
Cyware Weekly Threat Intelligence, December 06–10, 2021


The Good

While cybercriminals continue to innovate their tactics, researchers are not far behind in taking them down. Glupteba, the blockchain-enabled, modular botnet, was torn down by Google’s TAG team. In the same vein, Microsoft confiscated 42 domains used by Nickel, a prolific China-based cyberespionage gang that was active across several countries. *Sigh of relief*

  • Google’s TAG dismantled the Glupteba botnet, which compromised around 1 million Windows and IoT devices. The blockchain-enabled botnet grows at the pace of thousands of new devices every day and propagates via malicious documents, fake YouTube videos, fake pirate software, and traffic distribution systems, among others. TAG terminated 63 million Google docs, 1,313 Google accounts, 908 cloud projects, and 870 Google Ads accounts.  
  • Microsoft seized 42 domains used by Chinese cyberespionage group Nickel, aka APT15. The actors were involved in harvesting intelligence on foreign ministries, human rights organizations, and think tanks. Nickel was active in the U.S., Argentina, Chile, Barbados, Bosnia, Brazil, Herzegovina, Ecuador, and the Czech Republic, among several other nations.  
  • Iowa State University joined hands with the University of Illinois to lead a coalition of industry and government partners to develop cybersecurity talent in the Midwestern U.S. Dubbed ReCIPE, the coalition has received a two-year grant funding of $2 million from the NSA.
  • The Justice Department and FBI indicted a Canadian national for his alleged involvement in multiple ransomware attacks. Named Matthew Philbert, the perpetrator was arrested on counts of conspiracy to commit fraud and related activity associated with computers. However, officials have not revealed which ransomware gang the cybercriminal belonged to.
  • The U.K. and Singapore finalized negotiations on a digital economy agreement that emphasizes digital trade, cybersecurity, and data flow. The pact requires both countries to implement interoperable systems for digital payments and identities and to secure data flows.
  • CISA’s new Binding Operational Directive (BOD) requires federal agencies to patch almost 300 known exploited vulnerabilities. The directive applies to all hardware and software on both internet- and non-internet-facing systems. The BOD gives agencies two weeks to close bugs disclosed this year and six months for older ones, some dating back to 2014.

The Bad

We are afraid to inform you that this week witnessed several data leaks due to unsecured databases and web servers. While a French transportation company blurted out the data of almost 60,000 employees, a Florida-based healthcare tech company exposed the details of 30,000 U.S. healthcare workers. Cryptocurrency exchange platforms are still under attack, with Bitmart being the latest victim.

  • A Desktop Services Store file was exposed on a publicly accessible web server belonging to Microsoft Vancouver. The metadata stored on the file hinted at several WordPress database dumps, containing multiple administrator usernames, email addresses, and hashed passwords for Microsoft Vancouver’s WordPress website. Public access to the file was finally disabled on December 2, after being exposed in September.
  • State-sponsored Chinese hacking groups have been targeting government and private sector organizations across Southeast Asia. The targets included the Indonesian and Philippine navies, the Thai Prime Minister’s office and the Thai army, Malaysia’s Ministry of Defense, Vietnam’s national assembly, and the central office of Vietnam’s Communist Party. The entities were compromised via custom malware families such as Chinoxy and FunnyDream, which are not available publicly.
  • Régie Autonome des Transports Parisiens (RATP), a state-owned French transportation company, inadvertently leaked the data of almost 60,000 employees due to an unsecured HTTP server. The exposed records included employees’ full names, email addresses, logins, and MD5-hashed passwords. The server also contained source code related to RATP’s employee benefits portal.
  • Mobile payment provider LINE Pay disclosed a breach wherein around 133,000 users' payment details were mistakenly published on GitHub for around three months between September and November. The leaked data included the date, time, and amount of transactions, as well as user and franchise store identification numbers. The information comprised 51,000 Japanese users and 82,000 Taiwanese users and was accessed 11 times during the time it was available online. 
  • Convenience store chain SPAR was forced to close some of its stores in the U.K. after a cyberattack on its IT systems, including staff email accounts. Out of its nearly 2,600 stores located across the U.K., 330 SPAR shops in northern England were crippled. The affected stores were unable to process payments made using credit or debit cards. While some stores have reopened, they are only accepting cash payments.
  • French national cybersecurity agency ANSSI warned that the Russia-linked Nobelium APT group has been targeting French organizations since February. The state-sponsored threat actor compromised email accounts belonging to French organizations and used them to launch spear-phishing campaigns at foreign institutions. Nobelium, furthermore, targeted French public organizations with spoofed emails from servers belonging to foreign entities. 
  • Colorado-based Delta-Montrose Electric Association was hit by a ransomware attack that resulted in the loss of company records spanning two decades. Additionally, the company’s billing systems were disrupted due to the incident. The electricity utility lost 90% of its internal network functions, although its fiber network and power grid remain undisturbed.
  • A security researcher discovered a database owned by Gale Healthcare Solutions that was left unsecured online. The database contained the personal information of over 30,000 U.S. healthcare workers, including names, emails, home addresses, photos, and, in some cases, SSNs and tax documents. The company claimed that the database was a “temporary environment for an internal system test.”
  • Crypto trading platform Bitmart suffered a breach wherein the hackers apparently withdrew tens of millions of dollars worth of cryptocurrency assets from one of its hot wallets. Bitmart confirmed the hack and said that the stolen assets amounted to about $196 million in value. The platform stated that it would reimburse the victims with its own money.
  • In a new notice, the FBI reported that the Cuba ransomware group has attacked 49 organizations across five critical infrastructure sectors and collected around $44 million in ransom payments. The group is believed to be targeting the financial, government, healthcare, manufacturing, and information technology sectors while using the Hancitor malware to gain entry to Windows systems.
  • Researchers revealed that Karakurt, a sophisticated, financially motivated threat actor, has compromised over 40 victims between September and November and posted downloadable stolen file packs on its sites. The group primarily focuses on data exfiltration and extortion and does not use ransomware. 95% of the victims are located in North America and the rest are distributed across Europe.

New Threats

The cybersecurity world was at peace when Emotet was taken down; since its return, however, Emotet has become a massive pain in the neck. While we are on the topic of malware, a new cryptominer has reared its head and is targeting QNAP NAS devices. In other news, phishing campaigns have started using Omicron-themed lures to target students in dozens of universities across the U.S.

  • The Dark Mirai-based botnet campaign, also referred to as MANGA, is targeting a vulnerability in TP-Link Home Wireless Routers, particularly the TL-WR840N EU (V5) model. The flaw is tracked as CVE-2021-41653. MANGA is capitalizing on the gap between the time of vulnerability disclosure and the application of the patch.  
  • Researchers from Cryptolaemus recently reported a change in the tactics used by Emotet operators. The infamous malware now directly installs Cobalt Strike beacons to get access to targeted networks. The conventional attack chain involved installing Trickbot or Qbot on infected systems, which would eventually deploy Cobalt Strike. 
  • Researchers discovered a new ransomware family that has adopted the Cerber name previously used by a different ransomware dating back to 2016. The new Cerber version targets Atlassian Confluence and GitLab servers by exploiting remote code execution vulnerabilities. The new ransomware has no code similarities with the older family and uses the Crypto++ library instead of Microsoft’s CryptoAPI.
  • A new strain of cryptomining malware is targeting QNAP Network-Attached Storage (NAS) devices, as per a security advisory issued by QNAP. Once the malware infects a NAS device, it creates a process named “[oom_reaper]” that eats up around 50% of the total CPU usage for cryptomining purposes. The company has urged users to update their devices’ operating systems and change all NAS account passwords. 
  • Fortinet researchers observed numerous payloads exploiting a vulnerability in Hikvision products to probe the status of devices or extract sensitive data from victims. Tracked as CVE-2021-36260, the bug is related to remote code execution. One of the payloads was observed dropping a downloader that executes Moobot, a Mirai-based DDoS botnet. 
  • A new phishing campaign is targeting Twitter verified accounts, taking advantage of Twitter’s recent removal of the verified badge from numerous profiles. The phishing emails ask the targets to verify their identity in order to keep their verified status. The links in the emails take users to compromised pages that have been modified to steal their credentials.
  • Proofpoint uncovered a new phishing attack that leverages the concern around the Omicron variant of COVID-19 to target student data in U.S. universities. This threat actor was observed shifting from Delta variant themed lures to Omicron themes following the latter’s discovery. The campaigns use both attachments and URLs and leverage threat actor-controlled infrastructure to host credential theft web pages using similar domain name patterns. 
  • Researchers spotted 14 new types of cross-site data leakage attacks against several web browsers, such as Mozilla Firefox, Tor browser, Google Chrome, Opera, Microsoft Edge, and Apple Safari, among others. Collectively known as XS-Leaks, these flaws allow a malicious website to pilfer personal information from its visitors while they interact with other websites in the background. 
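The QNAP item above describes a miner that names its process “[oom_reaper]” to blend in with the kernel’s own threads. The check below, an added example that is not part of the original briefing, flags such impostors using facts a responder can read from /proc or ps: genuine kernel threads have an empty cmdline, never carry brackets in their comm name (ps adds those for display only), and descend from kthreadd (pid 2). The process table is constructed sample data; the Proc field names are assumptions for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

KTHREADD_PID = 2  # genuine kernel threads are pid 2 or children of pid 2


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str      # /proc/<pid>/comm; the kernel never puts brackets here
    cmdline: str   # /proc/<pid>/cmdline; empty for real kernel threads (and zombies)
    cpu_pct: float


def bracketed(name: str) -> bool:
    return name.startswith("[") and name.endswith("]")


def kernel_thread_anomalies(p: Proc) -> List[str]:
    """Reasons why a process that looks like a kernel thread is not one."""
    if p.cmdline != "" and not bracketed(p.comm):
        return []  # ordinary user process, nothing to check
    reasons = []
    if bracketed(p.comm):
        # ps adds brackets only for display; a literal "[oom_reaper]" was set by the process
        reasons.append("comm contains brackets, which the kernel never sets")
    if p.cmdline != "":
        reasons.append("has a cmdline, which kernel threads lack")
    if p.pid != KTHREADD_PID and p.ppid != KTHREADD_PID:
        reasons.append(f"parent pid {p.ppid} is not kthreadd")
    return reasons


def flag_fake_kernel_threads(procs: List[Proc]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, comm, reasons) for impostors, highest CPU consumer first."""
    hits = [(p, kernel_thread_anomalies(p)) for p in procs]
    hits = sorted((h for h in hits if h[1]), key=lambda h: h[0].cpu_pct, reverse=True)
    return [(p.pid, p.comm, r) for p, r in hits]


# Constructed process table: two genuine kernel threads, a miner posing as
# "[oom_reaper]", a process that blanked its cmdline but has the wrong parent, and nginx.
SAMPLE_PROCS = [
    Proc(2, 0, "kthreadd", "", 0.0),
    Proc(50, 2, "oom_reaper", "", 0.0),
    Proc(1234, 1, "[oom_reaper]", "[oom_reaper]", 49.8),
    Proc(1400, 1, "oom_reaper", "", 48.1),
    Proc(1300, 1, "nginx", "nginx: worker process", 1.2),
]
```

On a live host, populate `Proc` from /proc/<pid>/comm, /proc/<pid>/cmdline and the ppid field of /proc/<pid>/stat; zombies also have an empty cmdline, so check the state field before acting on a hit.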



Posted on: December 10, 2021
