Cyware Weekly Threat Intelligence, September 06–10, 2021

The Good

Remember the HSE attack earlier this year? The Gardai have confiscated the infrastructure used by the attackers. The CISA has issued new guidance for organizations in the private and government sectors, aimed at reinforcing cybersecurity resilience. In other news, researchers claim that training ML models on the visual representation of website code can improve the detection of phishing websites.

  • Kaspersky released a safety guide for Android users detailing how downloading or installing apps from stores other than Google Play jeopardizes their data and money.
  • A paper published by security researchers from the University of Plymouth and the University of Portsmouth found a way to speed up the detection of phishing websites. According to the paper, ML models trained on the visual representation of website code can enhance both the accuracy and the speed of the process.
  • The Biden Administration released multiple documents that serve as guidelines for agencies to implement cybersecurity architectures by the end of fiscal 2024. The documents will be out for public comment from October 01.
  • The Irish Gardai confiscated the cyberinfrastructure of the group involved in the HSE cyberattack earlier this year. Officials seized domains through which the attackers made 753 attempts against ICT systems worldwide.
  • A Ukrainian individual has been indicted by the U.S. Department of Justice for brute-forcing computer login credentials and then selling them on underground marketplaces.
  • The CISA published new guidelines for both private and government organizations to follow when outsourcing to managed service providers. The guidance is aimed at boards of directors and senior executives, network and system administrators, and procurement professionals.

The Bad

There’s no good way to say this, so here it goes: REvil is back. Two months ago the group suddenly disappeared, and now its equally sudden reemergence is sparking concern in the security community. Israel witnessed two unfortunate cyber incidents; in one of them, cybercriminals stole the personal information of seven million Israelis. Speaking of data theft, a hospital in Bangkok lost the personal and medical records of tens of thousands of patients.

A hacker allegedly stole the personal data of about seven million Israelis by compromising a website used by different municipalities in the country. In another unfortunate cyber incident in Israel, Darkrypt actors leaked about 20TB of data containing personal details of students and lecturers at Bar Ilan University after the institution refused to pay $2.5 million in ransom.

  • A cybercriminal, allegedly from the Groove ransomware gang, dumped approximately 500,000 Fortinet VPN login credentials on a hacker forum and a Telegram channel for free.
  • Personal and medical records of over 40,000 patients at Bhumirajanagarindra Kidney Institute Hospital, Bangkok, were stolen by a cybercriminal. A similar incident impacted Phetchabun Hospital last Sunday.
  • An unidentified hacker group hijacked a Russian government website and launched Bitcoin giveaway scams, wherein they asked users to install an application to qualify for schemes.
  • A massive DDoS attack hobbled Australia and New Zealand Banking Group’s New Zealand site and NZ Post due to an issue at one of its third-party providers.
  • Researchers noted that the leak site and other sites connected to the REvil ransomware group are back online, suggesting the group’s resurgence after it disappeared following the Kaseya attack.
  • Days after eHAC’s leak in Indonesia, another COVID-19 tracking app in the country named PeduliLindungi exposed personal data and vaccination information of residents, including that of the President.
  • A security misconfiguration in the storage servers of Texas Right to Life laid bare the personal data of at least 300 job applicants, via their resumes.
  • The visa website of the French government experienced a foreign intrusion that led to the exposure of personal data of about 8,700 users. Authorities denied the leak of any sensitive details.
  • The United Nations admitted to having suffered a data breach in April. Intruders accessed its networks, leading to further intrusions.

New Threats

The week witnessed another massive DDoS attack, this time against Yandex, conducted by the Mēris botnet. As threat actors evolve, so do their tactics. Ragnar Locker came up with one such extortion tactic: the group claims it will publish stolen data if victims contact law enforcement. However, we are yet to see them follow through. On the topic of ransomware actors, many of them are paying for initial access, increasing the prevalence of initial access brokers.

  • CoomingProject, a new hacker group, claimed responsibility for breaching the networks of the South African National Space Agency (SANSA) and stealing mostly space science research-related work.
  • Internet service provider Yandex is experiencing one of the biggest DDoS attacks in the history of RuNet, which began last week. The attack was launched by a new DDoS botnet named Mēris that draws its power from more than 250,000 compromised devices.
  • AT&T Alien Labs uncovered a new Chimaera campaign by the TeamTNT hacker group that targets multiple operating systems. The infection impacted thousands of devices globally.
  • A team of academics discovered a new side-channel technique in CPUs named Spook.js that can exploit the site isolation feature in Google Chrome and Chromium-based browsers to steal data.
  • The recently disclosed flaw in the Atlassian Confluence service was exploited in an attack to install a cryptocurrency miner. The flaw is tracked as CVE-2021-26084 and is related to an OGNL injection issue.
  • Microsoft warned of a new zero-day flaw affecting Internet Explorer. The flaw can be abused by leveraging a specially crafted Microsoft Office document.
  • ESET researchers stumbled across a mobile espionage campaign—active since March 2020—aimed at the Kurdish ethnic group. The campaign is conducted by the BlackHawk attackers who use Facebook and fake Android apps to trick users.
  • Ragnar Locker operators have adopted a new tactic to extort their victims. They have announced that they will leak the stolen data if the victims contact law enforcement agencies, negotiators, and data recovery experts.
  • Research reveals that ransomware operators are heavily relying on dark web marketplaces to purchase the network access of large companies. One of the posts was linked to BlackMatter ransomware operators who were willing to spend between $3,000 and $100,000 to buy network access.

Posted on: September 10, 2021