
Cyware Weekly Threat Intelligence, February 22 - 26, 2021


The Good
Stop what you are doing, as I have brought some freshly baked good news for you. We all need hope and optimism in our daily lives, and here comes your weekly dose of the same. Android users can rejoice as they now get the Password Checkup feature. Researchers invented a means to detect hidden cryptomining malware, and they are in search of a partner to bring the solution to the market. Let’s toast to a better cyberplace.

  • Google and the Linux Foundation joined hands on a plan under which the former would fund Linux kernel developers to work entirely on security.
  • The House Foreign Affairs Committee approved the foundation of a new bureau of international cyberspace policy at the State Department as part of the Cyber Diplomacy Act.
  • Ten strategic organizations, including the Scottish Government and Police Scotland, have joined hands to collaborate and enhance cyber-resilience while educating organizations and individuals on cybersecurity.
  • Researchers from the Idaho National Laboratory invented a way to quickly identify hidden cryptomining malware.
  • The Password Checkup feature was introduced for Android devices as part of the Autofill with Google mechanism. This feature checks stored passwords against a database containing records from public data breaches to see if a password was previously leaked.

The Bad
The week found itself among a whole heap of cyberattacks. Bombardier got bombarded with a data breach and some of its sensitive data was leaked online. Although unfortunate, it’s not very shocking as ransomware attackers are constantly posting stolen information on dedicated leak sites. Google alerts have become a convenient tool for attackers to spread malware on victim systems.

  • Cybercriminals are increasingly targeting QuickBooks in an attempt to deliver malware and exploit the accounting software. The credentials from QuickBooks databases are later put on sale on the dark web.
  • Reports have surfaced of threat campaigns attempting to fool Turkish social media users into downloading Android apps containing the Cerberus and Anubis banking trojans.
  • French authorities are warning the country’s healthcare sector of the discovery of stolen credentials, apparently belonging to hospital workers. The credentials have been put up for sale on the dark web.
  • The Clop ransomware gang has leaked online screenshots of blueprints allegedly stolen from aerospace giant Bombardier. The gang had abused a vulnerability in Accellion’s legacy file-transfer software to gain access to Bombardier’s networks.
  • Ukrainian security and defense websites suffered massive attacks that began on February 18. The threat actor attempted to compromise the websites to deploy a DDoS bot.
  • Texas-based Austin Energy has issued a warning about a scam that threatens customers into paying their pending bills. The scammers pretend to be from the company and warn customers that their utilities will be disconnected if they don’t make immediate payment.
  • Threat actors are leveraging Google Alerts to promote a fake Flash Player updater that installs other unwanted programs on users’ computers. The modus operandi includes threat actors creating fake stories with titles containing popular keywords that index on Google Search. 
  • The IRS and Security Summit financial industry partners are warning about scams that are aimed at stealing personal information from taxpayers.

New Threats
New threats are always around the corner, and this week is no exception. But something worrying came up. Four new ICS threat actors emerged, just like the four horsemen riding into the battlefield. A new malware called Silver Sparrow affecting Apple M1-powered Macs has been uncovered, and I’d suggest you get some reading done about it so that you don’t join the long list of victims.

  • Four new ICS threat actors—Kamacite, Stibnite, Vanadinite, and Talonite—were identified by Dragos. These groups were spotted targeting energy and manufacturing sectors. 
  • Malicious hackers have started scanning the internet for VMware vCenter servers that are vulnerable to a critical remote code execution vulnerability. The flaw is tracked as CVE-2021-21972 and can be exploited by attackers to execute malicious commands with elevated privileges.
  • Chinese cyberespionage gang TA413 launched attacks against Tibetan organizations using a malicious Firefox add-on. Dubbed FriarFox, this add-on allowed the hackers to steal Firefox and Gmail browser data, along with delivering malware on infected computers.
  • A botnet used for cryptocurrency mining activities is abusing Bitcoin blockchain transactions to stay under the radar. As a part of the campaign, the threat actors have been found abusing remote code execution vulnerabilities (CVE-2015-1427 and CVE-2019-9028) in Hadoop Yarn and Elasticsearch.
  • Botnet operators are abusing VPN servers provided by Powerhouse Management to bounce and amplify junk traffic as part of DDoS attacks. The root cause of the attack is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.
  • Researchers have detected a new variant of MINEBRIDGE RAT that includes new TTPs and social engineering lures. The malware, which is linked to the TA505 threat actor group, uses a job resume theme to attract recipients.
  • Researchers are warning of recent phishing attacks targeting at least 10,000 Microsoft email users. The emails appear to come from popular mail couriers such as FedEx and DHL Express.
  • Think tanks in the U.K. are warning about a silent stealing fraud that targets online users. The modus operandi of the fraud involves stealing £10 each from 100,000 customers rather than stealing a large amount directly from a bank.
  • Researchers have demonstrated a new class of attacks called Shadow attacks that could let attackers replace content in digitally signed PDF documents. The attack is successful on 16 PDF viewers, including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular.
  • Security researchers have discovered a new malware called Silver Sparrow on nearly 30,000 Apple Macs. The malware comes with a mechanism to self-destruct.
  • An ongoing espionage campaign aimed at the defense industry has been tracked by researchers. Tied to the North Korea-based Lazarus group, the attack involves the use of ThreatNeedle malware that exfiltrates sensitive information.



Posted on: February 26, 2021
