
Cyware Weekly Threat Intelligence, October 11–15, 2021


The Good

Federal agencies have amped up their cybersecurity defenses as cybercriminals continue to run rampant. The CISA issued a guide that federal agencies can follow to secure their networks and block unauthorized remote users. In this week’s update of who arrested whom, Ukrainian law enforcement arrested an individual responsible for turning thousands of devices into a botnet.

  • The U.K.'s NCSC released updated guidance for employees who use their personal devices for work. It covers the zero trust architectural approach and the security challenges of BYOD.
  • The White House sanctioned an order allowing the CISA to assess existing endpoint security deployments across federal agencies.
  • The CISA released a new guidance document for federal agencies on how to secure their networks and block unauthorized remote users from accessing internal resources.
  • The Australian government laid out its Ransomware Action Plan, featuring a new set of standalone criminal offenses for ransomware actors, including those who target critical infrastructure.
  • Ukrainian police detained a cybercriminal accused of turning 100,000 devices into a botnet to launch DDoS attacks and other malicious activities on behalf of his clients.
  • Researchers at Purdue University created a self-aware algorithm that can fend off hacking attempts. This model sends one-time signals to each component and converts them into active monitoring systems.

The Bad

The education sector continues to be a lucrative target for threat actors as certain miscreants disabled the IT systems of the University of Sutherland. In a concerning turn of events, security agencies confirmed silent attacks on three water and wastewater treatment facilities in the U.S. And, Olympus fell again as unknown hackers took down its IT systems.

  • Thingiverse, a platform for sharing user-created digital design files, exposed a 36GB MySQL database containing 228,000 unique email addresses and user PII.
  • The University of Sutherland in the U.K. was hit by a cyberattack that tore down its IT systems. Online lectures remain inaccessible.
  • According to a new report from Approov, APIs used in Fast Healthcare Interoperability Resources (FHIR) apps are vulnerable to abuse, putting 4 million patient and clinician records at risk.
  • A misconfigured Elasticsearch server at Brazilian e-commerce firm Hariexpress exposed about 1.8 billion records containing PII of customers as well as sellers.
  • Unknown hackers allegedly targeted Olympus, forcing it to shut down its IT systems in the U.S., Latin America, and Canada.
  • Microsoft reported a 2.4 Tbps DDoS attack via a botnet composed of about 70,000 devices, targeted at an Azure customer in Europe.
  • Oregon Eye Specialists laid bare personal, financial, and medical information of customers in a breach involving unauthorized activity on employee email accounts.
  • A joint advisory by the FBI, CISA, NSA, and EPA revealed that hackers attacked three U.S. water and wastewater treatment facilities this year. The attacks hit facilities in Nevada, Maine, and California in March, July, and August, respectively.
  • A ransomware attack against the Hillel Yaffe Medical Center in Israel forced it to cancel non-urgent procedures as IT systems were disabled.
  • Acer confirmed being hit by a security breach after hackers put over 60GB of company data, including customer details and login information, on sale on an infamous underground forum.

New Threats

Another ransomware emerged that warns victims against seeking help from law enforcement. Dubbed Yanluowang, this ransomware family has launched highly targeted attacks against large enterprises. The FreakOut botnet is on a mission to compromise as many systems as possible and deploy cryptominers. The NSA warned that wildcard TLS certificates can enable the new ALPACA TLS attack.

  • Symantec Threat Hunter uncovered a new strain of ransomware, dubbed Yanluowang, targeting virtual machines in enterprises. The attackers also warn victims not to approach law enforcement for help.
  • NCC Group observed a new threat actor, dubbed SnapMC, that steals data for data extortion attacks. The attackers use the Acunetix vulnerability scanner to hunt for flaws in VPN solutions and web server apps.
  • Juniper Threat Labs spotted the Necro botnet, aka FreakOut, targeting a flaw in Visual Tools DVR systems and deploying Monero miners on compromised systems.
  • Kaspersky unearthed a cyberespionage campaign exploiting a zero-day flaw in Windows to deliver MysterySnail malware and steal data. A connection to the Chinese-speaking APT IronHusky was also established.
  • INKY experts reported a phishing attempt targeted at Verizon that uses a mathematical symbol to bypass anti-phishing systems and harvest users’ Office 365 credentials.
  • Iran-linked hackers, tracked as DEV-0343, were found conducting extensive password spraying attacks against Office 365 accounts of defense technology and global maritime firms in the U.S. and Israel.
  • The NSA warned organizations against using wildcard TLS certificates, which can expose them to the new ALPACA TLS attack, and listed recommendations for securing web servers.
  • Imperva stumbled across a browser extension called AllBlock that claims to block ads but also runs a background script in every open tab to inject ads on Chrome or Opera.
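The password spraying item above describes the pattern defenders need to catch: one source tries a small number of passwords against many distinct accounts, so per-account lockout thresholds never trip. The script below is an added example, not Cyware's or any vendor's code, and the sign-in records, IP addresses and account names in it are constructed documentation values in an assumed space-separated format (timestamp, source IP, account, result). It flags sources whose failures are spread across many accounts with few attempts each, and separates that from a classic single-account brute force, which the same thresholds ignore.

```python
"""Password-spray detection over sign-in records (added example, not Cyware's code)."""
from collections import defaultdict

# Constructed sample sign-in records, one per line: timestamp, source IP, account, result.
# Addresses are RFC 5737 documentation ranges and accounts are example.com: not real indicators.
SAMPLE_LOG = """\
2021-10-12T08:00:01Z 203.0.113.10 alice@example.com FAILURE
2021-10-12T08:00:03Z 203.0.113.10 bob@example.com FAILURE
2021-10-12T08:00:05Z 203.0.113.10 carol@example.com FAILURE
2021-10-12T08:00:07Z 203.0.113.10 dave@example.com FAILURE
2021-10-12T08:00:09Z 203.0.113.10 erin@example.com FAILURE
2021-10-12T08:00:11Z 203.0.113.10 frank@example.com SUCCESS
2021-10-12T08:01:00Z 198.51.100.7 carol@example.com FAILURE
2021-10-12T08:01:02Z 198.51.100.7 carol@example.com FAILURE
2021-10-12T08:01:04Z 198.51.100.7 carol@example.com FAILURE
2021-10-12T08:01:06Z 198.51.100.7 carol@example.com FAILURE
2021-10-12T08:01:08Z 198.51.100.7 carol@example.com FAILURE
2021-10-12T08:02:00Z 192.0.2.5 dave@example.com FAILURE
2021-10-12T08:02:30Z 192.0.2.5 dave@example.com SUCCESS
"""


def parse_record(line):
    """Split one assumed-format record into its fields; accounts are normalised to lower case."""
    ts, ip, account, result = line.split()
    return {"ts": ts, "ip": ip, "account": account.lower(), "result": result.upper()}


def detect_password_spray(lines, min_accounts=5, max_failures_per_account=2):
    """Return one alert per source IP whose failed sign-ins hit at least `min_accounts`
    distinct accounts with no more than `max_failures_per_account` failures on any one
    of them. A source hammering a single account (brute force) or a user mistyping
    their own password does not match this shape and is not reported here."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> failure count
    successes = defaultdict(set)                       # ip -> accounts that signed in OK

    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["result"] == "FAILURE":
            failures[rec["ip"]][rec["account"]] += 1
        elif rec["result"] == "SUCCESS":
            successes[rec["ip"]].add(rec["account"])

    alerts = []
    for ip, per_account in failures.items():
        if len(per_account) < min_accounts:
            continue  # too few distinct targets to be a spray
        if max(per_account.values()) > max_failures_per_account:
            continue  # deep attempts on one account: brute force, not a spray
        alerts.append({
            "ip": ip,
            "accounts": sorted(per_account),
            # Any account that authenticated from the spraying source is the first
            # thing to check: in the sample that is frank@example.com.
            "compromised": sorted(successes[ip]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LOG.splitlines()):
        print(f"{alert['ip']}: {len(alert['accounts'])} accounts sprayed, "
              f"successful sign-ins from same source: {alert['compromised']}")
```

On the sample data only 203.0.113.10 is reported: five accounts with one failure each and a subsequent success on a sixth, while 198.51.100.7 (five failures on one account) and 192.0.2.5 (a user who got their password right on the second try) fall outside the spray shape. In production the same logic would run per time window and key on more than the source address, since spraying is routinely distributed across many IPs.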


Posted on: October 15, 2021
