CyberIntelMag's Threat report

Weekly Cyber Threat Report, May 17-21

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week, we’ve learned about five security bills in the US, several ransomware gangs shutting down, and hacker forums banning ransomware posts, among other stories.

  • On Monday, the U.S. House Committee on Homeland Security adopted five bills designed to bolster the state’s cyber defenses. Designed to improve protection against exploitation of critical vulnerabilities in company networks, the bills followed high-profile cyberattacks against the U.S. this year.
  • Following the disruption and increased attention from law enforcement and media caused by the Colonial Pipeline attack, the REvil and Avaddon ransomware operators said they would stop using forums, would operate “privately,” and would avoid targeting certain entities. The Qlocker ransomware gang then shut down, likely due to fears of increased law enforcement activity. Other ransomware gangs, including Ako (Ranzy) and Everest, decided to shut down as well.
  • Following the Colonial Pipeline attack, a few major hacking forums, among them XSS and Exploit, have banned ransomware posts.
  • Comcast has deployed RPKI on its network to protect against BGP hijacks and route leaks, networking problems that can potentially cause a surge of misdirected internet traffic and even a Denial of Service (DoS). Resource Public Key Infrastructure (RPKI) has primarily been designed to secure the Border Gateway Protocol (BGP), a backbone of the Internet.
  • Researchers at SecurityAffairs described the differences between the Judge and NoCry ransomware, a new variant of the Stupid ransomware, and confirmed that their decryptor for Judge also works for NoCry.

From the bad news:

This week has brought reports about new high-profile breaches by DarkSide, a new Codecov victim, a fake Microsoft Authenticator app, attacks on Toyota subsidiaries, and other important stories you can’t miss.

  • has disclosed a breach in the Codecov supply-chain attack. Unauthorized actors had gained access to a read-only copy of their source code. There is no evidence it had been tampered with, and there is no indication that customers’ data had been compromised.
  • UK insurance company One Call Insurance has been hit by ransomware from the DarkSide gang. The attack took place on May 13th, a few days after the Colonial Pipeline attack on May 7th and a day before the ransomware gang announced it would be shutting down. The company received a £15m ransom demand.
  • Toyota has confirmed a pair of cyber-attacks this week. A ransomware attack hit its European subsidiary Daihatsu Diesel Company, although no ransom demand was made or reported. The second attack, also ransomware, hit Toyota’s US subsidiary Auto Parts Manufacturing Mississippi.
  • Proofpoint research shows how threat actors are cashing in on the rapid shift to the cloud by masquerading as services from Microsoft, Google, and others. In the first three months of 2021, attackers sent 7 million malicious emails from Microsoft 365 and 45 million from Google’s infrastructure.
  • Tessian researchers described how attackers are targeting the booming market for meal-kit delivery services with phishing SMS messages that spoof popular brand names, including HelloFresh and Gousto. Researchers note that the rise in popularity of meal kits coincides with a spike in “smishing” attacks.
  • Dragos has found that a Florida water treatment plant, where hackers attempted to poison the town’s water earlier this year, was potentially involved in another breach at the same time. The company said it was confident the breach did not directly compromise any organization, “but it does represent an exposure risk to the water industry.”
  • A Google Project Zero security researcher says that three weeks after Google released the May 2021 Android security update, four of the patched vulnerabilities were already under attack. The four bugs affect Qualcomm’s GPU and the Arm Mali GPU. Qualcomm commented that the flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited.
  • Japanese online marketplace Mercari has disclosed a major data breach incident, becoming another victim of the Codecov supply-chain attack. Mercari has recently expanded into the United States and the United Kingdom. Tens of thousands of customer data records, including financial information, were stolen by threat actors.
  • Chinese security researchers have found five vulnerabilities in Mercedes-Benz smart cars, four of which allowed remote code execution. The bugs are in the latest Mercedes-Benz User Experience (MBUX) infotainment system.
  • The Check Point Research team found 23 popular mobile apps that, due to serious cloud misconfigurations, exposed Android app data belonging to over 100 million users.
  • A bogus Chrome extension pretending to be “Microsoft Authenticator” on the Chrome Web Store tricked hundreds of people into downloading it. The extension was used by threat actors for phishing purposes.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.