Cyware Weekly Threat Intelligence, January 18 - 22, 2021


The Good
A chink of optimism was visible this week in the cybersecurity landscape. Cybersecurity awareness is on the rise, and the quote by Brandon Wales, Acting CISA Director, “Together, we can defend today and secure tomorrow,” should be trending, in our opinion.

  • The CISA launched a new public awareness campaign to defend against ransomware attacks targeting the government and education sectors. 
  • DarkMarket, the world’s largest underground marketplace, was taken down via the joint efforts of law enforcement authorities from the U.K, the U.S., Germany, Denmark, Australia, Ukraine, and Moldova.
  • Along with a report detailing the techniques employed by the SolarWinds threat actors, FireEye researchers released a free tool on GitHub, Azure AD Investigator.

The Bad
“No day so clear but hath dark clouds.” The week saw some huge data breaches and invasions of privacy. Large amounts of personal data found their way into the quagmire of the dark web. Apart from this, phishing, vishing, and smishing attacks were on the rise.

  • Hackers leaked a 14GB database containing the names, email addresses, and passwords of more than 77 million Nitro PDF user records for free. 
  • The sensitive data of 325,000 users of the BuyUCoin cryptocurrency exchange was leaked on the dark web. It included the users’ names, e-mails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details, and deposit history.
  • AnyVan, a European online marketplace, has confirmed a cyberattack that involved the theft of customers’ personal data. The incident occurred after attackers gained unauthorized access to its user database.
  • 1.9 million Pixlr user records have been leaked on a hacker forum by the ShinyHunters threat actor group. The database has been shared for free on the forum.
  • After FireEye, another cybersecurity firm Malwarebytes has revealed being targeted by SolarWinds hackers.
  • According to researchers at Trend Micro, hundreds of networks are still affected by the VPNFilter malware. Believed to be operated by the Sofacy threat actor group, the malware is capable of exfiltrating data, encrypting communications with its C2 server, and exploiting endpoints.
  • IObit, a Windows utility developer, was hacked to infect a number of its forum users with DeroHE ransomware. 
  • A data breach originating from the Fleek social media app has been identified by researchers. The exposed information includes explicit content of users.
  • A month after the attack, the ransomware gang has published around 1.2 GB of data stolen from the Scottish Environment Protection Agency (SEPA) on the internet.
  • The FBI has issued a notification of ongoing vishing attacks that are aimed at stealing corporate accounts and credentials for network access and privilege escalation from employees worldwide.

New Threats
Times are for sure unprecedented as new threats plague the security landscape. 

  • Researchers reported the return of the attackers behind the CursedGrabber malware family, which utilizes brandjacking and typosquatting techniques against software supply chains. The attackers published three new malicious NPM packages designed to steal information.
  • NVIDIA patched three security flaws in its Shield TV, which could lead to denial of service, escalation of privileges, and data loss. 
  • A new large-scale, global phishing campaign was found to bypass Microsoft Office 365 Advanced Threat Protection (ATP) and steal credentials belonging to over a thousand corporate employees. 
  • Interpol has warned of a new investment scam that targets mobile dating apps. The modus operandi involves scammers exploiting the vulnerabilities of people looking for a potential match and luring them into sophisticated fraud schemes.
  • A number of vulnerabilities discovered in the 123contactform-for-wordpress WordPress plugin can allow attackers to arbitrarily create posts and inject malicious files into the website without any form of authentication.
  • Researchers have uncovered a new hacking tool named Raindrop that was used in the recent SolarWinds supply chain attack. The tool was installed on some systems in an effort to spy on them.
  • Researchers have uncovered a series of attacks against Linux devices by the FreakOut botnet. The attacks are aimed at devices running either TerraMaster Operating System, Zend Framework, or Liferay Portal.
  • New York State drivers are being targeted in a new smishing scam that attempts to steal their personal information. 
  • Several Magecart groups are hiding their JavaScript skimmers, phishing domains, and other malicious tools behind a bulletproof hosting service called Media Land.
  • Cybercriminals are using Windows RDP systems to amplify DDoS attacks. Systems in which RDP authentication is enabled on UDP port 3389 on top of the standard TCP port 3389 are susceptible to these attacks.


Posted on: January 22, 2021
