Go to listing page

Cyware Daily Threat Intelligence, October 20, 2021

Cyware Daily Threat Intelligence, October 20, 2021

Share Blog Post

Security experts are trying to solve a mysterious espionage campaign that went undetected for more than six months. The targeted victims included organizations in defense, healthcare, and ICT sectors across Southeast Asia and the toolset involved a modular backdoor, a keylogger, and an exfiltration tool. However, it is not yet clear which threat actor group was behind this attack.

A new threat to telecommunications companies at a global scale has emerged with the discovery of a new hacking group named LightBasin. The hackers harvested mobile network data from at least 13 telecom companies in the past two years. Meanwhile, researchers added one more malware to the growing list of ransomware families. Dubbed Karma, a relatively new ransomware shares similarities with Nemty variants.

Top Breaches Reported in the Last 24 Hours

LightBasin strikes telcos
A mysterious group of hackers called LightBasin has come to the spotlight for compromising mobile telecommunication systems for the past five years. The threat actor group has been active since at least 2016, targeting Linux and Solarix servers with an aim to steal subscriber information and call metadata.

PDA hit
Professional Dental Alliance (PDA) is notifying patients about a cyberattack that occurred between March 31 and April 1. The attack took place after an attacker gained unauthorized access to email accounts. The healthcare provider claims that there is no evidence of any actual misuse of personal information.

Quickfox VPN leaks data
Researchers discovered a critical data leak of at least one million users using the Quickfox VPN. The issue occurred due to insufficient ELK (Elasticsearch, Logstash, Kibana) stack security. The exposed data includes names, phone numbers, email addresses, and device data of users.

Southeast Asia companies targeted
A newly found espionage campaign targeted defense, healthcare, and ICT sectors across Southeast Asia. The campaign appeared to have begun in September 2020 and ran at least until May 2021. The toolset used in the campaign included loaders, a modular backdoor, a keylogger, and an exfiltration tool.

Top Malware Reported in the Last 24 Hours

New Karma ransomware
Experts analyzed the new Karma ransomware and found many similarities with Nemty variants. Some of the similarities include the exclusion of extensions and folders and the presence of debug messages. Similar to other ransomware operations, the Karma gang has set up a leak site to publish victims’ data.

Magnitude EK evolves
The operators of the Magnitude exploit kit added a new attack chain targeting the Chrome web browser. Named PuzzleMaker, the exploit can be used to abuse two vulnerabilities, CVE-2021-21224 and CVE-2021-31956, affecting Chromium-based browsers.

VNC malware spotted
An investigation revealed that the TinyNuke and TightVNC malware were installed via AppleSeed remote control malware. The AppleSeed backdoor is one of the tools associated with the North Korea-linked Kimsuky threat actor group.

Q-logger skimmer
A digital skimmer identified as q-logger has been linked with Magecart Group 8. The skimmer has been found being loaded directly into compromised e-commerce sites.

Top Vulnerabilities Reported in the Last 24 Hours

Oracle releases 419 security patches
Oracle has released a total of 419 security patches as part of this month’s Patch Tuesday. Thirty-six of these are critical vulnerabilities, with one of them having a CVSS score of 10. Fifty-six of these vulnerabilities can be exploited remotely without authentication.

A flaw in Squirrel language
An out-of-bounds read vulnerability found in the Squirrel programming language can be exploited by attackers to bypass sandbox restrictions and execute arbitrary code. Tracked as CVE-2021-41556, the flaw endangers millions of  Counter-Strike: Global Offensive and Portal 2 players.

Top Scams Reported in the Last 24 Hours

Fake unemployment benefit scam
The FBI warned that scammers are making use of fake unemployment benefit platforms to steal users’ financial and private data. Around 385 such domains have been identified that are being used for the same purpose. Out of these, eight are associated with government websites.


the southeast asia
quickfox vpn
nemty variants
magnitude ek
professional dental alliance pda

Posted on: October 20, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.