What we're seeing today, 16 Feb 2021


Today's activity has been moderate. We have observed a large phishing campaign as well as activity attributed to several threat groups, including APT28, Sandworm and APT33. Our daily report has been added to our threat intelligence platform, and there will be many updates throughout the day as new events are processed.



Activity Observations

  • Phishing activity using JP Morgan Chase, PayPal, Bank of the West, Western Union, Salesforce, DocuSign (large targeted campaign), American Express, Capital One, USPS and Adobe themes

  • The daily report is still being worked on; more updates to follow

  • Pyvil and Evilnum activity

  • List of defacements has been published

  • Aggregate feeds are also up to date

  • Web server attack patterns

  • Scans targeting Fortinet VPN and other unpatched VPN vulnerabilities

  • Russian phishing activity uptick

  • Noted uptick in CVE-2012-3152 activity; we are not sure why this older vulnerability is being targeted

  • Unusual activity from 169[.]50[.]13[.]61, 191[.]101[.]5[.]183, 68[.]65[.]122[.]109 and 198[.]202[.]242[.]72, including malware payload delivery and other malicious scanning

  • Malicious (tracking) ads impersonating Home Depot, served through Google Ads

  • Chinese malware campaigns targeting Alibaba users

  • Matryosh Botnet

  • Chopper Web Shell utilization in targeted attacks

  • Trickbot masrv activity

  • Charming Kitten new techniques (Targeting Iran)

  • Fake WhatsApp application distribution noted

  • Fake Google Chrome installers

  • Most active CVE attacks and scans: CVE-2021-25274, CVE-2021-25275 and CVE-2021-25276 are all being actively exploited

  • ICS attacks on CVE-2020-10145 vulnerabilities in several sectors

  • We recommend blocking habr[.]ru: we are finding code there that is being used to break into PHP deployments, as well as code used to build web shells from source that can be compiled remotely once an exploit has succeeded

  • South Korea reports North Korean hacking activity targeting the Pfizer vaccine

  • Some security experts are saying that the SolarWinds activity may have been going on for over three years; this matches the data we have observed in update and CDN traffic, so we concur with this assessment
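The indicators above are published defanged (`[.]` for `.`), so they cannot be pasted straight into a blocklist or a log search. The following is an added example, not code from this report or its authors: it refangs the four IP addresses and the habr[.]ru domain listed above, then runs them against a handful of constructed firewall and DNS query log lines (the log format, hostnames and internal addresses are assumptions for illustration). Subdomains of a listed domain are treated as matches, which is an assumption consistent with the recommendation to block the domain outright.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# Indicators copied from the report above, in the defanged form it publishes them in.
DEFANGED_IOCS = [
    "169[.]50[.]13[.]61",
    "191[.]101[.]5[.]183",
    "68[.]65[.]122[.]109",
    "198[.]202[.]242[.]72",
    "habr[.]ru",
]

# Constructed sample log lines (not from the report): two firewall records and
# DNS query records in an assumed key=value format.
SAMPLE_LOGS = [
    "2021-02-16T14:02:11Z fw01 action=allow src=10.20.1.44 dst=198.202.242.72 dport=443 proto=tcp",
    "2021-02-16T14:02:13Z fw01 action=allow src=10.20.1.44 dst=93.184.216.34 dport=443 proto=tcp",
    "2021-02-16T14:03:40Z dns01 client=10.20.1.51 query=habr.ru type=A",
    "2021-02-16T14:03:41Z dns01 client=10.20.1.51 query=cdn.habr.ru type=A",
    "2021-02-16T14:05:02Z fw01 action=allow src=10.20.1.90 dst=169.50.13.61 dport=80 proto=tcp",
    "2021-02-16T14:05:09Z dns01 client=10.20.1.51 query=www.example.com type=A",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Undo common defanging: [.] / (.) / (dot) -> '.', and hxxp -> http."""
    s = indicator.strip()
    s = re.sub(r"\[\.\]|\(\.\)|\(dot\)|\[dot\]", ".", s, flags=re.IGNORECASE)
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s


def classify(iocs: Iterable[str]) -> Tuple[Set[ipaddress._BaseAddress], Set[str]]:
    """Split refanged indicators into IP addresses and domain names."""
    ips: Set[ipaddress._BaseAddress] = set()
    domains: Set[str] = set()
    for raw in iocs:
        clean = refang(raw)
        try:
            ips.add(ipaddress.ip_address(clean))
        except ValueError:
            domains.add(clean.lower().rstrip("."))
    return ips, domains


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, if any."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_logs(lines: Iterable[str], iocs: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (line, kind, indicator) for every log line that touches a listed IOC."""
    ips, domains = classify(iocs)
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        for ip in IP_RE.findall(line):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
                continue
            if addr in ips:
                hits.append((line, "ip", str(addr)))
        for host in HOST_RE.findall(line):
            if IP_RE.fullmatch(host):  # dotted quads were handled above
                continue
            matched = domain_matches(host, domains)
            if matched:
                hits.append((line, "domain", matched))
    return hits


if __name__ == "__main__":
    for line, kind, ioc in scan_logs(SAMPLE_LOGS):
        print(f"{kind:6} {ioc:16} <- {line}")
```

Run as-is it reports the two firewall connections to listed addresses and both DNS lookups under habr.ru; the lookup of www.example.com and the connection to 93.184.216.34 are not flagged. Dropping the subdomain rule in `domain_matches` would miss the `cdn.habr.ru` query, which is the usual way a hosting domain shows up in resolver logs.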

In addition, we have added the following documents for reference:

AA21-042A: Compromise of U.S. Water Treatment Facility

AA21-008A: Detecting Post Compromise Threat Activity in Microsoft Cloud Environments


Some of our ISAC partners have also provided additional context on some of the events listed above, which has been included in our threat intelligence data.


Other Notes

We have been advising customers to monitor DNS and CDN network activity since 2017. We believe the SolarWinds Orion incident, and others like it, show that we can expect continued supply-chain targeting of vendors presumed to have network-level access to their customers' environments. We have previously warned that DNS RPZ (response policy zone) rewrites could be used to backdoor companies' computing systems, and we have observed strange, sometimes hard-to-believe backdoors in common software served from CDN networks. Stay vigilant, as we are seeing more and more of this activity. We will publish an in-depth report on this in the coming days, with specific examples, samples and other data that will let you draw your own conclusions.


These are some of our most recent observations. In addition, we are still seeing CDN and DNS manipulation that points to malware-hosting locations. It is not known who is responsible for these, as they are widely distributed.


Last Updated: 4:06 PM EST




