
Cyware Daily Threat Intelligence July 28, 2021


Ransomware is growing at an alarming rate, and that raises the stakes for everyone. Researchers have shared details about a new ransomware called Haron and the previously disclosed BlackMatter ransomware, both wreaking havoc in the cybercrime ecosystem. Haron is claimed to have borrowed its code from Thanos and Avaddon ransomware, which makes it extremely sophisticated. BlackMatter, meanwhile, is expanding its operations as it recruits more affiliates.

A new tactic adopted by a new version of LockBit 2.0 ransomware has also come to light. It uses Active Directory group policies to automate the encryption of a Windows domain.

Top Breaches Reported in the Last 24 Hours

University of San Diego Health affected
University of San Diego Health has disclosed a data breach that resulted in the compromise of the personal information of its patients, students, and employees. The incident occurred between December 2, 2020, and April 8, 2021, after hackers gained unauthorized access to some employee email accounts.

More deets on Facebook attack
In a new revelation, the Imperial Kitten threat actor group spent years masquerading as an aerobics instructor, ‘Marcella Flores’, to distribute malware dubbed LEMPO onto victims' machines. The campaign was designed to target people and companies in the aviation sector in the U.S.

Axie Infinity Players targeted
Players of the Ethereum-based NFT game Axie Infinity were targeted after threat actors poisoned Google Ads content. The threat actors' ultimate purpose was to trick players into transferring funds from their own cryptocurrency accounts.

Florida’s DEO affected
Florida’s Department of Economic Opportunity (DEO) suffered a data breach after threat actors allegedly accessed sensitive information from the CONNECT public claimant portal between April 27 and July 16. The affected data includes social security numbers, driver’s license numbers, bank account numbers, addresses, phone numbers, and birth dates of claimants.

JustDial leaks data again
JustDial has once again exposed the personal information of over 100 million users due to an unprotected API. The leaked data includes usernames, email addresses, phone numbers, and dates of birth.

LINE accounts hacked
The LINE accounts of more than 100 Taiwanese politicians and government officials were hacked and data was exfiltrated from their devices. The company has notified users of the intrusion and urged them to enable their account’s message encryption feature.

Misconfigured COVIDCert NI app
Northern Ireland’s Department of Health has temporarily suspended its COVID-19 vaccine certification service following a misconfiguration issue in the COVIDCert NI app. The issue allowed a limited number of users to view the data of other users.

Raven Hengelsport exposes data
Raven Hengelsport exposed details of around 246,000 customers due to a misconfigured Microsoft Azure Blob server. The leaky server held 18GB of data, including names, addresses, genders, phone numbers, and email addresses of users.

Top Malware Reported in the Last 24 Hours

Ransomware havoc
Researchers have identified a ransomware called Haron that borrows its code and tactics from Thanos and Avaddon ransomware. The gang behind the ransomware is believed to have created a leak site to list the names of victims that refuse to pay the ransom. Separately, BlackMatter ransomware is claimed to be the successor of the now-defunct DarkSide and REvil ransomware, and it is expanding its operation by recruiting affiliates.

New PlugX variant
A new variant of the PlugX RAT has been observed in use by a Chinese cyberespionage group known as PKPLUG Group or Mustang Panda. The new RAT variant was used to target Microsoft Exchange Servers in March.

Top Vulnerabilities Reported in the Last 24 Hours

A flaw in Sunhillo Aerial product
An unauthenticated OS command injection vulnerability in the Sunhillo SureLine application could allow attackers to execute arbitrary code with root privileges. Tracked as CVE-2021-36380, the flaw has been patched with the release of Sunhillo SureLine version

Joint advisory of top vulnerabilities
CISA, ACSC, FBI, and NCSC released a joint advisory on the top 30 vulnerabilities that are routinely exploited by threat actors. Some of these flaws affect VPNs from Pulse Secure, Fortinet, and F5 BIG-IP. Other top flaws are found in products from Citrix, Atlassian, Microsoft, and Netlogon.

Flaws in Zimbra Webmail Solution fixed
Zimbra Enterprise Webmail solution has fixed two critical vulnerabilities that could allow attackers to compromise and establish persistence on business email accounts. Tracked as CVE-2021-35208 and CVE-2021-35209, the flaws exist in the Zimbra 8.8.15 version. Both vulnerabilities could be exploited by sending a single malicious email to the targeted user.



Posted on: July 28, 2021
