Go to listing page

Cyware Daily Threat Intelligence, April 08, 2021

Cyware Daily Threat Intelligence, April 08, 2021

Share Blog Post

REvil ransomware operators never cease to surprise security researchers. With an intent to evade detection while encrypting files, attackers have come up with a refined version of the Safe Mode encryption method. The new change illustrates how ransomware gangs are continuously evolving their tactics to successfully encrypt target devices.   

While REvil ransomware is undergoing evolution, another new ransomware dubbed Cring is being used in the wild to compromise networks that employ vulnerable Fortigate VPN servers.

The Lazarus APT is back in the spotlight for distributing a new malware dubbed Vyveva. The backdoor malware strain has been spotted in an attack against a South African freight and logistics firm.

Top Breaches Reported in the Last 24 Hours

PHP repository hacked
The maintainers of the PHP programming language have issued an update about a security incident that came to light last month. Following the attack, the attackers may have got hold of a user database containing passwords to make unauthorized changes to the repository.

Top Malware Reported in the Last 24 Hours

Web shells steal credit cards
Global payment processor VISA warned that threat actors are increasingly deploying web shells on compromised servers to exfiltrate credit card information from online store customers. The web shells are used to inject malicious scripts, known as credit card skimmers, into hacked online stores.

REvil ransomware evolves
The operators of REvil ransomware have added a new Safe Mode encryption method that automatically logs Windows into Safe Mode before performing the encryption process. With this new sample, the ransomware will change the user’s password to ‘DTrump4ever.’

New Cring ransomware
The newly discovered Cring ransomware is being used in attacks that exploit a vulnerability in Fortigate VPN servers. Fortinet issued a security patch to fix the vulnerability last year, however, cybercriminals can still deploy the exploit against networks that are yet to apply the security update.

New Vyveva backdoor spotted
The Lazarus APT group has been tied to a new backdoor malware dubbed Vyveva that was used against a South African freight and logistics firm. The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a C2 server remotely, and execute arbitrary code.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerable Domain Time II network
A vulnerability residing in the ‘Domain Time II’ network time solution can lead to Man-on-the-Side (MotS) attacks. This can enable attackers to intercept the UDP query and deliver their own URL to the software. A patch to address the issue has been released with Domain Time II version 5.2.b.20210331.

Cisco fixes a flaw
Cisco has released security updates for several vulnerabilities affecting SD-WAN vManage Software’s remote management component. One of these is a critical pre-authentication RCE vulnerability tracked as CVE-2021-1479. The other two high-severity vulnerabilities are CVE-2021-1137 and CVE-2021-1480.                                                                                                                                                                                                                       

Top Scams Reported in the Last 24 Hours

Fake Trezor app steals crypto coins
Several Trezor users have been duped by a fake app that stole more than $1 million worth of crypto coins. The app was available on the App Store for at least two weeks and downloaded 1,000 times before it was taken down.

Phishing through legitimate services
Cybercriminals are increasingly using legitimate services, such as Google Forms and Telegram bots, to steal user data from phishing websites. These services are used by threat actors to generate web pages mimicking online services.


revil ransomware
fake trezor app
telegram bots
cring ransomware
vyveva backdoor

Posted on: April 08, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite