Cyware Daily Threat Intelligence, September 16, 2021

Extortion attempts are reaching new heights in the era of ransomware 2.0. Another ransomware gang has joined the bandwagon of cybercriminals who claim they will destroy victims’ data if any kind of help is sought from data recovery agencies. After Ragnar Locker, it is now the Grief ransomware.

That’s not all. The threat is growing more sophisticated as cybercriminals increasingly turn to less common programming languages to fly under the radar. In a new discovery, researchers have uncovered a malware dubbed Capoae that is being used against WordPress and Linux systems. Additionally, the discovery of the Operation Harvest cyber-espionage campaign, which went undetected for a long time, has raised concern about the security of organizations.

Top Breaches Reported in the Last 24 Hours

Desert Wells Family Medicine loses data
Desert Wells Family Medicine has reportedly lost all data entered into its EHR systems due to a cyberattack on May 21. The compromised data includes names, birth dates, addresses, billing account numbers, medical record numbers, and treatment information of patients.

Flawed Travis CI exposes data
A security flaw in Travis CI has potentially exposed the secrets of thousands of open source projects. Tracked as CVE-2021-41077, the flaw is present in Travis CI’s activation process and impacts certain builds created between September 3 and September 10.

TTEC attacked
TTEC fell victim to a ransomware attack during the weekend. This caused a system outage impacting access to the network, applications, and customer support. It is believed to be the work of the Ragnar Locker ransomware.

Operation Harvest campaign
A newly discovered advanced persistent threat campaign dubbed Operation Harvest has been linked to a Chinese threat actor group. The attackers used privilege escalation and DLL sideloading techniques, among others, to deploy the PlugX backdoor.  

Grief ransomware’s new strategy
Grief ransomware has become the latest cybercriminal gang to warn its victims that their files will be deleted if they attempt to contact data recovery agents.

Epik suffers a breach
A group of hackers has claimed to have stolen gigabytes of data from Epik. This includes the data of several of its clients, including Parler, Texas GOP, Gab, and 8chan.

Top Malware Reported in the Last 24 Hours

Decryptor for REvil ransomware
Bitdefender has released a free master decryptor for files locked by REvil ransomware. This will allow all victims whose files were encrypted by the ransomware before mid-July to recover them.

New Capoae malware
A new malware called Capoae, written in the Go language, is being used by threat actors to launch attacks against WordPress and Linux systems. The malware takes advantage of remote code execution vulnerabilities in Oracle WebLogic Server and ThinkPHP to spread across targeted systems.

Top Vulnerabilities Reported in the Last 24 Hours

Drupal issues patches
Drupal has issued security patches for five vulnerabilities that can be exploited to access data or upload arbitrary code. The flaws are related to CSRF, authentication bypass, and code injection issues. All of these issues have been fixed in versions 9.1 and 9.2 of Drupal.

Unpatched legacy IBM servers
Two IBM server models that reached EOL in 2019 remain vulnerable to a command injection flaw. This can enable adversaries to execute arbitrary commands on either server model’s operating system via the Integrated Management Module (IMM) application.

Update on Windows zero-day exploit
A new investigation reveals that the WIZARD SPIDER threat actor group is associated with the recent exploitation of a Windows zero-day vulnerability in the MSHTML browsing engine. The attack was carried out via malicious documents that delivered a customized version of Cobalt Strike Beacon.

PoC for Seventh Inferno released
Netgear has released a PoC for a critical flaw dubbed Seventh Inferno that affects its smart switches. The flaw can be abused by an attacker to execute malicious code and take control of vulnerable devices. Security patches to address the flaw have been issued by the firm.

Top Scams Reported in the Last 24 Hours

Scammers impersonate DOT
Scammers impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign. The attackers mimicked the department’s website and lured victims into fake bidding for projects recently passed by Congress. Once the victims landed on the phishing site, they were asked to provide their login details.

Posted on: September 16, 2021