
Cyware Weekly Threat Intelligence June 28–July 02, 2021

The Good

Finally, some good news to get you ready for the day! Law enforcement agencies from several countries have seized the servers of DoubleVPN, and victims of the Lorenz ransomware have reason to cheer, as researchers have developed a decryptor.

  • CISA released a new module for its Cyber Security Evaluation Tool (CSET) called the Ransomware Readiness Assessment to help organizations evaluate and gradually improve their defenses against ransomware.
  • Law enforcement agencies from the U.S., the U.K., Germany, the Netherlands, Canada, Switzerland, and other countries seized the servers of DoubleVPN and obtained the personal information, logs, and statistics of all its customers. The service was used by criminals to hide their location and evade detection during attacks.
  • Researchers from cybersecurity firm Tesorion analyzed the recently discovered Lorenz ransomware and developed a decryptor, which is to be released soon.
  • Google and the Open Source Security Foundation (OpenSSF) launched the OpenSSF Security Scorecards, an automated tool that produces a risk score for open-source projects based on a set of security checks.
  • The U.S. Secret Service published a list of its 10 most wanted fugitives in connection with financial cybercrimes and is offering rewards of up to $1 million for information on these cybercriminals.

The Bad

While the fallout from the SolarWinds attacks continues, another Kremlin-linked hacking group has also stepped up its activity. Cybersecurity authorities from the U.S. and the U.K. issued a joint advisory warning that the Fancy Bear group is running an ongoing brute-force campaign that has already hit hundreds of organizations. Human error continues to plague the healthcare sector, as UofL Health leaked the PHI of thousands of patients.

  • A threat actor was found using the leaked Babuk Locker builder to target victims around the world. The ransomware demands 0.006 BTC from each victim to decrypt their files.
  • U.K. police warned of a WhatsApp fraud campaign that tricks users into sharing their verification code so that attackers can take over their accounts.
  • UofL Health, Kentucky, is notifying more than 40,000 patients of a data breach affecting their PHI. The incident occurred when the healthcare system mistakenly sent sensitive data to an email address outside its network.
  • The Russia-linked Nobelium APT group compromised Denmark’s central bank and had access to its network for more than six months. The intrusion was part of the SolarWinds supply chain attack.
  • An ongoing malware campaign is using popular dating and instant messaging apps as lures to distribute a version of the PJobRAT spyware. The campaign has been active since January and targets Indian military personnel.
  • Data on 700 million LinkedIn users has been leaked on the RaidForums hacking forum. The hacker claims the posted records include full names, gender, email addresses, phone numbers, and industry information.
  • The U.S. and the U.K. warned businesses of a global campaign that relies on brute-force tactics; hundreds of organizations have already fallen victim. The attacks have been attributed to the Russian GRU.

New Threats

Some threat actors keep expanding their capabilities to wreak havoc on as many organizations as possible. One such actor, REvil, came up with a Linux version of its ransomware. The TA543 group also revamped its malware and is using it to target organizations across a range of industries. The week also saw a new ransomware that has been linked to the TrickBot gang and shares several similarities with Conti.

  • The China-based IndigoZebra threat actor group is targeting the Afghan National Security Council with phishing emails that deliver the BoxCaon backdoor, which abuses the Dropbox cloud storage service as its command-and-control channel to steal confidential data.
  • The Indexsinas, or NSABuffMiner, worm is targeting Windows systems to launch cryptojacking attacks. It spreads between systems using the EternalBlue and EternalRomance exploits together with the DoublePulsar backdoor.
  • Researchers have discovered a Linux version of the REvil ransomware that targets VMware ESXi servers, allowing the gang to encrypt virtual machines at the hypervisor level rather than inside each guest.
  • A new spear-phishing campaign is targeting aviation companies with a malicious link that delivers AsyncRAT. The emails pretend to come from a federal aviation authority and are carefully crafted to create a sense of urgency among recipients.
  • Yoroi researchers discovered a new 'WayBack' attack campaign that has delivered over 900 malware samples. Active since 2019, the campaign targets European organizations and uses serverless techniques to evade traditional security infrastructure.
  • The new Hive ransomware group allegedly leaked files stolen from real estate software firm Altus Group.
  • The TA543 cybercrime group was found deploying a new JSSLoader variant against hundreds of organizations across a wide range of industries, including finance, manufacturing, healthcare, and transportation.
  • The new Diavol ransomware has been linked to the Wizard Spider gang, the operators of TrickBot, and shares similarities with the Conti ransomware.
  • The new Lil’ Skimmer malware has been identified on a number of compromised websites, served from infrastructure that impersonates Google. The skimmer has been around for about a year and is used to steal credit card data.
  • A new version of the Babuk Locker ransomware is back targeting corporate networks. The gang has moved its operations to a new leak site that already lists several victims.


Posted on: July 02, 2021
