Go to listing page

Cyware Weekly Threat Intelligence, January 04 - 08, 2021

Cyware Weekly Threat Intelligence, January 04 - 08, 2021

Share Blog Post

The Good

With attackers leaving no stone unturned to make the cyberworld chaotic, government agencies also try to keep pace by issuing guidelines and mitigations for improving organizations’ security posture. While the White House released the standards for the U.S. maritime transportation system for threat information sharing, the NSA issued guidelines for network security analysts and system administrators to mitigate risks posed by weak encryption protocols.

  • A National Maritime Cybersecurity Plan was rolled out that will set standards for the U.S. maritime transportation system for threat information sharing, creating a cybersecurity workforce, and establishing a risk framework in ports.
  • The NSA released guidance to help network security analysts and system administrators in detecting and replacing outdated Transport Layer Security (TLS) protocol versions with up to date and secure variants.
  • The U.S. government announced Hack the Army 3.0 bug bounty program—scheduled to take place between January 6 and February 17—with a goal of helping the U.S. Army secure its digital assets against cyberattacks.

The Bad

With good, comes the bad. On one hand, Nissan and Microsoft disclosed incidents that resulted in source code leaks, while on the other, more than 200 million records of Chinese citizens were put on sale on a Russian dark web forum. Further, ransomware incidents and phishing scams from the week reflected the rugged cybersecurity posture of a few firms. 

  • A threat actor posted data of 10,000 American Express credit card holders on a hacker forum for free. The data exposed includes names, full addresses, phone numbers, and dates of birth of customers.
  • Nissan this week revealed leaking the source code of mobile apps and internal tools due to a misconfiguration issue in one of its Git repositories, a Bitbucket instance. Hackers shared it in the form of torrent links on Telegram channels and hacking forums.
  • During an ongoing investigation into the Microsoft supply chain attack, the firm revealed that the hackers were able to view unspecified source code during the attack. The attacks that allegedly began around March were linked to Russian state-sponsored cyberespionage gang APT29 (aka Cozy Bear).
  • Security researchers reported that the China-based APT27 threat actor group is behind ransomware attacks that encrypted several core servers for at least five companies in the online gambling sector.
  • ShinyHunters is now selling databases comprising data of over 10 million users belonging to three more Indian companies on a dark web forum. The affected companies are ClickIndia, ChqBook, and WedMeGood. Earlier, the hacker group was responsible for the data breach at Juspay.
  • Over 200 million records related to Chinese citizens have been put on sale on a Russian dark web forum. Researchers claim that the data might have been stolen from multiple popular Chinese services, including Gongan, County, Weibo, and QQ.
  • Around 3GB archive of data belonging to the U.S.-based auto parts shop, NameSouth, was publicly leaked by the NetWalker gang, following a failed ransom negotiation. The trove contained financial and accounting data, credit card statements, employee PII, and various legal documents.
  • Security researchers stumbled across a scammer group that has been impersonating Singapore government officials in an attempt to pilfer banking information from users. The group claims to be impersonating government agencies such as the police or Ministry of Manpower over the calls or texts.
  • Security experts found the Ben-Gurion University of the Negev compromised and in the hands of cybercriminals that had already impacted several servers during a routine scan at the facility.
  • A hacker group, dubbed Spiderz, allegedly hacked into Hezbollah's Al-Qard Al-Hassan financial organization and laid bare sensitive information of several clients and the organization’s annual budget. 
  • The PYSA ransomware actors released data they, allegedly, stole from the Hackney Council, London, during an attack from last year. This includes sensitive personal data of staff and residents.

New Threats

The new year has brought a flood of new threats. In the first week of the year, researchers discovered a new RAT called ElectroRAT that can target Windows, Linux, and macOS systems. Moreover, the first new ransomware family of 2021, Babuk Locker, was identified which has compromised the Windows Restart Manager of corporate victims.

  • Rock RMS, a relationship management system for churches has patched a pair of critical vulnerabilities that can lead to account takeover and remote code execution issues. These flaws are tracked as CVE-2019-18642 and CVE-2019-18643 and score a rating of 9.8 on the CVSS scale.
  • Security researchers have observed the first attempts of exploiting Zyxel devices using a recently disclosed vulnerability, CVE-2020-29583. The flaw, that affects several Zyxel firewalls and WLAN controllers, arises due to the hardcoded credentials stored in the firmware.
  • Researchers have detected a new RAT named ElectroRAT that is capable of targeting Windows, Linux, and macOS. A new malspam campaign that purports to contain an inappropriate video of the U.S. President was spotted distributing QRAT malware.
  • Google has announced fixes for 42 vulnerabilities affecting its Android devices, as part of January 2021 security updates. Four of these flaws are rated critical and affect Android’s system component and Media Framework.
  • An untrusted deserialization vulnerability discovered in the Zend Framework can be exploited by attackers to achieve remote code execution on PHP sites. The vulnerability, tracked as CVE-2021-3007, impacts some instances of the Laminas project, a successor of Zend.
  • Researchers have released a PoC for a previously discovered reCAPTCHA v3 attack method that uses voice-to-text to bypass CAPTCHA protection. The attack method can be leveraged by attackers to collect sensitive data from browsers.
  • Fortinet has issued security patches for several potentially serious vulnerabilities discovered in the FortiWeb web application firewall. The flaws could be abused to expose corporate networks to attacks. The flaws are tracked as CVE-2020-29015, CVE-2020-29016, CVE-2020-29019, and CVE-2020-29018.
  • The TA551 threat actor group, which is known for extensively using information-stealing malware families such as Ursnif and Valak, has switched to IcedID malware after mid-July, 2020. The infection chain starts with a malicious email that includes a password-protected zip archive.
  • Nvidia has warned gamers about patching 16 CVEs across its graphics drivers and vGPU software that pose serious threats including DDoS attacks, privilege escalation, and data tampering.
  • Multiple malware authors are relying on Golang-based Ezuri crypter and memory loader to make their code undetectable to antivirus software. Although the tactic is widely used across Windows malware, threat actors now use Ezuri for infiltrating Linux environments.
  • Babuk Locker was identified as the first new ransomware family of 2021. Upon launching, it abuses the Windows Restart Manager to spread across network resources. 
  • Security experts uncovered an attack campaign, suspected by the Earth Wendigo group, that has been exfiltrating emails from government agencies, academic centers, and universities in Taiwan. 
  • North Korean hacking group APT37 has been found using the RokRat trojan in a fresh wave of campaigns against the South Korean government. A VBA self decoding technique is being used to hide the malware on impacted systems.
  • ThreatNix reported a new campaign leveraging Facebook ads to steal victims’ login credentials. Hackers, so far, have claimed more than 615,000 users in multiple countries.


babuk locker ransomware
icedid malware
rokrat trojan
earth wendigo
ezuri crypter

Posted on: January 08, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.