Go to listing page

Cyware Daily Threat Intelligence, June 04, 2021

Cyware Daily Threat Intelligence, June 04, 2021

Share Blog Post

A relatively unsophisticated attack that caused a days-long shutdown of Colonial Pipeline was indeed a wake-up call about the rising threat of ransomware. To add more twists to the tale, threat actors have now started taking undue advantage of the incident to launch phishing attacks. Target audiences are being redirected to fake sites that ultimately cause the download of Cobalt Strike.

FreakOut botnet is back in action with an upgraded version. This time, it includes exploits for new vulnerabilities, along with a worm-like module to target vulnerable VMware servers. Meanwhile, in another innovative tactic, Ryuk operators started deploying PowerShell commands as a part of their infection process.

The rising craze for investments in ICO has given a new ray of hope to scammers focusing on cryptoscams on Discord. They are creating fake ICO communities to lure users into making small investments in exchange for huge returns.

Top Breaches Reported in the Last 24 Hours

20/20 Hearing Care Network breached
Threat actors gained access to the Amazon cloud storage bucket of 20/20 Hearing Care Network. This affected the personal and health information—names, addresses, social security numbers, dates of birth, and health insurance—of almost 3.3 million individuals. 

UF Health Central Florida suffers an attack
The UF Health Central Florida suffered a ransomware attack that forced two of its hospitals to shut down a portion of their operations. As a result of the attack, the healthcare network has suspended access to some of its systems, including emails, and implemented backup procedures.

Cox Media affected
Radio and TV stations owned by the Cox Media Group have gone down following a ransomware attack. This has also impacted the internal networks and live streaming capabilities for Cox Media properties.

Colonial Pipeline phishing attack
INKY customers reported receiving emails masquerading as updates on the Colonial Pipeline ransomware attack. These emails contain links to two domains that look legitimate, ultimately leading to the download of Cobalt Strike.

Top Malware Reported in the Last 24 Hours

FreakOut botnet updated
A new version of the FreakOut botnet includes a worm-like module to target vulnerable VMware servers. In addition to that, several new exploits that can work against vulnerabilities in VestaCP, Genexis, SCO Openserver, ZeroShell, and OTRS have also been included in this upgraded version.

New SkinnyBoy malware 
Researchers have discovered a new SkinnyBoy malware that was used in spear-phishing campaigns attributed to the Russia-based APT28. The malware is used to collect information about the victim and retrieve the next payload from the Command-and-Control (C2) server.

Ryuk ransomware updated
In a new update, the operators of Ryuk ransomware are now adopting PowerShell commands to launch their infection process. Apart from this, they are exploiting the WMIC and BitsAdmin to conduct the infection process.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco issues patches
Cisco has shipped fixes for three severe vulnerabilities that affect Webex Player, SD-WAN software, and ASR 5000 series software. The flaws are tracked as CVE-2021-1526, CVE-2021-1502, and CVE-2021-1503. The last two flaws can be exploited to achieve arbitrary code execution on an affected system.

CODESYS automation software has disclosed ten critical vulnerabilities that can be exploited to execute arbitrary code on PLCs. The main cause of the vulnerabilities is insufficient verification of input data. Six of these flaws are identified in the CODESYS V2.3 web server component used by CODESYS WebVisu.

Top Scams Reported in the Last 24 Hours

Discord cryptoscam
Scammers have created fake cryptocurrency communities in Discord in an attempt to attract users to make small investments. One such instance came to light after researchers spotted a fake version of the Mina project. Visitors lured to this project were redirected to a fake site that asked them to complete the registration process and make small payments in order to receive huge returns.


cox media group
colonial pipeline attack
freakout botnet
cobalt strike
ryuk operators

Posted on: June 04, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite