Go to listing page

Cyware Monthly Threat Intelligence, July 2021

Cyware Monthly Threat Intelligence, July 2021

Share Blog Post

The Good

Governments and private firms are concerned with cybercriminals’ most daring intrusions in recent times and doing all they can to contain their impact. A new open-source tool by GitLab now helps detect malicious code in open source software components. U.S. officials launched a new website to help organizations mitigate ransomware threats. Another group of experts devised a method to encrypt photos on leading cloud-storage platforms, including Google Photos, Apple, and Flickr.
  • GitLab rolled out a new open-source tool, dubbed Package Hunter, to help developers identify malicious code in their project dependencies. Right now, it includes support for NodeJS modules and Ruby Gems.
  • ENISA highlighted 12 high-level recommendations for SMEs on how to fortify the security infrastructure of their businesses, such as improving internet services, adopting cloud services, upgrading websites, and enabling staff to work remotely.
  • The DoJ, along with other federal partners, launched a new site StopRansomware.gov. It claims to offer partners and stakeholders ransomware detection, protection, and response guidance, all from a single source.
  • A study by Columbia Engineering revealed the first way to encrypt personal images in cloud photo services. Dubbed Easy Secure, the system encrypts images uploaded on the cloud and deters attackers and services from decrypting the images.
  • Brazil created a cyberattack response network called the Federal Cyber Incident Management Network to promote faster response to cyberattacks and vulnerabilities while establishing coordination between federal government bodies.

The Bad

From the Pegasus scandal to Beijing One Pass, spyware grabbed the spotlight in July. Still, sensitive breaches kept sending shockwaves across organizations and their stakeholders. A zero-day flaw at Saudi Aramco was exploited for millions. Officials in Florida, Taiwan suffered data leaks. Besides, there was a cryptomining campaign engaging servers from at least 1,300 global organizations.

  • Chinese state benefits app called Beijing One Pass was found laden with spyware-like features. It is mandatory for foreign organizations in China to download the app to handle employee state benefits.
  • ZeroX claimed to have stolen 1TB of sensitive data from Saudi Aramco, to which the victim weeks later acknowledged. While the stolen data was up for sale on multiple hacking forums, hackers allegedly demanded $50 million as part of the extortion attempt.
  • The Cuba ransomware hit Forefront Dermatology and impacted the personal details of 2.4 million patients and employees. Around 47MB of data stolen was dumped on the threat actor’s darknet site.
  • A consortium of media houses exposed NSO’s Pegasus malware to claim that it was misused to target activists, journalists, business executives, and politicians. The spyware was used to potentially steal all types of data from more than 50,000 smartphones.
  • Florida’s Department of Economic Opportunity (DEO) suffered a data breach after threat actors allegedly accessed sensitive information from the CONNECT public claimant portal between April 27 and July 16. The affected data includes social security numbers, driver’s license numbers, and bank account numbers, among others.
  • LINE accounts of more than 100 Taiwanese politicians and government officials were hacked and data pilfered. Users have been asked to enable their account’s message encryption feature.
  • NFT Ethereum-based game Axie Infinity players were targeted after threat actors infected Google Ads content. The threat actors lured the players into transferring funds from their cryptocurrency accounts.
  • An SQL database belonging to Humana leaked highly sensitive data—patients’ names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, and medical treatment data—of over 6,000 patients on a hacker forum. 
  • The Iran-linked TA453 threat actor group, also known as Charming Kitten, was found impersonating British scholars in a recent attack campaign. Dubbed Operation SpoofedScholars, the motive of the campaign was to steal credentials from senior professors from well-known academic institutions and experts focusing on the Middle East. 
  • Threat actors stole over $350,000 from users in a widespread scam involving over 170 fake mobile apps. These apps—BitScams and CloudScams—promised to perform cryptocurrency mining on behalf of subscribers.
  • A global cryptojacking scheme that targeted over 1,300 organizations was revealed last month. It reportedly targeted organizations in the health, tourism, media, and education sectors in the U.S., Vietnam, and India.
  • A leading U.S. insurance company CNA Financial Corporation notified customers of a data breach due to an attack by the Phoenix CryptoLocker ransomware in March. Data—names and social security numbers—of 75,349 individuals were compromised.

New Threats

As observed, a majority of cyber adversaries had an even greater interest in innovating and experimenting with new tools. Malware used to target European banking applications was upgraded and offered on dark web forums. Some new ransomware groups, including the Haron and BlackMatter groups, attempted to make strides in the threat landscape. Meanwhile, experts warned against security loopholes in smart cameras.

  • Mobile malware Oscorp was revamped as the new UBEL Android botnet and is on sale for a price of $980 on underground forums. It is capable of reading and sending SMS, stealing audio recordings, and installing and deleting applications, among others.
  • Researchers identified new ransomware called Haron that borrows its code and tactics from Thanos and Avaddon ransomware. On another tangent, the new BlackMatter ransomware was spotted recruiting affiliates and is claimed to be the successor of the now-defunct DarkSide and REvil ransomware.
  • A new malware strain dubbed MosaicLoader targeted systems via cracked installers and propagated sets of sophisticated malware such as Glupteba. The malware includes several anti-analysis techniques to slip past antivirus software.
  • A new Android RAT, dubbed Vultur, was found exploiting screen recording features to steal credentials and other sensitive data from compromised devices. So far, Vultur has infected between 5,000 and 8,000 users.
  • Microsoft released an out-of-band security update for the PrintNightmare vulnerability in Windows Print Spooler. Amid the rumors of released patches not completely addressing the issue, security researchers uncovered other local privilege escalation bugs.
  • The ANSSI issued an alert bulletin warning against a new series of attacks against many French organizations. The campaign was allegedly being coordinated by the China-sponsored APT31 group.
  • The Hancitor malware adopted a new technique that uses cookies to avoid URL scraping. It is also capable of sending malicious emails and deploying Cobalt Strike beacons.
  • The SideCopy cyberespionage group propagated several custom RATs to target Indian government officials. The malware used by the group includes CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lilith, and Epicenter RAT.
  • The WildPressure APT group resurfaced with new versions of Milum trojan for both Windows and macOS systems. Dubbed as Guard and Tandis, the trojans enable the threat actors to gain remote control of the compromised device.
  • An undocumented Python-based backdoor called BIOPASS RAT took advantage of Open Broadcaster Software (OBS) Studio’s live-streaming app to pilfer the screen of its victims. The malware is under active development.
  • IP cameras sold by a dozen vendors were found vulnerable to remote assaults due to a myriad of serious and high-severity flaws affecting UDP Technology firmware. Eleven of these flaws are related to remote code execution issues and one authentication bypass vulnerability.


blackmatter ransomware
hancitor trojan
wildpressure apt
haron ransomware
vultur malware
biopass rat
pegasus spyware
saudi aramco
operation sidecopy
ubel botnet

Posted on: August 02, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.