InForce Cyber

Threat Report February 2021

The month of February was the month of the Data L attacks. Here are some topics to support this statement:

Comcast US

Security researcher Jeremiah Fowler discovered an unprotected database belonging to the company. The database was 477.95GB in size and contained 1,507,301,521 records. Exposed data included technical logs and the email addresses and hashed passwords of Comcast’s Development team, as well as error logs, alerts, and job scheduling records, and more. The database has since been secured.            

Washington State Auditor

Accellion informed the Office of the Washington State Auditor (SAO) its files had been accessed due to a flaw in Accellion’s file transfer service. The unauthorised access reportedly occurred in late December 2020. The SAO stated that the impacted data includes information from the Employment Security Department, such as names, Social Security numbers, bank account numbers, and more. The files of other state agencies and some local governments have also reportedly been impacted.

Amazon and Ebay

CyberNews researchers observed a hacker selling data supposedly taken from Amazon or eBay accounts from 2014 to 2021 in 18 countries. Leaked data is said to include customers’ full names, postal codes, delivery addresses, and shop name, as well as 1.6 million phone records. The researchers stated it remains unclear where the attacker obtained the data, and Amazon found no data breaches.

Probe of credit card fraud at Senate will include banks–Win

BANKS, specifically “unauthorized” transactions involving them, would be included in an investigation on credit card fraud currently pursued at the Senate.

Senator Sherwin T. Gatchalian, vice chairman of the Senate Committee on Banks, Financial Institutions and Currencies, said last Wednesday they are focusing the probe into efforts of the Bangko Sentral ng Pilipinas (BSP) and private banks to safeguard the interests of bank clients.

Gatchalian observed that since he was victimized by credit card racketeers, the complaints from other scan victims continue to mount, as his office continue to receive complaints from similar victims of “unauthorized on-line bank fund transfers and credit card transactions.”

Apple users targeted by ‘mysterious’ malware

About 30,000 Mac devices have been infected with a mysterious piece of malware.

The „unusual“ Silver Sparrow strain silently affected systems in more than 150 countries around the world.

It was discovered by researchers at security company Red Canary, who have yet to determine its purpose.

Apple says it has taken steps to restrict the potential damage the malware, which targets devices with its new M1 chip, could cause.

Its actions effectively prevent any new devices from being infected.

Hackers hit 10,000 mailboxes in phishing attacks on FedEx and DHL Express

Researchers reported Tuesday that they found two email phishing attacks targeting at least 10,000 mailboxes at FedEx and DHL Express that look to extract a user’s work email account.

In a blog released by Armorblox, the researchers said one attack impersonates a FedEx online document share and the other pretends to share shipping details from DHL. The phishing pages were hosted on free services such as Quip and Google Firebase to trick security technologies and users into thinking the links were legitimate.

According to the researchers, the two email attacks employed a broad range of techniques to get past traditional email security filters and pass the “eye tests” of unsuspecting end users:

Social engineering. The email titles, sender names, and content did enough to mask their true intention and make victims think the emails were from FedEx and DHL. Emails informing users of FedEx scanned documents or missed DHL deliveries are common, so most users tend to take quick action on these emails instead of studying them in detail. 

Brand impersonation. In the FedEx attack, the final phishing page spoofs an Office 365 portal packed with Microsoft branding. Requiring Microsoft account credentials to view an invoice document also passes the “logic test” because most people get documents, sheets, and presentations from colleagues every day that consists of the same workflow. The DHL attack payload uses Adobe for its impersonation attempt, with the same underlying logic.

Hosted on Quip and Google Firebase. The FedEx attack flow has two pages, the first one hosted on Quip and the final phishing page hosted on Google Firebase. The inherent legitimacy of these domains lets the email  get past security filters built to block known bad links and files.

Link redirects and downloads. The FedEx attack flow has two redirects, and the DHL attack includes an HTML attachment rather than a URL for its phishing goals. These modified attack flows obfuscate the true final phishing page, another common technique used to fool security technologies that attempt to follow links to their destinations and check for fake login pages.

Hackers Exploit Accellion Zero-Days in Recent Data Theft and Extortion Attacks

Cybersecurity researchers on Monday tied a string of attacks targeting Accellion File Transfer Appliance (FTA) servers over the past two months to data theft and extortion campaign orchestrated by a cybercrime group called UNC2546.

The attacks, which began in mid-December 2020, involved exploiting multiple zero-day vulnerabilities in the legacy FTA software to install a new web shell named DEWMODE on victim networks and exfiltrating sensitive data, which was then published on a data leak website operated by the CLOP ransomware gang.

But in a twist, no ransomware was actually deployed in any of the recent incidents that hit organizations in the U.S., Singapore, Canada, and the Netherlands, with the actors instead resorting to extortion emails to threaten victims into paying bitcoin ransoms.

Data Breaches
More than 6,700 VMware servers exposed online and vulnerable to major new bug
Proof-of-concept exploit code has been published online earlier today, and active scans for vulnerable VMware systems have been detected already.More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies’ entire networks.Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets.
Npower app attack exposed customers’ bank details
Energy firm Npower has closed down its app following an attack that exposed some customers’ financial and personal information.Contact details, birth dates, addresses and partial bank account numbers are among details believed stolen.The firm did not say how many accounts were affected by the breach, which was first reported by MoneySavingExpert.com.But the affected accounts had been locked, Npower told the BBC.“We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website. This is known as ‘credential stuffing’,“ the firm said in a statement. 
45, 000 patients at Covenant HealthCare potentially exposed by data breach
SAGINAW, Mich. (WJRT) – Covenant HealthCare in Saginaw is working tonotify 45,000 of its patients who may have been affected by a data breach.The move comes after two employees email accounts were compromised in May 2020.In a written statement, hospital officials say they aren’t aware ofany reports of identity theft, fraud or improper use of any patient’sinformation after an extensive forensic audit was completed inDecember.The hospital says the FBI discovered someone was attempting to selllogin and password access to Covenant’s network on the dark web.Two employees’ emails were compromised for less than one hour when thebreach happened. Those email accounts contain personal information,including names, addresses, Social Security numbers and othersensitive information.
Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malware
Latin American Javali trojan weaponizing Avira antivirus legitimate injector to implant malwareIn the last few years, many banking trojans developed by Latin American criminals have increased in volume and sophistication. Although exists a strong adoption of technologies with the goal of protecting the final user such as plugins, tokens, e-tokens, two-factor-authentication mechanisms, CHIP, PIN cards, and so on, online fraud is still on the rise and every day implementing new tactics, techniques, and procedures (TTP) to evade antivirus and Endpoint Detection & Response systems.In this article, we will into the details of the Javali trojan banker, introduced and tracked by the Kaspersky Team, and targeting Latin American countries, including Brazil and Mexico banking and financial organizations.

Trending Malware By Threat Actors

Attack Type mentions in Critical Infrastructure


  1. Following Microsoft critical vulnerabilities, update all vulnerable services
  2. Only allow traffic to necessary and well secured ports
  3. Update AV solutions
  4. Phishing training for the employees.
  5. Regular pentests would identify possible weak points
  6. Encrypt data in transit and in rest