Go to listing page

Cyware Weekly Threat Intelligence July 19–23, 2021

Cyware Weekly Threat Intelligence July 19–23, 2021

Share Blog Post

The Good

This week brings Kaseya attack victims a fresh piece of good news in the form of a universal decryptor. Seems like the nightmare is finally over. Arrests of cybercriminals always set us in the right mood for the weekend. The individual responsible for the mega-Twitter hack last year has been arrested from a Spanish town. 

  • The CISA, FBI, and NSA issued a joint cybersecurity advisory against rising Chinese state-sponsored cyber activities and offered mitigation steps to protect the federal government.
  • After securing a court order, Microsoft will be taking down malicious homoglyph domains that scammers or hackers register to spoof legitimate sites of various businesses and brands.
  • Kaseya received a universal decryptor for the victims of REvil ransomware to help them recover and restore their systems.
  • A U.K citizen was arrested in Estepona, Spain, for his involvement in the Twitter hack in July 2020, which resulted in the compromise of 130 high-profile accounts. 
  • Group-IB and the Dutch National Police tracked down alleged members of the cybercrime group named Fraud Family. The group develops, sells, and rents sophisticated phishing frameworks. 
  • A study by Columbia Engineering revealed the first way to encrypt personal images in cloud photo services. Dubbed Easy Secure, the system encrypts images uploaded on the cloud and deters attackers and the services from decrypting the images. 

The Bad

Commercial spyware has always been a cause of concern in the cyber landscape. One such spyware—Pegasus— was used to target thousands of smartphones to pilfer confidential information. The Olympics are here and hackers are busy taking advantage of it. Data from the Tokyo Olympic ticket gateway were posted on a leak forum. Identity theft is not a joke, especially not when hackers exploit the recent condo-collapse tragedy to steal the identity of the deceased.

  • Italy-based TicketClub fell victim to a security breach and the data of over 300,000 users are put on sale on RaidForums marketplace. The threat actor responsible goes by the online name of bl4ckt0r.
  • An SQL database belonging to Humana leaked highly sensitive data—patients’ names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, and medical treatment data—of over 6,000 patients on a hacker forum. 
  • Cloudstar was hit by ransomware that disrupted its systems. Presently, only the Office 365 mail services, the email encryption offering, and some support services are fully operational.
  • Cybercriminals are taking advantage of the recent tragic condo collapse incident in South Florida to steal the identities of deceased members. 
  • A malspam campaign was found delivering Remcos RAT via financially-themed emails. The types of attachments used to lure users are related to transaction invoices, appraisal reports, and payment advice, among others.
  • Scammers launched multiple fake American Rescue Plan Act signup sites to harvest credentials and personal information from users. The fake sites imitate government websites and ask for names, social security numbers, and photos of drivers’ licenses from targets.
  • ZeroX claimed to have stolen 1TB of sensitive data from Saudi Aramco. The stolen data has been put up for sale on multiple hacking forums. Saudi Aramco denied the hack.
  • Pegasus malware has been linked to worldwide espionage attacks that targeted activists, journalists, business executives, and politicians. The spyware was used to potentially steal data from more than 50,000 smartphones.  
  • User IDs and passwords for the Tokyo Olympic ticket gateway were posted on a leak website, following an alleged breach. The data also include names, addresses, and account numbers of people who bought Paralympic tickets. 

New Threats

A new cyberespionage campaign was initiated this week. The campaign is conducted by a new group dubbed TA2721, which is spreading Bandook. Threat actors, time and again, try to come up with new attack devices. In one such case, they were found disseminating 11 apps on Google Play Store that were propagating the Joker malware. Although crypto scams are nothing new, however, now an advance fee scam has been observed that promises crypto riches via a WhatsApp conversation.  

  • A new XCSSET malware variant has been found targeting macOS 11 systems in a new attack campaign. This variant can pilfer data from Telegram and other apps. 
  • A new malware strain dubbed MosaicLoader is targeting systems via cracked installers and propagating sets of sophisticated malware such as Glupteba. The malware includes several anti-analysis techniques to slip past antivirus software. 
  • The new Dmechant is being disseminated via phishing emails. The malware steals crypto wallet information and credentials from the victims’ infected devices. 
  • Bandook has been linked to a new espionage campaign that targets Spanish citizens via phishing emails. The campaign is carried out by a new group identified as TA2721.
  • An Olympics-themed wiper malware was discovered targeting Japanese PCs. The malware is capable of wiping files on infected systems and specifically targets files created with the Ichitaro app.  
  • A new strain of the Joker malware was recently spotted being propagated via 11 apps on the Google Play Store. 
  • The ANSSI issued an alert bulletin warning against a new series of attacks against many French organizations. The campaign is being coordinated by the China-sponsored APT31 group. 
  • A new crypto scam that promises users huge returns has been spotted. It further asks the recipients to connect via WhatsApp for more details and guidelines.


dmechant malware
joker malware
remcos rat malware
pegasus spyware
saudi aramco
fraud family
data wiper
xcsset malware

Posted on: July 23, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.