Cyware Weekly Threat Intelligence, October 18–22, 2021

The Good

While the enemy of my enemy is not always a friend, it is always fun to watch hackers pitted against each other. In one such case, REvil has been forced to close up shop once more! We always love bringing indictment news to you. In this week's round of arrests, the Dutch Police detained nine bank help desk fraudsters and the South African Police arrested eight suspects for siphoning off funds from romance scam victims.

  • The Tor payment portal and data leak site of REvil went offline after an unknown party, holding the same private keys as the gang, hijacked the group's domains. The hacked server now redirects to other services.
  • Trustwave has made a BlackByte decryptor available for download on GitHub. This Windows ransomware uses the double extortion technique against its victims.
  • The Dutch Police detained nine bank help desk fraudsters for targeting elderly people via phone calls and stealing their money. The investigators also froze the cryptocurrency assets belonging to the suspects.
  • Eight suspects were arrested by the South African Police Service for stealing and laundering more than $6.85 million from the victims of online romance scams.
  • Twitter suspended two accounts that were part of a long-running DPRK cyberespionage campaign operated by North Korean government hackers. The accounts redirected security researchers to malicious websites in order to infect them with malware.

The Bad

Cookie monsters have been crushed! Google's TAG team discovered that some 4,000 YouTube creators were targeted with cookie-stealing malware in a phishing campaign that spanned two years. The week has been gloomy, but especially so for the Argentinian government, as a hacker gained access to the National Registry of Persons and stole the ID card details of the entire population. Medical facilities were not spared either: an insider breach by a former employee of University Hospital Newark exposed the sensitive information of thousands of individuals.

  • High-profile YouTube creators were targeted with cookie-theft malware in phishing attacks in which the hackers offered them fake collaboration opportunities. The campaign went on for two years.
  • LightBasin, an alleged Chinese hacker group, infiltrated at least 13 telecommunication companies around the globe and accessed call records and messages.
  • Data pertaining to at least one million users of Quickfox VPN was left open to the internet due to an unprotected Elasticsearch instance. The 100GB data trove contained 500 million sensitive records, including system data on 300,000 customers and PII of a million users.
  • The AvosLocker ransomware gang claimed to have breached the Taiwanese company Gigabyte. The group has leaked some samples that allegedly belong to the victim firm.
  • CISA, the FBI, and the NSA released a joint advisory warning critical infrastructure entities—including two U.S. food and agriculture sector organizations—against BlackMatter ransomware intrusions.
  • The Argentinian Interior Ministry was targeted by a cybercriminal who pilfered ID card details for the entire population, including the country's President and other political figures, journalists, and the soccer personalities Lionel Messi and Sergio Aguero.
  • After the attack on Acer India, the company announced that Acer Taiwan had also suffered an attack. According to the company, no customer data was exposed in this attack.
  • Health insurance company Anthem's vendor PracticeMax and UMass Memorial Health separately disclosed that PHI and other data of their members and employees were exposed in different cyberattacks.
  • University Hospital Newark disclosed that the sensitive personal and medical records of 9,329 individuals were illegally accessed by a former employee for over a year.
  • A malware campaign in South Korea is spreading RATs disguised as an adult game. The malware is distributed through torrents and webhards.

New Threats

The week presented us with two distinct new espionage campaigns. One was conducted by TA551; the other, whose perpetrator is still unknown, targeted Southeast Asia. Academic researchers from the U.S. discovered a new fingerprint-capturing attack called Gummy Browsers and warned that it is easy to perform and can have severe implications. The financially motivated TA505 gang has been propagating a new FlawedGrace RAT strain.

  • A new espionage campaign was attributed to TA551. The threat actor relies on email threads to target its victims and uses the legitimate open-source tool Sliver.
  • The new MirrorBlast malware was spotted in a phishing campaign linked to the TA505 and PYSA groups.
  • Three malicious npm packages—klow, klown, and okhsa—were downloaded 150 times before being removed. They ran cryptocurrency-mining malware on Windows and Linux systems.
  • Researchers at Texas A&M University and the University of Florida discovered Gummy Browsers, a new fingerprint-capturing and browser-spoofing attack.
  • Southeast Asia was hit by a new espionage campaign that targeted the defense, healthcare, and ICT sectors. The campaign began in September 2020 and ran at least until May this year.
  • In a new analysis, Karma ransomware and Nemty variants were found to share similarities, including the exclusion of certain extensions and folders and the presence of debug messages.
  • Cryptojacking group TeamTNT was spotted hosting malicious container images on Docker Hub that install basic utilities and the scanning tools Zgrab and masscanner to find more machines for cryptomining.
  • Academics from several universities developed a new attack technique, dubbed SmashEx, that targets Intel SGX and can allow adversaries to steal confidential data from Intel CPUs.
  • Symantec reported a hitherto unknown nation-state actor, Harvester, whose targets are South Asian telecom providers, IT firms, and government entities.
  • Proofpoint unmasked a high-volume email campaign by the TA505 group that delivers a new version of the FlawedGrace RAT across a wide range of industries.

Posted on: October 22, 2021