Go to listing page

Cyware Daily Threat Intelligence, October 18, 2021

Cyware Daily Threat Intelligence, October 18, 2021

Share Blog Post

The notorious REvil ransomware gang disappears again! The mysterious development comes after it was reported that unidentified actors took control of the gang’s Tor payment portal and data leak website. It is unknown for how long the gang will remain underground but its re-emergence will surely pose a threat for organizations across the globe.

The lesser-known Lyceum APT is on a mission to gaining a foothold with its re-appearance. The gang has been associated with two attack campaigns launched against entities in Tunisia.  Furthermore, the group has added two new malware variants dubbed ‘James’ and ‘Kevin’ to its arsenal. The TA505 threat actor group has lately shifted to a new malware named MirrorBlast in a newly detected email phishing campaign.     

Top Breaches Reported in the Last 24 Hours

Accenture confirms data breach
Accenture confirmed that its services were affected by LockBit ransomware in August. The attackers gained unauthorized access to the firm’s service providers’ systems. The gang claimed 6TB of data and demanded $50 million in ransom. 

REvil ransomware’s Tor sites hacked
REvil ransomware appears to have shut down its operations again after an unknown individual allegedly hacked its Tor payment gateway and data leak blog. However, the group will let affiliates continue extorting their victims by providing a decryptor only if a ransom is paid. 

Sinclair Broadcast Group affected
TV stations owned by the Sinclair Broadcast Group went down during the weekend across the U.S. following a ransomware attack. The attackers had managed to impact many TV stations via Sinclair’s corporate Active Directory domain.

Lyceum APT emerges
Researchers have uncovered two attack campaigns associated with the Lyceum threat actor group. The attacks were targeted against two entities in Tunisia. Additionally, the group has been held responsible for two new malware variants dubbed ‘James’ and ‘Kevin’.  

Top Malware Reported in the Last 24 Hours

MirrorBlast malware
A new MirrorBlast malware was detected in a phishing email campaign that was tentatively linked with the TA505 and PYSA groups. The email contained a malicious Excel file named ‘Bericht’. The Excel file requests the user to ‘Enable Content’, which ultimately activates the macro embedded within the file. 

Decryptor for BlackByte ransomware
Trustwave has made a BlackByte decryptor available for download at GitHub. This Windows-based ransomware takes advantage of the double extortion technique after targeting its victims. 

Top Vulnerabilities Reported in the Last 24 Hours

Tactics refined to exploit zero-days
A new report shows that cybercriminals are continuously evolving their tactics, techniques, and procedures to launch attacks by exploiting zero-day vulnerabilities. In one of the incidents observed, threat actors exploited the zero-day CVE-2021-40444, a remote code execution vulnerability in the MSHTML browser engine, by tricking victims into previewing a malicious Office document in File Explorer.


lyceum apt
sinclair broadcast group
revil ransomware gang
blackbyte ransomware

Posted on: October 18, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.