Weekly Cyber Threat Report, Feb 22-26

Welcome to CyberIntel Magazine’s weekly roundup, where you can read the most important stories from the cybersecurity world over the past week.

This week we’ve seen Microsoft open-sourcing its anti-SolarWinds toolkit, more Accellion-related attacks, how invitation-only Clubhouse audio chats can be hijacked, more than 6,700 VMware vCenter servers exposed online, and more.

From the good news:

Google adds an easy way for Android users to check the security of their passwords

Google’s new Password Checkup feature in Android gives users an easy way to check whether the passwords they use have been compromised. Password Checkup works by searching a database of billions of credentials that have been leaked in website breaches over recent years.

ENISA published new cloud security guidelines for the healthcare industry

The European Union Agency for Cybersecurity (ENISA) issued cloud security guidelines with best practices for the healthcare sector. The guidelines aim to help IT and security professionals working in healthcare.

Microsoft open-sourced CodeQL queries to root out SolarWinds malware

Microsoft was praised by security researchers for open-sourcing its CodeQL queries. Organizations can now use the open-source toolkit to check whether they have been compromised in the SolarWinds attacks.

From the bad news: 

China-backed APT31 group cloned NSA Equation Group’s “EpMe” hacking tool

The big surprise came from Check Point researchers, who showed that the China-linked APT31 group cloned the NSA Equation Group’s “EpMe” hacking tool and has been using it for years. According to Kaspersky, which discovered the “EpMe” tool in 2015, it has been in the wild since at least 2001. It was cloned by APT31 sometime in 2014.

Chinese APT Group Cloned NSA Hacking Tool Years Before It Was Leaked Online by Shadow Brokers Group

VMware flaw with a severity rating of 9.8 reported and patched by the company

A remote code execution flaw in VMware’s vSphere HTML5 hybrid cloud suite – CVE-2021-21974 – with a severity rating of 9.8 out of 10 left more than 6,700 VMware vCenter servers exposed and vulnerable online. VMware also disclosed two further vulnerabilities (CVE-2021-21972 and CVE-2021-21973) that could allow hackers to take over unpatched devices and companies’ entire networks. All three bugs were patched by the company this week.

10K Microsoft email accounts hit in FedEx & DHL phishing attacks

Researchers at Armorblox are warning of recent phishing attacks targeting at least 10,000 Microsoft email users, in which attackers disguise themselves as the mail couriers FedEx and DHL Express. Phishing web pages hosted on legitimate domains, including those of Quip and Google Firebase, allowed the emails to slip past security filters, effectively tricking victims into providing their credentials.

10K Microsoft Email Accounts Hit In FedEx & DHL Phishing Attacks

Accellion-related attacks hit over 100 companies, Steris Corporation is the latest victim

The Clop ransomware gang claims responsibility for stealing an unspecified amount of information from Steris Corporation. Steris is the latest victim of the Accellion attacks, which have resulted in 100 companies being attacked and data stolen from 25 of them. Attackers abuse flaws in the Accellion file transfer product, which was no longer being updated because it had reached end of life.

Malicious Amazon Skills can bypass the security vetting process

German and US researchers warn that Amazon’s voice assistant Alexa is vulnerable to malicious third-party Skills. Hackers could publish a Skill under any developer name and make backend code changes after app approval in order to phish out sensitive information. Amazon has downplayed the severity of the findings.

Malicious Amazon Alexa Skills Can Easily Bypass Security

T-Mobile discloses data breach after SIM swapping attacks

T-Mobile, the American telecommunications provider, reported a data breach in which an undisclosed number of customers were affected by SIM swap attacks. These attacks allow bad actors to steal user credentials, take over their online service accounts, and more. This is the fifth data breach disclosed by T-Mobile in the last four years.

Malicious Firefox extension allowed hackers to hijack Gmail accounts

The China-linked APT group TA413 targeted several Tibetan organizations in a cyber-espionage campaign using a malicious Firefox extension designed to hijack Gmail accounts and deploy malware. The series of attacks ran from January through February, according to a Proofpoint report.

Chinese Hackers Use Firefox Extension to Spy On Tibetan Organizations

The Kroger grocery store suffered a data breach

Kroger, another Accellion-related victim, reported a data breach. The grocery chain says no fraud or misuse of financial or personal information has been detected, but out of caution Kroger has arranged to offer credit monitoring to all affected individuals at no cost to them.

Four new hacking groups are targeting critical infrastructure, Dragos warned

Cybersecurity researchers at Dragos identified four new hacking groups that have been targeting industrial systems, mostly in the US and Europe, over the past year. The groups, which the researchers named Stibnite, Talonite, Kamacite, and Vanadinite, have links to the Sandworm group, Dragos reports.

Ukraine accuses Russia-backed hackers of hacking into web-based state document system

Ukraine’s National Security and Defence Council accused Russian hackers of planting malicious documents in the System of Electronic Interaction of Executive Bodies, a web-based state document system. Ukraine did not disclose whether any damage had been caused.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.