Cyware Weekly Threat Intelligence, August 16–20, 2021

The Good

The weekend is almost here, and it is time to go over some of the positive developments from cyberspace this week. The CISA published a much-needed guide for organizations on how to respond to a ransomware attack, along with recommendations for staying safe from ransomware in the first place. The World Bank launched a new cybersecurity fund under its broader digital development umbrella program.

  • Facebook rolled out end-to-end encryption for voice and video calls on Messenger. It also updated its expiring message feature that lets users auto-delete their texts from chats.
  • The World Bank launched a new Cybersecurity Multi-Donor Trust Fund under the broader Digital Development Partnership umbrella program.
  • GitHub urged its users to enable 2FA after enforcing passwordless authentication.
  • The CISA issued a new resource guide that gives organizations guidance on how to respond to a ransomware attack.
  • The DHS is funding a program led by Cyber.org to bridge the infosec gap by teaching young children about cybersecurity. A framework of standards has been released that details what needs to be taught to children through 12th grade.

The Bad

This year has witnessed one big breach after another. While we are still trying to recover from some of the most recent cyberattacks, T-Mobile fell prey to one. This breach is something we cannot ignore, as the hackers claim to have accessed over 50 million records. While we are on the topic of data breaches, it comes as a shock that the U.S. Census Bureau was the victim of a cyberattack last year. Time and again, malicious apps have found their way into the Google Play Store. This time, eight fake cryptomining apps were removed from the app store.

  • Hackers robbed Liquid Global of crypto-assets worth at least $90 million from its warm wallets. The firm has published the cryptocurrency addresses the criminals used to move the stolen funds.
  • Abnormal Security identified and blocked some emails from a hacker who attempted to recruit insiders to infect their employers’ networks with ransomware. The threat actor allegedly has ties with the DemonWare group.
  • Servers of the U.S. Census Bureau were breached in a cyberattack last year. Luckily, it didn't involve the 2020 census. Officials said the bureau failed to detect and disclose the attack in a timely manner.
  • Kiber Partizany (Cyber Partisan), a secretive hacking group, claimed to have accessed heaps of confidential data, including phone calls from supporters and opponents, from a ministry network of the Belarus government.
  • Continued investigation of the T-Mobile breach revealed that over 40 million records of former or prospective customers were stolen, along with the personal data of about 7.8 million current postpaid customers. The same threat actor is selling 70 million AT&T user records containing full names, email addresses, dates of birth, and Social Security numbers.
  • New botnet HolesWarm has been abusing over 20 known vulnerabilities on Windows and Linux servers to deploy cryptomining malware since June, according to Tencent Security.
  • Patient care services at Memorial Health System were disrupted owing to a ransomware attack by the Hive group. Clinical and financial operations also suffered.
  • According to Check Point Research, the Indra APT group was behind last month’s cyberattack that crippled Iran’s transport ministry and national train system.
  • Google kicked out eight fraudulent apps from its Play Store. The fake cryptomining apps were laced with the FakeMinerPay and FakeMinerAd malware.

New Threats

It seems that the Conti gang has embraced adversity and is taking advantage of the leak of its training materials. How? Read along. Security researchers have demonstrated a critical new threat that can result in massive DDoS attacks orders of magnitude larger than anything seen so far. In other news, the BadAlloc flaws are here to rock the boat again, as federal authorities issued a warning.

  • A new malware campaign is distributing njRAT and AsyncRAT and targeting travel and hospitality facilities in Latin America. Techniques used in this campaign bear a resemblance to those of the Aggah group.
  • Conti ransomware affiliates have resorted to an interesting tactic: the legitimate Atera remote access software is being used as a backdoor for continued persistence.
  • InkySquid, a North Korean APT group, compromised one of the top North Korea-focused news sites, the Daily NK, to launch a watering hole attack and infect visitors with malware.
  • The CISA and FDA warned against BadAlloc security flaws in BlackBerry’s QNX RTOS used by critical infrastructure organizations, including healthcare, aerospace and defense, and industrial networks.
  • The new version of the Neurevt trojan comes with spyware and backdoor features. This version targets Mexican financial institutions.
  • Experts at The DFIR Report revealed that Trickbot is deploying a fake 1Password installer to reconnoiter compromised systems and launching Cobalt Strike to collect data.
  • The Mozi botnet came up with a new version that can manipulate victims’ web traffic. It is capable of HTTP session hijacking and DNS spoofing.
  • Cybercriminals are increasingly deploying CAPTCHA-protected malicious URLs to bypass security scanners, hosting counterfeit login pages alongside fake lottery and survey pages, according to researchers at Palo Alto Networks.
  • New research explains how firewalls and other network middleboxes can be exploited by cybercriminals to launch massive TCP-based DDoS reflection amplification attacks.

Posted on: August 20, 2021