Go to listing page

Cyware Weekly Threat Intelligence, May 03–07, 2021

Cyware Weekly Threat Intelligence, May 03–07, 2021

Share Blog Post

The Good

While you anxiously wait for the weekend, here’s a bit of good news to cheer you up. As industrial systems are witnessing increased cybercrime activities, the NSA has provided guidance on securing the connections between IT systems and OT systems. In similar news, the U.S. Attorney's Office for the District of Maryland seized a fake vaccine domain pretending to develop COVID-19 vaccines.  
 
  • Maryland law enforcement shut down a fraudulent website—freevaccinecovax[.]org—that claimed to be a biotech company developing COVID-19 vaccine.
  • The NSA issued an advisory recommending ways to strengthen operational technology (OT) systems security, specifically regarding their connection with IT systems.
  • A researcher from HSE University proposed a new algorithm, to assess vulnerabilities in encryption programs, leveraging a brute-force search of possible options of symbol deciphering.


The Bad

Not everything is sunshine and rainbows in the cyberworld, just like the physical world right now. The Avaddon ransomware gang was pretty busy this week, extorting unfortunate victims. Victims of the Codecov supply chain attack keep popping up almost every week; this week it was Twilio. In other news, there has been a bounty of data breaches. One of the most significant data breaches is that of USAGM.

  • Avaddon ransomware gang threatened to release sensitive information, including passport images, driver’s licenses, and employment contracts, belonging to the NSW Labor Party after gaining access to its computer network in a major cyberattack. 
  • Recently patched flaws in Peloton’s bike software may have leaked sensitive information of customers following several issues in its APIs. The flaws resulted in information leaks even for users in privacy mode. 
  • More than 200 organizations in Belgium were affected by a DDoS attack that took the country’s internet offline. The affected organizations include government, parliament, universities, and research institutes. 
  • The U.S. Agency for Global Media (USAGM) disclosed a data breach that exposed the personal information of current and former employees and their beneficiaries. The data breach was caused in December 2020 following a successful phishing attack.
  • The Codecov supply chain attack claimed Twilio as its latest victim. Several Twilio projects use Codecov Bash Uploader tool that was previously altered.
  • Avaddon ransomware gang claimed to have stolen tens of thousands of SIM cards belonging to Telstra
  • Scripps Health technology servers were hacked, disrupting patient portals. Some patients were forced to reschedule their appointments as a result of the hack.
  • Around 345,000 files from the solicitor-general of the Philippines were made publicly available for almost two months before they were taken down. These files included sensitive information for ongoing legal cases, internal passwords and policies, staffing payment information, and staff training documents.
  • A high-severity vulnerability found in Qualcomm’s Mobile Station Modem (MSM) chips could enable attackers to access text messages, call history, and private conversations of users. The flaw is tracked as CVE-2020-11292 and affects roughly 40% of mobile phones.
  • An Iranian hacker group identified as N3tw0rm threatened to release 110GB of data belonging to H&M Israel. The group is suspected to be affiliated with the Iran-linked Pay2Key.


New Threats

We were blessed, unfortunately, with several new malware strains this week. Researchers found a new threat actor that launched a cyberespionage campaign deploying three new malware. Call it a triple whammy, if you may! The latest Buer loader now comes written in Rust and efficiently evades detection. In the same vein, we should inform you about a new variant of an Android malware—Ghimob—that is on the prowl to steal your banking credentials.

  • Three new malware, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were associated with a massive cyberespionage campaign that targeted many organizations in the U.S. Launched via phishing emails, the attacks were carried out by a new uncategorized group - UNC2529.
  • A new cryptocurrency stealer variant, Panda Stealer, has been found targeting individuals across the U.S., Australia, Japan, and Germany. It is being spread through a global spam campaign that leverages Discord channels. 
  • A malware tracked as Javali, is being widely used to target users in Latin America and Europe. The malware is distributed via phishing emails that pretend to be a delivery notice.
  • The new Buer malware loader variant is being propagated via phishing emails. Dubbed RustyBuer, the new strain is written in Rust language and is capable of delivering Cobalt Strike Beacon as a second-stage payload.
  • A new Windows malware called Pingback has been found using DLL hijacking attack to target Microsoft Windows 64-bit systems. The malware takes advantage of ICMP for its C2 activities.
  • Researchers have demonstrated a new attack technique, dubbed TBONE, that can enable attackers to hack Tesla and other cars remotely without any user interaction. The abuses two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices.
  • A newly revealed DNS bug, dubbed TsuNAME, can now be used by threat actors as an amplification vector in massive reflection-based DDoS attacks against authoritative DNS servers. 
  • Moriya, a previously unknown rootkit, is being used by unknown threat actors to execute passive backdoors on public-facing servers. It enables the attackers to spy on victim network traffic. This rootkit is part of the TunnelSnake campaign. 
  • A new Android malware named Ghimob is impersonating third-party apps to steal and spy on user data. It mainly targets cryptocurrency and online banking.


 Tags

doubledrag
javali trojan
moriya rootkit
panda stealer
pingback malware
tbone attack
tsuname vulnerability
ghimob banking trojan
rustybuer

Posted on: May 07, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite