Go to listing page

Cyware Weekly Threat Intelligence, March 08 - 12, 2021

Cyware Weekly Threat Intelligence, March 08 - 12, 2021

Share Blog Post

The Good
In the cyber world, the fight against major security threats and risks requires organizations to work together. This week, we witnessed the combined efforts of a U.S. federal government agency and dozens of states to bust a multi-million dollar fraud operation. The open-source community also saw the launch of a new project aimed at improving the adoption of secure code signing.

  • The Linux Foundation rolled out the sigstore project to offer a secure environment to the software supply chain by enabling the easy adoption of cryptographic software signing by developers.
  • The U.S. Department of Justice confiscated the fifth domain faking the official site of Regeneron Pharmaceuticals involved in COVID-19 vaccine development.
  • The FTC collaborated with nearly 40 U.S. states to put an end to a major charity fraud operation that scammed victims of more than $110 million via deceptive charitable fundraising calls.

The Bad
Meanwhile, SolarWinds attacks have taken a backseat, while the Accellion breach has become the mega-breach of the week. Amidst all this, it is raining attacks on Microsoft Exchange servers, with the Norwegian Parliament getting breached for the second time in a span of six months. Sometimes the line between hacktivism and cybercrime gets extremely blurred, which happened in the case of Verkada security cameras breach.

  • The Norwegian Parliament suffered an attack for the second time in six months. The attack was carried out by exploiting a vulnerability in Microsoft’s Exchange software. 
  • An attack by Ryuk ransomware affected more than 700 government agencies across Spain. While the agencies are working on restoring the affected systems, officials claimed that personal data, payroll, and unemployment benefits were not affected by the attack.
  • A ransomware attack paralyzed the systems at Oloron-Sainte-Marie hospital in Southwest France. The incident took place on March 8, following which the gang is demanding a ransom of $50,000 in Bitcoin.
  • The European Banking Authority (EBA) is another victim affected by the exploitation of vulnerabilities in Microsoft Exchange. As a part of security measures, the firm had pulled its email servers offline to contain the attack.  
  • The University of Texas suffered a network outage due to a malicious intrusion. Emails and the server hosting the university’s website were affected by the incident, forcing faculty and students to communicate via blackboard. 
  • Flagstar Bank was added to a list of companies breached due to an Accellion software zero-day vulnerability. So far, the reported victims include Qualys, the Reserve Bank of New Zealand, the Australian Securities and Investment Commission, and Transport for New South Wales, among others.
  • Video surveillance and AI security-based firm Verkada was allegedly breached by a member of the hacktivist group APT 69420 Arson Cats. Video feed from almost 150,000 cameras around the world was leaked. The videos were later posted on Twitter with the OperationPanoticon hashtag.
  • The University of Central Lancashire, along with the University of Highlands and Queen’s University, was hit by a series of cyberattacks. This had affected the systems and other communication devices of these universities.
  • At least 30,000 U.S. organizations have been hacked in a widespread attack that abused four previously known zero-day vulnerabilities found in Microsoft Exchange Server. The flaws are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

New Threats
Several new threats emerged this week featuring the use of new tactics and techniques. A new malware popped up that has been written in the Nim programming language. A hybrid malware with both cryptominer and ransomware capabilities became the double trouble as it infected thousands of devices in just two months.

  • A new sophisticated backdoor malware dubbed RedXOR has been found masquerading as a polkit daemon to target Linux endpoints and servers. Believed to be the work of Chinese nation-state actors, the malware shares similarities with the malware associated with the Winnti umbrella threat actor.
  • The TA800 threat actor group is distributing a malware loader called NimzaLoader in an ongoing highly-targeted spear-phishing email campaign. Written in Nim language, the malware is used to gain initial access to target systems. 
  • A hybrid malware that includes both cryptominer and ransomware capabilities has hit 20,000 machines in the last 60 days. The malware impersonates an ad blocker and OpenDNS service to spread across systems. In February, the Monero Miner cryptocurrency ransominer was propagated in the form of an antivirus installer.
  • The U.K NCSC is warning online shoppers of scams ahead of Mother’s Day. The agency has asked users to be careful of emails and social media messages that may contain links designed to deploy malware or harvest credentials and personal information. 
  • Malicious actors are targeting the Coinbase platform in a new phishing campaign that attempts to steal users’ account credentials. The ultimate purpose is to steal funds from cryptocurrency wallets.
  • z0Miner botnet has been upgraded to take control of Jenkins and Elasticsearch servers to mine Monero. The new botnet variant is now exploiting remote code execution vulnerabilities in Elasticsearch and Jenkins servers to infect devices. 
  • A new ransomware known as Sarbloh is being distributed through malicious Word documents that contain a political message in support of Indian farmers. When executed, the ransomware encrypts files on the computer and appends the .sarbloh extension to the file’s name.  
  • Researchers have discovered that Intel’s CPU ring interconnects are vulnerable to side-channel attacks. This can allow attackers to leak encryption keys, along with other sensitive information. 
  • A new variant of the Gafgyt botnet, that solely relies on Tor, was found actively targeting vulnerable D-Link and IoT devices.


sarbloh ransomware
monero ransominer
microsoft exchange server
flagstar bank
proxylogon vulnerabilities
z0miner botnet
european banking authority
redxor backdoor
norwegian parliament

Posted on: March 12, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.