Go to listing page

Cyware Daily Threat Intelligence, September 21, 2021

Cyware Daily Threat Intelligence, September 21, 2021

Share Blog Post

Several cyberespionage campaigns with a myriad of malicious intentions were reported in the last 24 hours. The Turla APT group is back with a new backdoor dubbed TinyTurla to gain persistence on targeted systems across Germany, the U.S., and Afghanistan. A fileless attack campaign named Water Basilisk used a new variant of HCrypt crypter to distribute numerous RATs to victims’ systems, whereas the z0Miner trojan exploited a flaw in Atlassian Confluence Server to execute its payload.

The BlackMatter ransomware gang also ramped up its attacks by hitting two more organizations over the weekend. The victims are Marketron and New Cooperative. The attackers have demanded $5.9 million in ransom from New Cooperative.

Top Breaches Reported in the Last 24 Hours

DDoS attacks thwarted
Nearly 19 DDoS attacks targeted against Russia’s remote electronic voting system were thwarted in a day. These attacks originated from several countries such as India, China, Brazil, Russia, Germany, Thailand, Lithuania, Bangladesh, and the U.S. In another incident, the website of VoIP.ms was targeted in a DDoS attack, following which the attackers had demanded a ransom from the firm to halt the attack.

BlackMatter’s terror
BlackMatter ransomware gang has added two new organizations—Marketron and New Cooperative—to its list of victims. Both of them were targeted over the weekend. The attackers have demanded $5.9 million in ransom from New Cooperative. 

Unprotected Elasticsearch incident
An unprotected Elasticsearch database exposed the personal details of millions of visitors to Thailand on the internet for an unknown time period before it was fixed in August. The publicly accessible database contained full names, arrival dates, gender, passport numbers, visa information, and Thai arrival card numbers of tourists. 

Simon Eye data breach
Simon Eye is reporting a data breach that impacted more than 144,000 individuals. The possibly compromised data includes names, medical histories, treatment, diagnosis information, and health policy number of patients. The incident had occurred between May 12 and 18.   

Top Malware Reported in the Last 24 Hours

New HCrypt variant
A new fileless attack campaign dubbed Water Basilisk used a new variant of HCrypt crypter to distribute numerous RATs to victims’ systems. As a part of the campaign, the attackers used publicly available file hosting services to host the malware. The new version of HCrypt builder creates various VBScript and PowerShell commands to avoid malware detection.

New TinyTurla backdoor
The newly discovered TinyTurla backdoor is being used in attacks against the U.S., Germany, and Afghanistan. The two primary purposes of the backdoor include dropping payloads and gaining persistence on target systems. The campaign uses DLL side loading technique to evade detection.

z0Miner discovered
A cryptomining trojan z0Miner has been taking advantage of the recently discovered remote code execution flaw in Atlassian’s Confluence server to gain a foothold on target systems. The flaw is tracked as CVE-2021-26048. 

Top Vulnerabilities Reported in the Last 24 Hours

A zero-day flaw in Hikvision camera
A zero-day flaw in Hikvision IoT security cameras can allow an attacker to gain unauthorized access to the devices and possibly host networks. Described as a remote code execution flaw, it has a CVSS score of 9.8. Hikvision has released an advisory for vulnerable versions. 

Vulnerabilities in Apple tvOS
Multiple flaws affecting Apple tvOS have been addressed recently. Most of these are related to buffer overflow issues and can be exploited to gain remote access to systems. 

Bypassing iPhone’s lock screen
A researcher demonstrated an iPhone lock screen bypass that can be exploited to grant attackers access to a user’s notes. This bypass mechanism uses the Apple Siri and VoiceOver services to access the Notes app from behind the screen.

RCE flaw in Apache OpenOffice
An RCE flaw discovered in the Apache OpenOffice (AOO) can be exploited to execute malware on targeted machines. The vulnerability is identified as CVE-2021-33035 and has been fixed in version 4.1.11 of the software.


tinyturla backdoor
hcrypt crypter
hikvision camera
water basilisk campaign

Posted on: September 21, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite