Cyware Weekly Threat Intelligence, May 10 - 14, 2021


The Good

Good cybersecurity comes from putting the right strategies and processes into practice, and the U.S. government is taking steps to strengthen the cybersecurity posture of public sector organizations. With a new presidential executive order, the country has rolled out several proactive measures to bolster its cyber defenses. On the other side of the pond, the U.K.'s NCSC announced a cyber threat warning tool to enable proactive security measures.
  • The U.S. President has signed an executive order on strengthening the country’s cybersecurity defenses. The order comes as a response to the recent SolarWinds and other significant attacks carried out by foreign threat actors.
  • Google, Mozilla, and security firm Cure53 are in the process of developing an API that sanitizes HTML input strings and prevents cross-site scripting (XSS) attacks. The API will be integrated into future versions of Mozilla Firefox and Google Chrome browsers.
  • The U.K.'s National Cyber Security Centre has announced a free cyber threat warning tool that gives timely notification about possible incidents and security issues. The tool, called Early Warning, is the latest Active Cyber Defence service from the NCSC.

The Bad

Well, all is not good in the cyber threat landscape as long as ransomware gangs continue to wreak havoc on organizations. This week, the threat just grew stronger as two big organizations ended up paying ransoms amounting to millions of dollars to recover decryption keys. What’s worse is that researchers dug up data leak sites of 34 ransomware groups that included data for 2,103 organizations, which emphasizes the scale of this threat.

  • The University of California confirmed being affected by the breach involving the Accellion FTA service. As a result, the hackers accessed a heap of personal information on students, current and former employees, and other individuals who participated in UC programs.
  • Babuk ransomware claimed to have breached Yamabiko and stolen employee PII, product schematics, financial data, and more. In other ransomware attacks, two business giants, Colonial Pipeline and Brenntag, reportedly paid over $4 million each in return for decryption keys. Additionally, Volue, a Norwegian software company, reportedly became a victim of a ransomware attack that led to the shutdown of the affected applications.
  • Medical records of roughly 200,000 U.S. military veterans were exposed online by United Valor, a North Carolina-based firm working for the Veterans Administration.
  • The City of Tulsa was crippled by a ransomware attack that impacted the government’s network and knocked its official websites offline. Moreover, Ireland’s Health Service Executive (HSE) was forced to shut down its computer systems after it suffered a cyberattack. The attack is being characterized as a ransomware hack.
  • A group of researchers tracked down data leak sites for 34 ransomware groups that have, so far, leaked the data of 2,103 organizations.
  • Microsoft warned about a massive BEC campaign that targeted over 120 organizations across industries with a gift card scam that involves typo-squatted domains.
  • A cryptocurrency scam that hit some members of Reddit’s WallStreetBets forum resulted in a loss of $2 million. Criminals misled people in a fake transaction on Telegram.
  • ATC Transportation experienced a data incident involving theft of personal information of some current and former employees and applicants.

New Threats

Adding more headaches for researchers, a new Android banking trojan called TeaBot and the new Lorenz ransomware were spotted in fresh campaigns across several countries, serving their operators’ malicious motives. Last but not least, WiFi devices are now at greater risk as the new FragAttacks come under the scrutiny of security experts.

  • Cybersecurity researchers found a new Android banking trojan called TeaBot that hijacks user credentials and text messages to carry out fraudulent activity against banks in Spain, Germany, the Netherlands, Belgium, and Italy.
  • A total of 12 design and implementation flaws, dubbed FragAttacks, in IEEE 802.11 technical standards leave all WiFi devices vulnerable to attacks. These flaws can be exploited by attackers within the radio range of the target.
  • A new and stealthy malware loader called Snip3 is part of an ongoing phishing campaign that targets aerospace and travel organizations. The malware loader has been used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT on compromised systems.
  • Fraudsters are exploiting Telegram groups to dupe people with fake COVID-19 vaccination cards by collecting names and vaccine batch numbers.
  • Researchers spotted 167 malicious banking, trading, cryptocurrency, and foreign exchange apps, mimicking trusted and legitimate brands—such as Kraken, Binance, Gemini, Barclays, and TDBank—on Android and iOS platforms.
  • APT36, also known as Transparent Tribe, created fake domains to impersonate military and defense firms and disseminate malware-laced documents to infect victims with ObliqueRAT and CrimsonRAT.
  • Users of wallet mobile apps Trust Wallet and MetaMask were targeted in Twitter phishing attacks that aimed at stealing cryptocurrency funds from wallets.
  • In a new technique, the Magecart group 12 was identified hiding web shells known as Smilodon or Megalodon inside website favicons. These web shells were used to dynamically load JavaScript skimming code via server-side requests into online stores.
  • Threat actors abused the Microsoft Build Engine (MSBuild) to deploy RATs and fileless information-stealing malware as part of an ongoing campaign. So far, the software has been used to push Remcos RAT, Quasar RAT, and RedLine Stealer payloads.
  • Lorenz is a newly discovered ransomware that targets enterprises worldwide. The Lorenz encryptor is the same as the one used by the ThunderCrypt operation.
  • Researchers observed an updated version of Lemon Duck cryptomining botnet that targeted unpatched Microsoft Exchange servers and attempted to execute payloads for Cobalt Strike DNS beacons.
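The Magecart bullet above describes web shells hidden inside website favicons. As an added example that is not part of the Cyware digest, the Python below is a defender-side triage check: it walks a web root and flags image files whose bytes lack a known image magic number, or that carry PHP open tags, which a real image never contains. Paths, extensions and the sample bytes are constructed assumptions.

```python
# Added example (not from the Cyware digest): a triage check for the
# "web shell hidden in a favicon" technique. It flags files under a web root
# that are served as images but either lack an image magic number or contain
# PHP open tags. Obfuscated payloads can evade this; treat hits as leads for
# review, not as a complete detection.
import os
from typing import List, Optional, Tuple

# Magic numbers for the formats a favicon is normally served as.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')

def image_type(data: bytes) -> Optional[str]:
    """Return the image format implied by the leading bytes, or None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None

def suspicious_reasons(data: bytes) -> List[str]:
    """Reasons a supposed image deserves a closer look (empty list = looks clean)."""
    reasons = []
    if image_type(data) is None:
        reasons.append("no image magic number")
    for marker in PHP_MARKERS:
        if marker in data:  # catches code appended after a valid image header
            reasons.append(f"contains PHP marker {marker!r}")
    return reasons

def scan_webroot(root: str, exts=(".ico", ".png", ".gif", ".jpg", ".jpeg")) -> List[Tuple[str, List[str]]]:
    """Walk a web root (assumed path) and return (path, reasons) for every image that looks tampered with."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    reasons = suspicious_reasons(fh.read())
                if reasons:
                    findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    # Constructed samples: a plausible ICO header, and an ICO header followed by PHP.
    clean = b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 32
    planted = b"\x00\x00\x01\x00" + b"<?php /* constructed placeholder */ ?>"
    print("clean:", suspicious_reasons(clean), "| planted:", suspicious_reasons(planted))
```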



Posted on: May 14, 2021
