Go to listing page

Cyware Weekly Threat Intelligence, May 31–June 04, 2021

Cyware Weekly Threat Intelligence, May 31–June 04, 2021

Share Blog Post

The Good

Ransomware has become a scourge that is not going away anytime soon. As many organizations are not prepared to respond to such threats, the active involvement of law enforcement authorities can be a major help. Along similar lines, the U.S. Department of Justice has taken steps to prioritize ransomware-related investigations. Public schools are having a hard time with ransomware threats too. Now, IBM has announced a grant to aid K-12 schools in bolstering their defenses.

  • The U.S. DOJ seized two C&C and malware distribution domains that were used as part of a recent phishing attack against the U.S. Agency for International Development (USAID).
  • IBM announced a $3 million grant to U.S. public K-12 schools to help school officials bolster their defenses while proactively responding to cyberattacks, especially by ransomware operators.
  • Under its Operation HAECHI-I, Interpol claimed to intercept $83 million in funds from being transferred from victims' accounts to the attackers behind various financial cybercrimes.
  • The U.S. Department of Justice announced to elevate investigations of ransomware attacks to a similar priority as terrorism in the wake of the recent attacks on critical infrastructure and government agencies.
  • Microsoft brought together 15 policy makers across seven Asia Pacific markets, including South Korea, Singapore, Indonesia, to enable threat intelligence sharing amongst their respective public sectors.

The Bad

Cyberattacks are bad. Period. But, attacks on food supply chains are the worst! The FBI finally found the Sodinokibi gang responsible for the deleterious attack on JBS Foods. After the Scripps Health attack, another hospital network fell victim to a ransomware attack and had to resort to pen and paper. A notable scam—Walmart phishing campaign—has been observed that aims to steal credentials for identity theft. 

  • An unprotected Elasticsearch database caused AMT Games to accidentally leak profiles of nearly six million players associated with the “Battle for the Galaxy” game. The database contained 1.5TB of data. 
  • A misconfigured database, containing names, IP addresses, and payment information of the customers, belonging to DDoS-Guard was put on sale on a cybercrime forum. The entire set is being auctioned off at a starting price of $350,000.
  • The FBI held the Sodinokibi ransomware group responsible for the attacks on JBS Foods. The attack impacted production plants located in the U.S., Australia, and Canada.
  • Google ads are being infected with malicious packages of AnyDesk, Dropbox, and Telegram apps to distribute Redline, Taurus, Tesla, and Amadey trojans. 
  • The Swedish Public Health Agency shut down SmiNet after being the target of several hacking attempts. No evidence of unauthorized parties accessing sensitive information has been found so far; investigation ensues.
  • A subscribe-unsubscribe spam campaign is making the rounds, attempting to confirm valid email accounts that can used in future phishing and spam campaigns. These emails ask the recipients to subscribe or unsubscribe from an unnamed service. 
  • A Walmart phishing campaign is underway that attempts to steal users’ personal information. The ultimate goal of the campaign is to collect information to conduct identity theft attacks.
  • The U.K’s largest independent furniture retailer, Furniture Village, confirmed being hit by a cyberattack. Backend systems, including delivery, phones, and payments systems, still suffer outage.  
  • The Steamship Authority, Massachussets’ largest ferry service, was hit by a ransomware attack, disrupting some operations. 
  • UF Health Central Florida witnessed a blow to its IT network caused due to a ransomware attack. UF Health The Village Hospital and UF Health Leesburg Hospital are incapable of accessing their computer systems and email because of the attack. 

New Threats

While last week we witnessed Nobelium’s attempts to create headlines with new attacks, this week the group went a step further by using a poisoned update installer. Antivirus solutions now have a new enemy in the form of two new attack techniques - Cut-and-Mouse and Ghost Control. Let’s end this section by informing you of two emerging ransomware, called Prometheus and Grief. These two groups have already made their name in the cybercrime world with numerous attacks in recent months.  

  • An ongoing spear-phishing campaign associated with a China-based APT group has been uncovered by researchers. The campaign is targeting the Ministry of Foreign Affairs in a Southeast Asian nation using an unknown backdoor named SharpPanda.
  • The Necro Python botnet got its functionalities updated with new exploits and mining abilities. It targets Linux-based and Windows operating systems. 
  • TheNobelium threat actor group is using a new poisoned update installer in its latest wave of attacks. 
  • A new attack technique dubbed Cut-and-Mouse and Ghost Control can be used to bypass ransomware defense in antivirus solutions. Researchers demonstrated that these twin attacks leverage security weaknesses in popular software applications and can enable attackers to takeover applications.
  • Prometheus and Grief are two emerging ransomware groups to have joined the data extortion game. While the former has ensnared data of 27 organizations, including that of some Mexican government agencies, the latter has affected five firms.
  • A new campaign is propagating TeaBot and FluBot banking trojans on Android phones. The trojans can perform various keylogging activities, steal Google Authentication codes, intercept messaging, and even take control of devices.
  • A new backdoor dubbed Facefish can allow attackers to take over Linux systems and steal sensitive data. It targets Linux x64 systems and can drop multiple rootkits at different times. 
  • A new ransomware named Epsilon Red, similar to the REvil ransomware, targeted a U.S. company in the hospitality sector. Written in Golang, the ransomware is distributed via unpatched Microsoft Exchange servers.


prometheus ransomware
metropolitan transit authority
jbs foods
ghost control attack
facefish backdoor
epsilon red ransomware
cut and mouse attack
necro python botnet

Posted on: June 04, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.