Go to listing page

Cyware Weekly Threat Intelligence July 05–09, 2021

Cyware Weekly Threat Intelligence July 05–09, 2021

Share Blog Post

The Good

The positive news for today is the positive steps taken by the Japanese government to better tackle the challenges posed by the changing cyber threat landscape. In other news, Interpol and other law enforcement agencies took big strides in bringing an infamous threat actor to justice.

  • INTERPOL detained a hacker known as Dr. Hex in underground marketplaces, under its Operation Lyrebird. The accused was involved in attacks on 134 websites from 2009–2018 across multiple regions.
  • ENISA highlighted 12 high-level recommendations for SMEs on how to fortify the security infrastructure of their businesses.
  • A Texan resident was sentenced to more than seven years of prison stay for being a part of business and romance scams since at least 2015. The scams made a profit of $2.2 million for the culprit. 
  • The Japanese Ministry of Defense announced plans to onboard at least 800 cybersecurity staff by the end of March 2022 to help defend against increasingly sophisticated attacks.

The Bad

Today, the world witnessed another series of security breaches followed by rushed hotfixes and phishing attacks, which led to potentially thousands of individuals and companies suffering monetary consequences and losing sensitive data; another typical day in the 21st-century cybersphere. The Kaseya ransomware attack is blowing out of measure now that some attackers have launched malspam campaigns to take advantage of the crisis. 

  • Threat actors stole over $350,000 from users in a widespread scam involving over 170 fake mobile apps. These apps—BitScams and CloudScams—promised to perform cryptocurrency mining on behalf of subscribers.
  • Microsoft’s released an out-of-band security update for the PrintNightmare vulnerability. While researchers initially claimed that the patches do not completely fix the issues, Microsoft clarified that the issue was correctly addressed.
  • A ransomware attack on Wiregrass Electric Cooperative temporarily blocked the customers from accessing their account information. 
  • A misconfigured database at Northwestern Memorial HealthCare (NMHC) providers exposed the private medical information of patients. Unknown threat actors gained access to the database owned by Elekta and stole patients’ names, dates of birth, social security numbers, health insurance information, and medical record numbers.
  • A hacker leaked confidential data from the Twitter-like social media platform GETTR. The data—users’ email addresses, birth years, and locations—was dumped on the RAID hacking forum.
  • About 1,500 firms worldwide may have been affected by the REvil ransomware attack that compromised Kaseya’s cloud-based RMM platform. The Kaseya ransomware attack is now being used to launch a malspam campaign that drops Cobalt Strike. 
  • Users of Android and iOS versions of the Formula 1 racing app received an unexpected notification on the Austrian Grand Prix after a hacker hijacked the app.  
  • A global cryptojacking scheme that targeted over 1,300 organizations was recently revealed. It targeted organizations in the health, tourism, media, and education sectors in the U.S., Vietnam, and India. 
  • Morgan Stanley confirmed the compromise of the personal information of some of its clients as a third-party vendor was breached in the Accellion FTA service. 
  • A leading U.S. insurance company CNA Financial Corporation notified customers of a data breach due to an attack by the Phoenix CryptoLocker ransomware in March. Data—names and social security numbers—of 75,349 individuals were compromised. 

New Threats

The new threats that have surfaced show a trend of specialization in niche target groups, be it individuals or companies, leading to better-veiled malware and phishing attacks. The relentless growth of cybersecurity threats has to be matched by growth in countermeasures. In some instances, threat actors are hitting the human element to avoid any existing defenses. For instance, the North Korea-based Lazarus group has launched a new attack campaign to target job seekers in the defense sector.  

  • A new malware called Bandidos, an upgraded variant of Bandook malware, is part of an ongoing espionage campaign that targets corporate networks in Spanish-speaking countries. It is disseminated via phishing emails containing a malicious PDF attachment. 
  • The WildPressure APT group resurfaced with new versions of Milum trojan for both Windows and macOS systems. Dubbed as Guard and Tandis, the trojans enable the threat actors to gain remote control of the compromised device. 
  • The SideCopy cyberespionage group is propagating several custom RATs to target Indian government officials. The malware used by the group include CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lilith, and Epicenter RAT. 
  • Lazarus APT launched a new attack campaign against job applicants and employees across the U.S. and Europe. The campaign is carried out via phishing emails that lure victims with job opportunities at Boeing and BAE systems. 
  • Zloader has been found to be implementing a new infection technique that has no malicious code embedded in the initial attached macro. 
  • The Hancitor malware adopted a new technique that uses cookies to avoid URL scraping. It is also capable of sending malicious emails and deploying Cobalt Strike beacons.  
  • Scammers are now impersonating customers contacting live-chat agents and luring them into opening malicious attachments. This is yet another addition to various phishing schemes. 
  • Two new spam campaigns are deploying the Qbot and IcedID banking trojans.


hancitor trojan
lazarus apt
kaseya ransomware attack
wildpressure apt
bandidos malware
printnightmare vulnerability
wildpressure apt group
operation sidecopy

Posted on: July 09, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.