
Cyware Weekly Threat Intelligence, February 15 - 19, 2021


The Good
North Korean hackers have run amok for a number of years and caused damage wherever they could. But this week the U.S. Department of Justice (DoJ) charged three men who are allegedly part of the state-backed Lazarus APT group. Brace yourself for one of the best pieces of news this week: the data leak site of Egregor was brought down by French, Ukrainian, and U.S. law enforcement agencies. We are hoping that it will act as a major deterrent for ransomware affiliates.

  • The U.S. DoJ indicted three North Korean (DPRK) state-sponsored hackers for stealing cryptocurrency and funds from banks worth $1.3 billion. In another indictment, a Canadian man was arrested for helping the DPRK in money-laundering. 
  • French and Ukrainian Police, along with U.S. law enforcement, detained some individuals for providing logistical and financial support to the gang behind the Egregor Ransomware-as-a-Service (RaaS).
  • A Nigerian national has been sentenced to 10 years in prison for reportedly coordinating an international spear-phishing campaign, resulting in a loss of $11 million. The scheme lasted from 2015 to 2019 and targeted Unatrac Holding Limited.
  • The Center for Internet Security is launching Malicious Domain Blocking and Reporting, a no-cost ransomware protection service, available for every healthcare facility through the MS-ISAC.

The Bad
Every week some new detail pops up about the SolarWinds attack. Apparently, around 100 organizations were breached, and they might be targeted again in the future. Following the recent Oldsmar water treatment plant attack, the FBI has warned against the use of outdated software. So, people, listen to the FBI.

  • Singtel has revealed that 129,000 customers were impacted by a recently disclosed breach. This also includes some employees, partners, and corporate customers.
  • A new report from the White House has revealed that the SolarWinds hack had breached almost 100 U.S. companies, making them potential targets for follow-up attacks. Moreover, it has been revealed that more than 1,000 hackers rewrote around 4,000 of the millions of lines of code in the SolarWinds Orion update to launch the attack.
  • Kia Motors America has suffered a ransomware attack by the DoppelPaymer gang. Following the attack, the gang has demanded a ransom of $20 million to decrypt files and not leak them online. 
  • Russian internet giant Yandex has revealed a data breach after a malicious insider got access to the accounts of thousands of its customers. The incident has affected around 4,887 mailboxes. 
  • The FBI has warned federal government agencies and private companies about the potential threats posed due to the use of outdated Windows 7 systems and TeamViewer software. 
  • The Cuba ransomware gang launched an attack against the Automatic Funds Transfer Services (AFTS) leading to several data breach notifications from agencies in Washington and California. 
  • The Russia-linked threat actor group Sandworm has been tied to a three-year-long stealthy operation that targeted several French entities. The intrusion, which started in late 2017 and lasted until 2020, was carried out by exploiting an IT monitoring tool called Centreon.
  • A cyberattack on the Dutch Research Council (NWO) has forced the organization to suspend its research grants. The attackers compromised servers and made the networks inaccessible.
  • The website of the U.K. cryptocurrency exchange EXMO was knocked offline following a DDoS attack. The attack affected the whole network infrastructure, including the website, API, WebSocket API, and exchange charts.
  • The FBI, CISA, and the Department of the Treasury have released a joint alert highlighting the threats posed to the cryptocurrency sector by North Korean hackers. These hackers are targeting companies and individuals alike by distributing malicious cryptocurrency trading applications.

New Threats
Mac malware has always been less ubiquitous than its Windows counterpart. However, that is no longer the case. Hackers have come up with malware customized for execution on Apple’s new M1 chips. No one’s on the high chair anymore. Anyhoo, macOS wasn’t the only one that got new malware; Windows did too. Heard about the WatchDog botnet before? No? Now you will. Keep your cryptocurrency guarded.

  • A Safari adware extension called GoSearch22 is the first-ever malware designed to target Macs powered by ARM-based M1 chips. The adware is a variant of the Pirrit advertising malware.
  • Researchers have tracked a cryptojacking campaign that was active for almost two years and involved the use of the WatchDog botnet. The operators had used 33 different exploits to target 32 vulnerabilities in Drupal, Elasticsearch, Redis, SQL Server, ThinkPHP, Oracle WebLogic, and Spring Data Commons.
  • A new variant of the Masslogger trojan is being used in attacks aimed at stealing Microsoft Outlook, Google Chrome, and Messenger service account details. The campaign is currently focused on victims in Turkey, Latvia, Spain, Bulgaria, Hungary, Estonia, Romania, and Italy.
  • The IRS has alerted U.S. taxpayers about an ongoing phishing campaign that steals both personal and financial information. Scammers are using the IRS name and/or logo to dupe people into giving access to their data.
  • Security researchers have detected a new Office malware builder, called ApoMacroSploit, that is capable of evading detection by Windows Defender. 
  • Threat actors have been found abusing the Ngrok platform in a new wave of phishing attacks. Some of the malware samples used in the campaign are Njrat, DarkComet, Quasar, Asynrat, and Nanocore.
  • Security experts are warning of a new COVID-19 vaccine phishing scam that tricks users into handing over their personal and financial information. The recipients are informed that they have been selected for a job based on their family and medical history. 
  • The New York State Department of Financial Services issued an alert against hackers targeting flaws in websites offering instant quotes. The attackers are specifically targeting websites providing auto insurance rates to steal driver’s license numbers and other PII.


Posted on: February 19, 2021
