Cybersecurity Weekly: Exchange malware, Trickbot surges, new Nim malware

March 17, 2021 by Sam Fay

Hackers are targeting Microsoft Exchange servers with ransomware. TrickBot takes over after cops kneecap Emotet. Researchers spotted malware written in Nim programming language. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Hackers targeting Microsoft Exchange servers with ransomware

Intelligence agencies and cybersecurity researchers warn that unpatched Exchange Servers could open the pathway for ransomware infections in the wake of swift escalation of the attacks since last week. Cybercriminals are now leveraging the heavily exploited ProxyLogon Exchange Server flaws to install a new strain of ransomware called DearCry.
Read more »


2. TrickBot takes over after cops kneecap Emotet

A massive malicious spam campaign, along with the global takedown of Emotet, vaulted the TrickBot trojan to the top of the Check Point’s list of the most popular malware among cybercriminals for February. Following the worldwide law-enforcement effort to take down Emotet in January, cybercriminals pivoted to TrickBot.
Read more »

3. Researchers spotted malware written in Nim programming language

Cybersecurity researchers unwrapped an interesting email campaign undertaken by a threat actor that has taken to distributing a new malware written in Nim programming language. Dubbed NimzaLoader by researchers, the development marks one of the rare instances of Nim malware discovered in the threat landscape.
Read more »

4. New browser attack allows tracking users with JavaScript disabled

Researchers discovered a new side-channel that can be reliably exploited to leak information from web browsers that could then be leveraged to track users even when JavaScript is completely disabled. This is a side-channel attack which doesn’t require any JavaScript to run, which means script blockers cannot stop it.
Read more »


5. ProxyLogon PoC exploit released

The U.S. CISA and the FBI on Wednesday issued a joint advisory warning of active exploitation of vulnerabilities in Microsoft Exchange on-premises products by nation-state actors and cybercriminals. The attacks have primarily targeted local governments, academic institutions, non-governmental organizations and businesses.
Read more »


6. Critical preauth RCE flaw found in F5 Big-IP platform

Last week, F5 Networks published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service attack and even unauthenticated remote code execution on target networks. The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer.
Read more »


7. Molson Coors brewing operations disrupted by cyberattack

In a Form-8K filed with the SEC last week, Molson Coors disclosed that they suffered a cyberattack on March 11th, causing significant disruption to their operations, including the production and shipment of beer. Although the company is actively managing this cybersecurity incident, it caused a delay to parts of the company’s business.
Read more »


8. OVH data center fire likely caused by faulty UPS power supply

Last week, OVH founder and chairman Octave Klaba provided an explanation for the fire that had burned down OVH data centers in Strasbourg, France. OVH customers were advised at the time to enact their disaster recovery plans after the fire had rendered multiple data centers unserviceable, impacting websites around the world.
Read more »


9. Another Google Chrome zero-day bug found actively exploited in the wild

Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month. While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use after free vulnerability in its Blink rendering engine.
Read more »


10. Malspam campaign uses icon files to delivers NanoCore RAT

Researchers at Trustwave spotted a new malspam campaign that is abusing icon files to trick victims into executing the NanoCore remote access Trojan. The messages claim to be from a purchase manager of organizations that are being spoofed by attackers, and they use an attachment named NEW PURCHASE ORDER.pdf*.zipx which is actually an image binary file.
Read more »

Posted: March 17, 2021
Sam Fay
View Profile