Cyware Weekly Threat Intelligence, September 27-October 01, 2021

The Good

October is finally here! Temperatures are finally cooling down, but cybersecurity is officially heating up as the 18th National Cybersecurity Awareness Month kicks off. To start with some great initiatives, the CISA, along with other law enforcement agencies, has released self-assessment tools and solutions to protect organizations against insider threats and VPN attacks respectively. In other news, the UK government has launched a new emergency hotline to tackle surging financial scams in the country.

  • A new emergency hotline has been launched to tackle the rising financial scams in the U.K. The service will work in a similar way to non-emergency police or NHS services. 
  • The CISA has launched multiple prevention and detection tools as well as solutions to mitigate the rising risk of insider threats and attacks on VPNs. Additionally, they have released guidance on securing critical assets.
  • The Security Service of Ukraine (SSU) experts took down an illegitimate network of call centers located in Lviv following the discovery of a scam. The perpetrators behind this scam used covert channels to get in touch with customers and deceived them in a fraudulent scheme for investing in cryptocurrency.

The Bad

There were some bad moments in the cyber ecosystem this week that pushed organizations to be more alert and proactive in securing their systems. Two new threat actors, named Wintervivern and ChamelGang, each with distinct capabilities, were spotted by researchers. Ransomware groups expanded their scope by launching attacks against hundreds of bookstores across Europe.

  • A data breach at FarFaria resulted in the leak of 38 GB of data due to a misconfigured MongoDB database. 
  • Researchers detected several sophisticated cyberespionage campaigns from new threat actor groups, namely Wintervivern and ChamelGang. While the former targeted European governments, the latter was held responsible for attacks on an energy company.
  • Around 15 Russian financial organizations were targeted in DDoS attacks between August and September this year. While the attacks were serious, the attackers failed to disrupt the performance of credit institutions. 
  • Hundreds of bookstores across multiple countries in Europe were crippled following a ransomware attack. The impacted store chains include Libris, Aquarius, Malperthuis, Donner, Atheneum, and Bookhandels. 
  • The Conti ransomware gang claimed an attack on JVCKenwood, stealing 1.7TB of data. The gang further upgraded its tactics by hiring affiliates to destroy victims' backups.
  • Transportation organizations such as Forward Air and Navistar were hit by separate security breaches that exposed sensitive details of their customers and employees.

New Threats

The discovery of new malware also raises security concerns for organizations. Among the new malware uncovered this week are Tomiris, FoggyWeb, and Sarwent. Mirai and FormBook also got a makeover to launch more sophisticated attacks.

  • The Nobelium threat actor group has been linked with two new backdoors, dubbed Tomiris and FoggyWeb, that are capable of deploying additional payloads. The Tomiris malware was part of a cyberespionage campaign targeting organizations in Eastern Europe.  
  • New variants of the Mirai botnet and the FormBook infostealer were spotted in different campaigns that exploited zero-day vulnerabilities in RUIJIE routers and Office 365 respectively. DoppelDridex, a variant of Dridex, was also found using Slack and Discord CDNs as channels for propagation. An upgraded version of FinSpy was also found using a UEFI bootkit to infect its victims.
  • BloodyStealer was used to target gamers in Europe, Latin America, and the Asia-Pacific region in an attempt to steal their login credentials. 
  • The week witnessed the emergence of several new malware families, such as PixStealer, MalRhino, and GriftHorse. All of them have been designed to pilfer the banking details of users across the globe.
  • The recently discovered BrakTooth flaws were found to impact devices used in the healthcare sector. Exploitation of these flaws can lead to anything from a system shutdown to a potential data breach.
  • A brand new malware, dubbed Sarwent, was associated with a campaign that pretended to safeguard users from the Pegasus mobile spyware. The campaign impersonated the Amnesty International website to lure users. The Sarwent malware contains the usual abilities of a RAT. 

Posted on: October 01, 2021