Go to listing page

Cyware Weekly Threat Intelligence, September 20–24, 2021

Cyware Weekly Threat Intelligence, September 20–24, 2021

Share Blog Post

The Good

Before you take that sip of coffee, rejoice as 106 cybercriminals associated with the Italian Mafia were busted by European law enforcement agencies. The U.S. government has taken yet another step to make the lives of ransomware gangs difficult by imposing sanctions on a complicit Russian crypto exchange. No further pitstop, as we take you through the rest of the updates from the cybersecurity world this week. 

  • A joint operation by the Europol, Italian and Spanish law enforcement culminated in the arrests of 106 members of the Italian cybercrime nexus for their involvement in multi-million-dollar cybercrime and money laundering activities.
  • The Australian state of Victoria's government initiated a new five-year-old cyber strategy that plans on allocating 50 million AUD to reinforce the state’s cyber resilience. The strategy would primarily emphasize the safe delivery of government services and designing a vibrant cyber economy and safe cyberspace.
  • The U.S. Treasury Department imposed sanctions on Suex cryptocurrency exchange for facilitating ransom transactions to at least eight ransomware variants and helping them evade sanctions.
  • The Brazilian government issued a data protection guide that aims to raise awareness among the public. The guide delineates the rights of data holders and provides recommendations on how they can protect their information.


The Bad

A vast amount of ransomware attacks have been witnessed against the healthcare, education, and government sectors in recent times. However, it is time to shift our focus on the food and agriculture sector as ransomware actors hit NEW Cooperative and Crystal Valley Cooperative. Also, let’s bring back some of the focus on cybersecurity of the healthcare sector as two distinct ransomware actors attacked two medical facilities in LA and Missouri, while Simon Eye underwent a seven-day-long data breach. 

  • WizCase uncovered an unprotected database exposing over one terabyte of data in 5.5 million files pertaining to hundreds of thousands of employees of a Colombian firm, Coninsa Ramon. EventBuilder, an event management firm, exposed roughly a million records—affecting the PII of at least 100,000 event registrants—via an unprotected Azure Blob storage.
  • REvil ransomware has designed a backdoor that enables it to hijack victim chats and in turn, swindle affiliates of their ransom cuts.
  • Delta Medical Center in Missouri and Barlow Respiratory Hospital in Los Angeles suffered ransomware attacks by Hive and Vice Society ransomware gangs, respectively. The groups stole confidential patient data.
  • A critical flaw was reported in Microsoft’s Autodiscover protocol, a feature to configure Exchange clients such as Outlook, which jeopardizes user credentials.
  • Post security audit, the Lithuanian Defense Ministry underlined that two Chinese models—Huawei P40 5G and Xiaomi Mi 10T 5G—breach user privacy and have secret censorship capabilities.
  • NEW Cooperative was hit by a $5.9 million ransom demand after the BlackMatter group claimed to have stolen a terabyte of data. This incident was soon followed by Crystal Valley Cooperative, one of the largest U.S. agriculture businesses, being hit by a potential ransomware attack. The FBI has issued warning against burgeoning threats against the food and agriculture sectors.
  • Cross-chain protocol pNetwork suffered a loss of more than $12 million worth of crypto assets as attackers abused a codebase vulnerability. 
  • The U.S. optometry provider Simon Eye reportedly experienced a seven-day-long data breach encompassing sensitive records of more than 144,000 individuals.  
  • A popular hacker forum was found selling a database allegedly containing 3.8 billion Clubhouse and Facebook user records. While the entire database has a price tag of $100,000, the owner would split it into parts. 
  • The DOJ unveiled that AT&T suffered a loss of more than $200 million after a Pakistani fraudster managed to illegally unlock nearly two million phones.


New Threats

The cyberespionage world got a new entrant—FamousSparrow—that is hanging like an albatross around the neck of cybersecurity professionals. The group is targeting hotels and governments. A new crypto scam is making the rounds, pretending to be Elon Musk Mutual Aid Fund. In other news, a massive phishing-as-a-service operation was uncovered by Microsoft.  

  • FamousSparrow, a new entrant to the cyberespionage space, is reportedly spying on users across multiple sectors, including government, engineering, legal, and hospitality.
  • Microsoft laid bare a massive Phishing-as-a-Service operation called BulletProofLink that offers built-in hosting and email-sending services, and more, at a relatively low cost.
  • A new TangleBot smishing campaign was discovered targeting Android users in the U.S. and Canada with lures related to COVID-19 regulations and vaccine information.
  • Six new versions of the Jupyter infostealer have been disclosed, which use digitally signed certificates to avoid detection.
  • Drinik banking trojan was spotted in a new attack campaign that targeted more than 27 public and private banks across India. It collects full names, email addresses, call logs, message logs, and financial details of users.
  • A new fileless attack campaign dubbed Water Basilisk used a new variant of HCrypt crypter to distribute numerous RATs to target systems. 
  • The newly discovered TinyTurla backdoor is being used in attacks against the U.S., Germany, and Afghanistan. The campaign uses DLL side loading technique to evade detection.
  • A low-effort cryptocurrency giveaway scam called Elon Musk Mutual Aid Fund or Elon Musk Club was found making its way into victims’ inboxes.

 Tags

blackmatter ransomware
revil ransomware
tinyturla
jupyter stealer
phishing as a service
simon eye
crystal valley cooperative
pnetwork
new cooperative
tanglebot
bulletprooflink
famoussparrow apt group
hcrypt
drinik trojan

Posted on: September 24, 2021


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.