group compromised BigNox, maker of the NoxPlayer Android emulator, in a highly targeted supply chain attack that abused the emulator’s update mechanism to deliver malware to selected victims.
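The Spotify item above is a credential-stuffing attack: username/password pairs leaked from one service are replayed against another service’s login. The signature a defender can look for is one source trying many different accounts in a short span, failing most of the time and occasionally succeeding. The following detector is an added example written for this briefing (it is not Cyware’s or Spotify’s code); the log format (`<timestamp> ip=… user=… result=FAIL|SUCCESS`), the sample lines, the five-minute window and the thresholds are all illustrative assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Idea: a real user who mistypes a password retries *one* account; a stuffing
bot replays a leaked username/password list across *many* accounts from the
same source, with a high failure rate and the occasional hit. So we slide a
short time window over each source IP's login events and alert when the
window contains many distinct usernames and mostly failures.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: not real log lines from Spotify or any other system.
# Assumed format: "<ISO8601 ts> ip=<addr> user=<name> result=FAIL|SUCCESS"
SAMPLE_LOG = """\
2021-02-03T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2021-02-03T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2021-02-03T10:00:02Z ip=203.0.113.7 user=carol@example.com result=FAIL
2021-02-03T10:00:03Z ip=203.0.113.7 user=dave@example.com result=SUCCESS
2021-02-03T10:00:04Z ip=203.0.113.7 user=erin@example.com result=FAIL
2021-02-03T10:00:05Z ip=203.0.113.7 user=frank@example.com result=FAIL
2021-02-03T10:00:10Z ip=198.51.100.9 user=grace@example.com result=FAIL
2021-02-03T10:00:20Z ip=198.51.100.9 user=grace@example.com result=FAIL
2021-02-03T10:00:30Z ip=198.51.100.9 user=grace@example.com result=SUCCESS
2021-02-03T10:30:00Z ip=192.0.2.5 user=heidi@example.com result=FAIL
2021-02-03T11:45:00Z ip=192.0.2.5 user=ivan@example.com result=FAIL
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["ip"], kv["user"], kv["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for every source IP that, within any `window`,
    tried at least `min_distinct_users` different accounts with a failure
    ratio of at least `min_fail_ratio`. The summary lists the accounts that
    logged in successfully inside that window, i.e. the likely compromised ones."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            failures = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_distinct_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": failures,
                    "compromised": sorted({u for _, u, r in win if r == "SUCCESS"}),
                }
                # Keep the widest (most distinct users) window seen for this IP.
                if ip not in alerts or summary["distinct_users"] > alerts[ip]["distinct_users"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, s in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {s['distinct_users']} accounts tried, "
              f"{s['failures']}/{s['attempts']} failed, "
              f"successful logins to {s['compromised']}")
```

On the sample data only 203.0.113.7 is flagged: six accounts in four seconds, five failures, one success (dave), which is the account to force a password reset on. The user who fails twice and then logs in (198.51.100.9) and the two unrelated failures an hour apart (192.0.2.5) stay below the thresholds. The caveat is that stuffing tools rotate through proxies, so a per-IP cardinality check misses distributed, low-and-slow campaigns; in practice you pair it with a global failure-rate baseline and a per-username view (one account hit from many IPs), and key on device fingerprint or ASN as well as source address.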

New threats
The weather may be warm, but the new threats you are about to read about might give you a chill. Agent Tesla keeps evolving. Trickbot is getting stronger and stronger. Kubernetes clusters are facing new, sophisticated threats. You are warmed up enough; here are the other threats that sailed through this week.

  • A malicious advertising campaign impersonating Home Depot has been found redirecting Google Search visitors to tech support scams.
  • Researchers have spotted a new Trickbot component that performs local network reconnaissance. Named masrv, it lets the operators push Masscan commands to infected hosts and scan the local network for further targets to infect.
  • A Linux backdoor named Kobalos has been found on high-performance computing clusters (supercomputers), as well as on several privately held servers in North America, Europe, and Asia.
  • The Babyk (Babuk) ransomware operators have launched a data leak site to publish victims’ stolen data as part of a double-extortion strategy.
  • New details have emerged about a family of malicious Chrome and Edge extensions, collectively called CacheFlow, that hijack clicks on links in search result pages to redirect unsuspecting users to phishing sites and ads.
  • A new version of Agent Tesla targets Microsoft’s Antimalware Scan Interface (AMSI) to avoid detection. The new version can also deploy a Tor client.
  • Matryosh is a new Mirai variant designed primarily to launch DDoS attacks. Researchers note that its command format and its use of Tor for C2 closely resemble those of another botnet, LeetHozer.
  • The TeamTNT group is deploying new malware, dubbed Hildegard, in a cryptojacking campaign that targets Kubernetes clusters, gaining initial access through kubelets that have been misconfigured to allow anonymous access.
  • A new way to perform an XS-Leak (cross-site leak) side-channel attack has been disclosed. It leverages browser and extension vulnerabilities to infer cross-site state.
  • Scammers are now targeting Discord servers, sending private messages to users in a new cryptocurrency giveaway scam. The messages purport to come from new, upcoming cryptocurrency exchanges and promise free Bitcoin or Ethereum.

Posted on: February 05, 2021
