Go to listing page

Cyware Weekly Threat Intelligence, June 14–18, 2021

Cyware Weekly Threat Intelligence, June 14–18, 2021

Share Blog Post

The Good

“You're gonna clap your hands, Gonna wanna dance when you hear it.” Because we have loads of good news to give your morning a fresh start. Another ransomware has locked up its business and sent the decryption keys for its victims. A change of heart? Perhaps not! In a latest technological advancement researchers developed a smart home system that doesn’t eavesdrop on your conversations. There cannot be a good end to the week without cybercriminals being punished for their deeds. Microsoft broke up the cloud infrastructure used by BEC scammers.

  • The NSA has released mitigations and best practices for system admins to follow in order to secure Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems. 
  • Thousands of online marketplaces parading as pharmacies were taken down by Interpol in Operation Pangea XIV. These marketplaces pushed fake and illicit medicines and drugs as well as fake COVID-19 testing kits.
  • One of the most prolific ransomware of our times—Avaddon—announced shutting down its operations and providing a decryption tool for free. The file was sent to BleepingComputer and had decryption keys for all 2,934 victims.
  • Ukrainian police allegedly busted members of the Cl0p ransomware gang that extort money from foreign businesses, located specifically in the U.S. and South Korea.
  • Researchers at the University of Rochester devised an approach called TimeCache that protects against side-channel attacks like evict+reload and Spectre, with a tiny performance impact.
  • Microsoft researchers disrupted the cloud-based infrastructure used by BEC scammers in a recent large-scale attack campaign aimed at Office 365 users.
  • Researchers at the University of Michigan developed a system called PrivacyMic that can filter out audible sounds, thereby offering more security and privacy to users of smart home systems.


The Bad

When an organization is repeatedly hit by cyberattacks, it raises some serious questions about its security posture and what it is doing to protect sensitive information. Take the case of Carnival Corporation. The firm has been hit with security breaches multiple times in the past couple of years, with the latest one this week. Once again, we cannot escape from the news of misconfigured databases as Cognyte left bare billions of records exposed. The monumental SITA breach has finally been attributed to the APT41 threat actor.  

  • The Polish parliament stated that individuals and institutions were targeted in a series of cyberattacks. The incident follows the breach of the private email account of the head of the prime minister’s office.
  • Around 20GB of confidential files containing personal information—full names, physical addresses, purchase details, phone numbers, and email addresses—of retail customers was exposed due to an unprotected Amazon AWS bucket. In the same vein, a misconfigured database belonging to Cognyte had exposed more than 5 billion records for three days before security professionals secured it. 
  • An online database containing 204GB of data belonging to CVS Health disclosed over a billion records due to a misconfiguration issue. The data includes production records of visitor IDs, session IDs, and device access information.
  • The TA402 threat actor group, also known as Molerats and GazaHacker, was found responsible for a cyberespionage campaign targeting government agencies in the Middle East. 
  • Scammers were spotted sending fake replacement devices to Ledger customers affected in a recent data breach in an attempt to steal from their cryptocurrency wallets. Although the device looked legitimate, the printed circuit board was modified.
  • Taobao, Alibaba’s shopping operation, suffered a data breach exposing the usernames and phone numbers of a billion users. The information was lifted from the site by a crawler developed by an affiliate marketer.
  • NFT creators and digital artists were targeted in a Redline malware campaign, enabling the threat actor to swipe the former’s profits. According to reports, the attacker impersonated NFT creators and approached Twitter users with business deals that tricked them into downloading and running a malware-laced file.
  • A security vulnerability in the Peloton Bike+ and Peloton treadmill equipment could expose gym users to a variety of cyberattacks. The flaw has no CVE details and can allow a hacker to gain remote root access to the Peloton’s tablet. A patch has been issued.
  • The data breach at SITA, a global IT service provider for 90% of airlines worldwide, was traced back to the Chinese state-sponsored threat actor APT41 by the Group-IB team.
  • Carnival Corporation suffered a data breach wherein attackers gained access to its email accounts and customer and employee data. The data included names, addresses, phone numbers, dates of birth, passport numbers, health information, and in some special cases, social security numbers. 


New Threats

Well well well, what do we have here? A novel malware has been discovered that doesn’t fit any typical malware motive, as of now. It instead tries to ban software piracy! A new Mirai variant has been found that scans Tenda routers for uncommon flaws. Finally, we have an opportunistic hacker trying to fly under the name of DarkSide to misdirect the defenders.
  
  • The new DarkRadiation ransomware targets RedHat and CentOS Linux distributions. The ransomware is under active development. 
  • The BelialDemon threat actor was found advertising a new malware-as-a-service called Matanbuchus Loader on dark web markets and Telegram channels. The malware can drop second-stage malware payloads from C2 infrastructure.
  • A pretty complex malware named DirtyMoe is being used in cryptojacking and DDoS attacks. Linked to Chinese threat actors, the malware is currently being deployed via the PurpleFox exploit kit.
  • A new SEO poisoning tactic is propagating the SolarMaker malware via PDF documents filled with keywords and malicious links. The backdoor malware is capable of stealing data and credentials from browsers.
  • A Mirai variant Moobot was discovered scanning Tenda routers for known but uncommon vulnerabilities. This malware strain primarily targets exposed and vulnerable Docker APIs to include them in its DDoS botnet. 
  • Experts revealed a new phishing campaign wherein actors abuse Google Docs to deliver malicious links aimed at stealing victims’ credentials.
  • A faux DarkSide threat actor is sending threatening emails to several organizations in the energy and food sector, claiming to have breached their network. The actor is demanding a ransom of 100 BTC in lieu of public disclosure of sensitive data. 
  • The newly discovered Vigilante malware aims at piracy by preventing unauthorized downloading of pirated software or games. It also tries modifying the victims’ computers so that they can’t access pirate sites. 


 Tags

apt41
molerats
dirtymoe malware
seo poisoning tactic
redline stealer
avaddon ransomware gang
darkradiation ransomware
vigilante malware
moobot

Posted on: June 18, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.