CyberIntelMag's Threat report

Weekly Cyber Threat Report, April 26-30

Welcome to CyberIntelMag’s weekly roundup, the place where you can find the most important cybersecurity stories from the past week.

From the good news:

This week, we learned about Emotet’s final destruction and a new open-source tool from Adobe among other stories.

  • The notorious Emotet botnet has self-destructed on all infected devices with the help of a special module that German law enforcement pushed to infected devices worldwide in January. Emotet was responsible for one of the biggest email spam campaigns in recent history.
  • Following the demise of Emotet, the FBI has expanded the Have I Been Pwned (HIBP) database of compromised credentials with over 4.3 million email addresses that had been stolen by the botnet. Users can now use the HIBP service to check whether their email addresses were compromised by the botnet.
  • Adobe rolled out a new open-source tool that promises improved data processing and threat analysis of log data. Dubbed One-Stop Anomaly Shop (OSAS), it is a “one-stop shop” for data processing that should help security teams discover anomalies in datasets more easily.
  • Following last week’s ban for submitting malicious code to the Linux kernel project, researchers from the University of Minnesota apologized for intentionally submitting patches containing vulnerabilities, which they did without asking because they knew the Linux maintainers would not have granted them permission. “While our goal was to improve the security of Linux, we now understand that it was hurtful to the community to make it a subject of our research,” the researchers said. Nevertheless, the University remains banned from contributing to the Linux project in the future.

From the bad news:

This week brought reports about new malware strains, data breaches at DigitalOcean and other companies, new ransomware attacks, and other important stories you can’t miss.

  • Brazil’s court system, the Tribunal de Justiça do Estado do Rio Grande do Sul (TJRS), was hit with REvil ransomware. The gang encrypted employees’ files and forced the courts to shut down their network. The attack was reported by Brazilian security researcher Brute Bee. The REvil gang demanded a $5,000,000 ransom to decrypt the files.
  • The FluBot botnet is gaining momentum, infecting more and more Android devices and prompting mobile operators Three and Vodafone and the UK’s National Cyber Security Centre (NCSC) to issue warnings. Attacks start with messages about a package delivery via DHL, Asda, Amazon, or Argos.
  • Financial services company First Horizon Corp. reported a data breach in which an unauthorized party accessed customer accounts and stole funds using login credentials obtained from an unknown source. The attacker compromised about 200 customer bank accounts and fraudulently obtained nearly $1 million.
  • Palo Alto Networks Unit 42 described a new commodity cryptocurrency stealer, WeSteal, and a commodity RAT, WeControl. Unit 42 researchers named an Italian malware coder known as “ComplexCodes” as a co-conspirator and the actual author of this malware. “ComplexCodes” has been advertising WeSteal on underground forums since February 2021 and WeSupply since May 2020.
  • Cybersecurity firm Kaspersky detected new malware that it believes is linked to the US Central Intelligence Agency (CIA). Analysis of the collected malware samples revealed coding patterns, style, and techniques that bear similarities to the code of the Lambert APT (aka Longhorn APT).
  • Scammers impersonated Chase in two email attacks in an attempt to steal login credentials. One attack claimed to contain a credit card statement, and the other a notice that the victim’s access to the account had been restricted due to unusual login activity. The attacks successfully bypassed native Microsoft email security controls, Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO), and hit about 9,000 mailboxes.
  • Microsoft has disclosed several memory allocation issues in Internet of Things (IoT) and operational technology (OT) devices that could lead to code execution. Dubbed BadAlloc, the bugs impact various devices from Google Cloud, Amazon, Arm, Red Hat, Texas Instruments, and Samsung Tizen. The full list of affected products is available in this advisory.
  • A new hacker group tracked by Mandiant as UNC2447 breached SonicWall SMA 100 Series VPN appliances via a zero-day vulnerability. Researchers noted that UNC2447’s malware is similar to HelloKitty ransomware.
  • Reverb, a popular musical instrument marketplace, has disclosed a data breach that exposed customer information. Cybersecurity researcher Bob Diachenko discovered an unsecured Elasticsearch server that is probably responsible for exposing the data. The server contained over 5.6 million customer records.
  • DigitalOcean has disclosed a data breach in which attackers got away with customers’ billing information due to a “flaw.” The attack took place between April 9th, 2021, and April 22nd, 2021. The cloud hosting company says only a small fraction of its customers were impacted.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, composed of leading industry experts with over 20 years of experience, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.