Cyware Weekly Threat Intelligence July 26–30, 2021

The Good

Better late than never. Patch your vulnerabilities now, as the Five Eyes cybersecurity agencies have issued an advisory about the top 30 most exploited flaws. In another good piece of news, GitLab released a new open-source tool that helps developers detect malicious code.

  • Brazil created a cyberattack response network called the Federal Cyber Incident Management Network to promote faster response to cyberattacks and vulnerabilities while establishing coordination between federal government bodies.
  • CISA, the ACSC, the FBI, and the NCSC released a joint advisory on the top 30 vulnerabilities routinely exploited by threat actors. Some of these flaws affect VPN products from Pulse Secure, Fortinet, and F5 BIG-IP.
  • Google announced more details about its Safety Section feature in Google Play Store that offers information about the data collected by an Android app.
  • GitLab rolled out a new open-source tool, dubbed Package Hunter, to help developers identify malicious code in their project dependencies. Right now, it includes support for NodeJS modules and Ruby Gems.

The Bad

‘Once burned twice shy,’ the saying goes. However, sometimes that’s not the case as is evident from JustDial experiencing another data breach, which is eerily similar to the one from 2019. Moving away from human errors, we are tired of witnessing attacks and data breaches at healthcare facilities every single day. This week attackers stole sensitive information from Homewood Health. And, BazarCall attackers are back in action. 

  • Cybercriminals stole the confidential data of British Columbians from Homewood Health. The trove contains data related to finances, amendments, agreements, accruals, and projects, among others.
  • IP cameras sold by a dozen vendors are vulnerable to remote attacks due to a myriad of critical and high-severity flaws in UDP Technology firmware. Eleven of these flaws are remote code execution issues and one is an authentication bypass.
  • UC San Diego Health suffered a data breach that compromised the personal information of its patients, students, and employees. The incident occurred between December 2, 2020, and April 8, 2021, after hackers gained unauthorized access to some employee email accounts.
  • Players of Axie Infinity, an Ethereum-based NFT game, were targeted after threat actors infected Google Ads content. The threat actors lured the players into transferring funds out of their cryptocurrency accounts.
  • Florida’s Department of Economic Opportunity (DEO) suffered a data breach after threat actors allegedly accessed sensitive information from the CONNECT public claimant portal between April 27 and July 16. The affected data includes social security numbers, driver’s license numbers, bank account numbers, addresses, phone numbers, and birth dates of claimants.
  • An ongoing malicious campaign—BazaCall—is leveraging fake call centers to lure victims into downloading malware. The attacks rely on conventional social engineering tactics.
  • The Chinese state benefits app Beijing One Pass has been found to contain spyware-like features. Foreign organizations in China are required to install the app to handle employee state benefits.
  • Reports revealed that attackers are using the XAMPP web server stack to host Agent Tesla and Formbook malware.
  • JustDial once again exposed the personal information—usernames, email addresses, phone numbers, and dates of birth—of over 100 million users due to an unprotected API.
  • LINE accounts of more than 100 Taiwanese politicians and government officials were hacked and their data pilfered. Users have been asked to enable their account’s message encryption feature.

New Threats

Cybercriminals are racing to revamp everything, from malware to entire gangs. DoppelPaymer was rebranded as Grief. Also, researchers believe that a new ransomware gang, BlackMatter, might be the scion of REvil and DarkSide. Scary! Speaking of ransomware, there’s a new ransomware called AvosLocker which is actively looking for affiliates.

  • The Oscorp mobile malware has been revamped as the new UBEL Android botnet and is on sale for $980 on underground forums. It is capable of reading and sending SMS, stealing audio recordings, and installing and deleting applications, among other things.
  • A new Android RAT, dubbed Vultur, is exploiting screen recording features to steal credentials and other sensitive data from compromised devices. So far, Vultur has infected between 5,000 and 8,000 users.
  • DoppelPaymer ransomware was rebranded as Grief in an attempt to expand the group’s reach. DoppelPaymer had gone underground in mid-May, only to re-emerge as Grief ransomware in June.
  • In a new revelation, the Imperial Kitten threat actor group was found to have masqueraded as an aerobics instructor, ‘Marcella Flores’, for years. Its aim was to deliver a malware dubbed LEMPO onto victims’ machines.
  • Researchers have identified a ransomware called Haron that borrows its code and tactics from the Thanos and Avaddon ransomware families. On another tangent, the new BlackMatter ransomware is recruiting affiliates and is claimed to be the successor of the now-defunct DarkSide and REvil ransomware.
  • Mustang Panda, a Chinese cyberespionage group, was spotted using a new variant of PlugX RAT. The RAT was used to target Microsoft Exchange Servers in March.
  • After studying the cyberattack on Iran’s train system, SentinelOne attributed the incident to a previously unknown wiper and a new threat actor, tracking the activity as MeteorExpress.
  • Sygnia researchers reported a new APT group—Praying Mantis or TG1021—targeting Microsoft IIS web servers to reach victims’ internal networks to steal sensitive data.
  • Experts warn of a new ransomware variant called AvosLocker whose activities suggest that the group is actively looking for affiliates in the underground markets.
  • A phishing campaign was observed using an unusual tactic to pilfer PayPal credentials. It leverages carefully designed emails that seem legitimate until a recipient inspects the links and headers.

Posted on: July 30, 2021