Go to listing page

Cyware Daily Threat Intelligence June 29, 2021

Cyware Daily Threat Intelligence June 29, 2021

Share Blog Post

Looks like virtual machines are the new gold for ransomware attackers. One of the most infamous ransomware named REvil aka Sodinokibi has been found using a Linux encryptor to target and encrypt VMware ESXi virtual machines.

Aviation companies are the latest target of cybercriminals aiming to steal credentials and other sensitive data. Researchers have uncovered that such companies are being targeted in a widespread spear-phishing campaign that distributes AsyncRAT. Meanwhile, the digital skimmer threat landscape continues to evolve as details about a skimmer malware called Lil’ Skim resurface.

Top Breaches Reported in the Last 24 Hours

LinkedIn data leaked
Data for 700 million LinkedIn users have been leaked on RaidForums dark marketplace. This is the work of a hacker who goes with the online name ‘GOD User TomLiner’. The hacker claims to have posted the records that include full names, gender, email addresses, phone numbers, and industry information. According to LinkedIn, no breach of its networks has occurred this time. However, the investigation is ongoing.

Top Malware Reported in the Last 24 Hours

Linux version of REvil detected
Researchers have discovered a Linux version of the REvil ransomware that targets VMware ESXi virtual machines. This new addition is a part of its evasion tactic. The new variant is in the form of an ELF64 executable with configuration options similar to those utilized by other common Windows executables.

AsyncRAT spotted
A new spear-phishing campaign that targets aviation companies is using a malicious link to distribute AsyncRAT. The email pretends to be from the federal aviation authority and uses a spoofed sender address that matches with a ‘foreign operators affairs’ email address. The content is carefully crafted to create a sense of urgency among the recipients.

Lil’ Skim malware
A skimmer malware named Lil’ Skim has been identified on a number of compromised websites that impersonate Google. The skimmer has been around for a year and was used for stealing credit card data.

Top Vulnerabilities Reported in the Last 24 Hours

PoC for Windows Print Spooler leaked
The PoC for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems has been accidentally leaked. Tracked as CVE-2021-1675, the flaw was patched in the Microsoft June 2021 Patch Tuesday security updates. It is a remote code execution issue.

Phoenix Contact issues fixes
Germany-based Phoenix Contact has issued fixes for 10 vulnerabilities identified across several of its products. Some of the affected products include Phoenix Contact’s TC router, FL MGUARD modules, ILC 2050 BI building controllers, and PLCNext. The vendor has addressed some of these issues with firmware updates, and in some cases, it has provided mitigation measures.

Unpatched vulnerability reported
An unpatched vulnerability in Google’s Compute Engine platform can be abused to take over virtual machines on cloud networks. This is done by impersonating the metadata server from the targeted virtual machine’s point of view. The issue was first reported in September 2020, but the patch has not been released yet.


revil sodinokibi ransomware
lil skim
spear phishing campaign

Posted on: June 29, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.