Ransomware remains a growing and increasingly problematic threat to organizations across all industries. Posing a significant and increasing threat throughout 2021, ‘Big game hunter’ ransomware campaigns, orchestrated by highly sophisticated organized cybercriminal groups, continue to compromise and extort high-value ransoms from victim organizations across all industries.

Following December 9th, 2021, the news of a Log4j Remote Code Execution (RCE) vulnerability began to grow (Figure 1). In addition to various malware families that already have utilized this vulnerability and added it to their delivery methods arsenal, more vulnerabilities related to this case were published, making Log4j, once simple Java-based logging utility, “the talk of the internet” these days.

On Dec. 9, 2021, a remote code execution (RCE) vulnerability in Apache log4j 2 was identified, (Dubbed “Log4Shell” by researchers), affecting massive amounts of servers all over the world. As this vulnerability gains high traction worldwide, it’s important to note, that not only internet facing java applications are vulnerable, as user input can traverse to another non-internet facing machines and exploit these as well.

Known to be one of the most useful popular and dangerous threats, Emotet, firstly seen in 2014, is a Malware-as-a-Service (MaaS), that used to operate as a banking trojan targeting banks in Germany, Austria and Switzerland. Since 2017, Emotet has done a shift into a loader and took parts in campaigns, setting up for Trickbot delivery, deployment of ransomware such as Conti and Ryuk, and other malwares such as QuakBot, Azorult, SilentNight and more.

True Login phishing kits are continuously being developed by threat actors to improve their TTPs in luring victims. By using true login kits, the phishing operators have a higher chance of making potential victims believe they are logging into the real website. True login kit developers are abusing publicly available APIs of the banking company to be able to query login information to be shown to potential victims, in turn luring the victim even further into the operations.

During the past month, the following notable high-severity vulnerabilities have been observed. It is recommended that those using affected products take immediate action to assess their exposure and patch and/or remediate as necessary.

Previously used the Thumbler and Faceit gaming platforms to access dynamic configuration from threat actors, new campaigns of Vidar Stealer's more recent versions suggesting a new venue where Vidar receives dynamic configurations and dropzone information for downloading and uploading files.

Details of a high severity remote code execution (RCE) vulnerability in Microsoft's proprietary browser engine 'MSHTML', also known as 'Trident', were released by Microsoft on September 7, 2021, and promptly followed by reports of active exploitation in the wild.

CVE-2021-26084, a critical vulnerability (CVSS score 9.8) in Atlassian Confluence Server and Confluence Data Center, is currently being actively and widely exploited by threat actors.

Cyberint Research observed several unsolicited malicious email (malspam) campaigns in August 2021 through which Masslogger was delivered. First noticed around April 2020, Masslogger is a popular.NET credential stealer used to gather credentials from victims for various applications, and is readily available to purchase on cybercriminal forums for around $100 (US).