
Cyware Weekly Threat Intelligence, January 11 - 15, 2021


The Good

The cybersecurity space witnesses its fair share of ups and downs every week. However, slowly but steadily, researchers and law enforcement authorities are gaining ground on threat actors. In one positive development, Europol cracked down on the largest illicit underground marketplace known as DarkMarket.

  • Europol cracked down on DarkMarket, allegedly one of the world’s largest illegal marketplaces on the dark web. Authorities have arrested an Australian citizen living in Germany in connection with the case.
  • A free decryptor for the DarkSide ransomware will allow victims to recover their files without paying a ransom. The ransomware has been active since August 2020 and has generated millions of dollars for its operators.

The Bad

While we have all left 2020 behind, threat actors are still constantly on the prowl. This week witnessed several high-profile security incidents impacting the likes of the United Nations, the Reserve Bank of New Zealand, and private firms such as Capcom and Ubiquiti.

  • A group of researchers gained access to United Nations repositories as part of its Vulnerability Disclosure Program. The exposure included several sets of user credentials and over 100,000 private records of United Nations Environment Programme employees.
  • New Zealand’s central bank suffered a data breach after an attacker gained unauthorized access to a third-party file sharing service the bank uses.
  • Ubiquiti suffered a security breach caused by unauthorized access to some of its systems. The exposed information includes names, email addresses, phone numbers, home addresses, and one-way encrypted passwords.
  • Chinese social media firm Socialarks exposed over 400GB of personal data through an unsecured Elasticsearch database.
  • Capcom suffered a security breach by Ragnar Locker, affecting the personal data of up to 400,000 gamers.
  • The European Medicines Agency (EMA) revealed that some of the Pfizer/BioNTech COVID-19 vaccine data stolen from its servers in December had been leaked online.
  • A campaign dubbed Operation Spalax is using a trio of remote access trojans to steal confidential information from Colombian companies.
  • A website named SolarLeaks was found selling data claimed to be stolen from companies affected by the SolarWinds attack. The stolen data on the website allegedly belongs to Microsoft, Cisco, FireEye, and SolarWinds.
  • Conti ransomware struck again, this time affecting OmniTRAX. Following the attack, the threat actors have leaked around 70GB of the stolen data.
  • An unsecured Microsoft Azure Blob belonging to Nohow International was exposed online for a week before it was secured. The storage contained sensitive documents of over 12,000 U.K. workers.

New Threats

The year has barely started, and with it came various new threats. Several attack campaigns and malware families received updates that make them more damaging, including OSAMiner, Rogue RAT, and the Ursnif trojan. A Chinese APT group was linked to a new campaign against organizations in Hong Kong and Russia.

  • A newly uncovered Russia-based cybercrime operation dubbed Classiscam has helped classified ads scammers steal more than $6.5 million from users in the U.S., Europe, and former Soviet states.
  • The investigation of the XHunt campaign led to the discovery of two new backdoors called TriFive and Snugy. Researchers also determined that the BumbleBee web shell and SSH tunnels were used to move laterally across the compromised networks.
  • A new variant of OSAMiner is targeting macOS users with an aim to mine cryptocurrency. The variant uses three run-only AppleScript files to deploy the mining process on an infected macOS machine.
  • A new variant of the Ursnif trojan was spotted in the wild targeting users in Italy. The campaign spreads via phishing emails written in Italian that masquerade as payment reminders.
  • Researchers have released details about a new Rogue RAT capable of reading victims’ messages, stealing passwords, taking screenshots, and even recording calls.
  • Google Project Zero researchers have uncovered sophisticated hacking campaigns that used Windows and Android zero-day vulnerabilities. The threat actors leveraged these, together with n-day vulnerabilities, from two servers delivering different exploit chains via watering hole attacks.
  • In a recent investigation, researchers discovered several similarities between the Sunburst malware and the Kazuar backdoor. Kazuar appears to have been used by the Russia-linked threat actor group Turla. Researchers note that one of several possible explanations for the overlap is that Sunburst was created by the same threat actor group.
  • Researchers disclosed a series of attacks by undocumented Chinese malware against firms in Hong Kong and Russia. The campaign has been attributed to Winnti or APT41.
  • An unpatched zero-day flaw in Windows 10 allows threat actors to corrupt an NTFS-formatted hard drive with a one-line command. The command can be hidden inside a shortcut file, a batch file, or an archive, among other carriers.


Posted on: January 15, 2021
