Go to listing page

Cyware Weekly Threat Intelligence, May 17–21, 2021

Cyware Weekly Threat Intelligence, May 17–21, 2021

Share Blog Post

The Good

As we wait for the return of normalcy in our lives, we need good things in life. Like the smell of freshly brewed coffee and the news of ransomware gangs shutting down operations. Yes, that happened! Another notorious ransomware actor shut down shops and we are cheering! In other news, the CISA announced a new initiative to tackle security flaws a layer beneath the operating system.

  • The Qlocker ransomware gang shut down its operation after earning $350,000 in a month. The ransomware was infamous for exploiting vulnerabilities in QNAP devices. 
  • Researchers released a decryptor for Judge ransomware that also decrypts files encrypted by the very similar NoCry ransomware. It creates a mutex to prevent multiple instances from running in parallel, provides sandbox detection, and deletes system restore points.
  • Officials from the U.S. CISA announced a new initiative to fight firmware vulnerabilities which made more than 2.5% of the National Vulnerability Database over the last five years.
  • The Biden Administration ordered an overhaul that focuses on cybersecurity spending, including helping companies upgrade cybersecurity measures as part of its $2.3 trillion infrastructure spending.
  • Microsoft released an open-source lab environment SimuLand that will help test and strengthen Microsoft 365 Defender, Azure Sentinel, and Azure Defender against real attack scenarios. 

The Bad

However, the respite is short-lived. The week saw an unnerving case of mixed-up video feeds because of an internal server flaw. Although poorly secured databases keep getting buried under other attacks, they continue to be a massive pain point for organizations. More than 20 apps were found leaking the personal information of tens of millions of users. It will be an injustice to end this blurb without talking about scams. This time families of missing people came under the radar of scammers. 

  • Personal data—names, email addresses, dates of birth, chat messages, location, and payment details—of over 100 million Android users was exposed due to unprotected databases used by 23 apps. Some of the apps are Logo Maker, Astro Guru, and T’Leva.
  • An internal server bug in Eufy home security cameras enabled strangers to view, pan, and zoom in on victims’ home video feeds. 
  • Australian digital real estate business Domain Group fell victim to a phishing attack that targeted its users by asking them to pay a deposit to secure rental property on a website nominated by the scammer. 
  • Most of the IT services of New Zealand’s Waikato District Health Board (DHB) were knocked offline following a ransomware attack. As a result, patient notes became inaccessible, clinical services were disrupted, and surgeries postponed.
  • Meal kit delivery scams impersonating well-known companies like Gousto and HelloFresh have surged. The scam leverages SMS and WhatsApp messages to reach its targets.
  • Taxpayers in South Korea, Australia, and the U.S. are being targeted in a phishing campaign pretending to be accounting ledgers. The campaign is used to distribute RATs.
  • The FBI warned about scammers actively targeting the families of missing persons to make quick money between $5,000 and $10,000. Hackers are leveraging social media posts to gather information about the missing person.
  • Avaddon ransomware gang added Acer Finance to its list of victims. The gang gave the firm 240 hours for negotiation before it starts leaking the stolen valuable company documents.
  • A pair of attacks hit Toyota. While the first one attacked Daihatsu Diesel, a subsidiary of Toyota; the other one was launched against Auto Parts Manufacturing Mississippi, another subsidiary. 
  • Betenbough Homes fell victim to an attack by REvil ransomware, following which the threat actor added the attack to its data leak site. 

New Threats

Leaked source codes serve as a base for the development of many new malware strains. One such instance this week was the new Simps botnet built using the codes of Mirai and Gafgyt. The MountLocker ransomware got a pretty nasty update and has come back with enhanced capabilities. Also this week, Magecart threat actors made news (again). 

  • Researchers unveiled a fake Microsoft Authenticator extension that can dupe users into sharing their account details. The extension has been downloaded 448 times.
  • The Royal Mail delivery firm, once again, came into the crosshairs of scammers aiming to evade security checks in a new phishing scam. The scam is initiated with recipients receiving SMS messages claiming that a parcel has been redirected to the local post office due to an unpaid shipping fee.
  • A new malware campaign has been spotted by Microsoft that spreads the Strrat RAT masquerading as ransomware. It aims to steal victims’ data. 
  • The new Simps botnet that conducts DDoS attacks has been linked to the Keksec group. The botnet borrows its code from Mirai and Gafgyt botnets.
  • A cyberespionage campaign, active since February, was discovered using the new RIG exploit kit propagating a new variant of WastedLocker ransomware. The campaign targets unpatched IE browsers using known VBScript flaws.
  • The MountLocker ransomware got an update and now uses enterprise Windows Active Directory APIs to spread laterally across victim networks. This enables the ransomware to find devices part of the compromised Windows domain and encrypt them using stolen domain credentials.
  • A new object injection vulnerability in the PHPMailer library—versions between 6.1.8 and 6.4.0—can allow attackers to conduct attacks such as code injection, SQL injection, path traversal, and application denial of service. 
  • A new wave of web skimming attacks by Magecart Group 12 threat actors was found stealing card details from Magento 1 websites.


qlocker ransomware
simps botnet
strrat malware
domain group
mountlocker ransomware
web skimming attacks
acer finance
nocry ransomware

Posted on: May 21, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.