Go to listing page

Cyware Weekly Threat Intelligence, April 05 - 09, 2021

Cyware Weekly Threat Intelligence, April 05 - 09, 2021

Share Blog Post

The Good
No preambles, let’s just dive right into the good news for this week. Memory safety bugs in Android might just become an issue of the past, or at least be reduced, by a recent development by Google. In another vein, Microsoft released an open-source cyberattack simulator to help developers experiment with AI-controlled cyber agents.

  • The open-source version of Android will have some OS parts that can be built on Rust, announced Google. This comes as an initiation to reduce memory safety bugs.  
  • An open-source cyberattack simulator has been developed by Microsoft that would allow developers to create simulated environments to play against AI-controlled cyber agents. Dubbed CyberBattleSim, this Python-based Open AI Gym Interface models the way intruders spread laterally on a network.
  • The Australian Capital Territory government will be investing $700,000 in the Canberra Cyber Hub with the purpose to transform Canberra into the cyber capital of Australia.
  • Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent ports from being abused in NAT Slipstreaming 2.0 attacks. 

The Bad
Tick tock on the clock, but the threat party don’t stop. Only that the party is hosted by cybercriminals and nobody else is having any fun. Attacks on educational institutions seem to be never-ending. We don’t need to tell you how important it is to keep your credit card info to yourself. Visa has asked users to be extra careful amidst increasing web shell attacks. Also, better check your smartphone as it may have come loaded with some pesky adware straight from the manufacturer.

  • A data breach affected Michigan State University as a side-effect of a cyberattack on an Ohio law firm Bricker & Eckler LLP. 
  • A massive cryptojacking attack campaign, delivering a UPX-packed cpuminer, is targeting U.S-based educational organizations. The first attack was spotted on February 16. 
  • Global payment processor VISA warned that threat actors are increasingly deploying web shells, to inject malicious scripts, on compromised servers to exfiltrate credit card information from online customers. 
  • A misconfigured Elasticsearch server belonging to Office Depot Europe leaked nearly one million records, including customer names, phone numbers, home and office addresses, and marketplaces logs. 
  • Gigaset mobile device users are encountering unwanted apps that are downloaded via a pre-installed system update app named com.redstone.ota.ui. Three different versions of a trojan, capable of sending SMS and WhatsApp messages, redirecting users to malicious game sites, and downloading additional malware-laced apps, are installed by the app
  • OnlyFans suffered a breach of hundreds of private videos and images after a shared Google Drive was posted online. 
  • Data of 533 million Facebook users were posted on a cybercrime forum. The leaked data includes phone numbers, Facebook IDs, birth dates, gender, and location. 
  • Conti ransomware claimed to have attacked Broward County Public schools and demanded a $40 million ransom. More than 1TB of data has been stolen that includes social security numbers, addresses, birth dates, and contact information. 

New Threats
The frustrations for security teams have come to a head as this week brought us a bounty of very scary, very real new threats. REvil got another upgrade in the form of its encryption method. Will it ever stop? The Lazarus APT group is back with a new malware, which was already used against a South African logistics firm. Last but definitely not least, a new maldoc builder has entered the threat landscape and comes in two different versions.

  • Iran-based APT34 threat actor group was found to be responsible for a cyberespionage campaign against organizations in Lebanon. The campaign deployed a new backdoor called SideTwist and was propagated via phishing emails.
  • New methods involving malicious Android apps disguised as TikTok and offers for free Lenovo laptops are being used to disseminate adware on smartphones. Users are being lured via SMSes and WhatsApp messages.
  • A large-scale tech support scam that warns users to renew their antivirus subscriptions was unveiled. The scam is widespread on sites using low-quality ad networks. 
  • REvil ransomware operators added a new version of Safe Mode encryption that automatically logs Windows into Safe Mode before performing the encryption process. 
  • Cring ransomware is well on its way to exploit a vulnerability in Fortigate VPN servers. Although Fortinet issued a security patch to fix the vulnerability last year, cybercriminals are deploying the exploit against networks that are yet to be patched.
  • The new backdoor malware Vyveva was used by the Lazarus APT group against a South African freight and logistics firm. The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a C2 server remotely, and execute arbitrary code.
  • Dubbed FlixOnline, this newly discovered Android malware lures users by promising free Netflix subscription. The malicious software steals WhatsApp conversation data and spreads false information.
  • Brazilian organizations are under attack by a new banking trojan dubbed Janeleiro. The trojan is similar other trojans such as Casbaneiro, Grandoreiro, and Mekotio, and is distributed via phishing emails.
  • A new malicious document builder known as EtterSilent is being used to run cybercriminal schemes. The tool comes in two versions: one that exploits a vulnerability in Microsoft Office, and another one that imitates the digital signature product DocuSign.
  • A cyberespionage campaign, which was launched against dozens of organizations in Vietnam, saw the distribution of two new malware named FoundCore and DropPhone. The threat actor has been loosely tied to the Chinese Cycldek threat actor group.


janeleiro trojan
cring ransomware
vyveva backdoor

Posted on: April 09, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite