
Cyware Weekly Threat Intelligence, June 07–11, 2021

The Good

The world can be a bit hard sometimes and that’s why we have this weekly dose of good news from the cyber world. For starters, we have this amazing news in which the U.S. Department of Justice (DoJ) and other law enforcement authorities seized servers belonging to one of the largest online marketplaces for stolen credentials. For entrée, the CISA released best practices for mapping threat actor behavior to the MITRE ATT&CK framework. Dessert comes in the form of approximately $2.3 million in bitcoin ransom seized by the DoJ.

  • The DoJ seized approximately $2.3 million in BTC that was intended as a ransom payment to the members of DarkSide, the group behind the Colonial Pipeline attack.
  • According to Europol, law enforcement authorities made more than 800 arrests in raids at 700 locations worldwide under Operation Trojan Shield, wherein the police followed criminals’ activities via AN0M, an encrypted chat platform.
  • One directive from President Joe Biden’s executive order on cybersecurity established a Cyber Safety Review Board (CSRB) in the Department of Homeland Security to investigate major cyber incidents involving government systems.
  • The CISA released best practices for MITRE ATT&CK mapping. This guide will help analysts map adversary behavior to the MITRE ATT&CK framework while encouraging a common language in threat actor analysis.
  • The DoJ announced that law enforcement agencies from the U.S., Germany, the Netherlands, and Romania took down Slilpp, the largest online marketplace for stolen credentials. The multinational operation seized the servers that hosted Slilpp’s infrastructure and domain names.
  • Toshiba researchers successfully sent quantum information over 600-kilometer-long quantum fibers. This development paved the way for the secure exchange of information without scrambling the fragile quantum data encoded in the particles.

The Bad

However, threat actors were at it again with their malicious activities this week. Stolen credentials once again proved to be a threat as 8.4 billion passwords were uploaded on a hacker forum. Gaming companies are still under threat from cybercriminals. One such game publisher suffered an attack wherein the source code for some of its games was stolen. Organizations in Ukraine were targeted in a huge spear-phishing campaign conducted by Russian hackers.

  • Private companies operating in multiple critical infrastructure sectors are being targeted in BEC attacks by scammers impersonating construction companies, warned the FBI. 
  • An attack by the Ragnar Locker ransomware forced the memory and storage manufacturer ADATA to take its system offline. The attack occurred on May 23, following which the firm took preventive measures to contain the infection.
  • An ongoing phishing campaign purporting to be from FINRA is targeting users in an attempt to steal personal details. FINRA has advised users not to click on any link or image in unsolicited emails to stay safe from these attacks.
  • Around 8.4 billion password entries were disclosed on a popular hacker forum. The compilation, which comprises a 100GB TXT file and goes by the name RockYou2021, was stored in plain text.
  • Spammers are leveraging online casino websites—Ducky Luck, Raging Bull Casino, and Sports and Casino—to send deceptive emails to users in an attempt to spread malware. These emails lure the victims into believing that they have won the ‘Grand Prize’ and will receive the amount only after they confirm their account.
  • Ukrainian public and private sectors were targeted in a massive spear-phishing attack carried out by Russian threat actors. The attack was conducted via emails claiming to be from representatives for the Kyiv Patrol Police Department. 
  • A ransomware breach at U.S. constituent engagement software vendor iConstituent impacted at least 60 members of the U.S. Congress, preventing victims from sending emails to their constituents for days.
  • Hackers stole around 780GB of data from the video game publisher Electronic Arts (EA). The intrusion is under investigation and no player data was accessed, claimed the firm. 
  • A ransomware attack forced the foodservice supplier Edward Don to shut down parts of its network to stop the attack from propagating. The attack disrupted the company’s phone systems, network, and email.

New Threats

Ransomware was on our minds as the new BlackCocaine ransomware was found responsible for the attack on Nucleus Software. Diplomatic entities across the Middle East and Africa are in trouble with the emergence of a cyberespionage APT actor. The attacks have been traced back to as early as 2017. This newsletter would be incomplete without mentioning this deplorable development as a pernicious malware has been spotted targeting Kubernetes clusters via Windows containers. This malware is the first of its kind.

  • Researchers connected the Gelsemium threat actor with the supply-chain attack against BigNox. Currently, the group is associated with new campaigns carried out against governments and electronics manufacturers in East Asia and the Middle East.
  • An unnamed malware conducted a data heist on 3.2 million Windows computers. It spread via trojanized Adobe Photoshop versions, pirated games, and Windows cracking tools. The stolen information includes 6.6 million files, 26 million credentials, and 2 billion web login cookies.
  • A new vulnerability in the Transport Layer Security (TLS) protocol allows the theft of session cookies and enables cross-site scripting attacks. Dubbed ALPACA (Application Layer Protocol Confusion), the vulnerability has been successfully exploited at a major Bitcoin exchange website and the Government of India’s webmail service.
  • A new malicious campaign that targets Kubeflow is being used to deploy cryptocurrency mining workloads. These pipelines run a modified version of Google’s TensorFlow open-source library to mine cryptocurrency.
  • The newly discovered BlackCocaine ransomware was held responsible for the attacks on Nucleus Software. Written in Golang, the ransomware uses AES and RSA algorithms to encrypt files. 
  • SteamHide malware has been found using Steam profile images to evade security checks. The recently discovered malware is currently in active development.
  • Siloscape is the first known malware targeting Kubernetes clusters through Windows containers. This heavily obfuscated malware opens a backdoor into poorly configured clusters to launch malware.
  • A newly discovered APT group, dubbed BackdoorDiplomacy, has been connected to successful attacks against Ministries of Foreign Affairs in the Middle East, Africa, Asia, and several African nations. The attacks also targeted telecom firms in Africa and at least one charity outfit in the Middle East.



Posted on: June 11, 2021
