Go to listing page

Cyware Daily Threat Intelligence July 15, 2021

Cyware Daily Threat Intelligence July 15, 2021

Share Blog Post

The hide-and-seek game between security experts and threat actors is becoming complicated as the latter continue to hone their tools and techniques. Several sophisticated espionage campaigns that went undetected for months, maybe years, have come to light lately. Most of them are associated with the Mespinoza aka PYSA ransomware gang who made it possible using Gasket and MagicSocks tools. 

In another incident, Google shared detailed information about the mass exploitation of four zero-day flaws affecting multiple browsers in different malware campaigns. These flaws affected Google Chrome, Internet Explorer, and WebKit. SonicWall also warned its customers about a potential ransomware campaign that could exploit the unpatched and outdated versions of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products.

Top Breaches Reported in the Last 24 Hours

Forefront Dermatology attacked
Forefront Dermatology disclosed details about a ransomware attack that affected the personal details of 2.4 million patients and employees. The ransomware used in the incident is known as ‘Cuba’. In total, 47MB of data stolen from the firm has been dumped on the threat actors’ darknet site.

Multiple espionage campaigns tracked    
Google researchers have shed light on multiple espionage campaigns that leveraged four zero-day flaws in Chrome, Safari, and Internet Explorer. Furthermore, the exploits for three of the four zero-days were sold to government-backed threat actors. The four flaws in question are tracked as CVE-2021-1879, CVE-2021-21166, CVE-2021-30551, and CVE-2021-33742.
SonicWall warns about an attack
SonicWall is notifying customers about a potential ransomware attack campaign that targets its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products. The ultimate goal of the campaign is to steal credentials. It has urged users to update the products to the latest versions to stay safe.

Monero mining campaign 
A threat actor gang based in Romania was found using a never-seen-before SSH brute forcer, dubbed Diicot brute, to crack passwords on Linux machines. The main purpose of the campaign is to deploy Monero mining malware. 

Top Malware Reported in the Last 24 Hours

KiwiSDR removes a backdoor
KiwiSDR, a software-defined radio project, has removed a backdoor from radio devices that granted root-level access. This could have allowed threat actors to probe into IoT devices, take them over, and begin traversing to adjacent radio devices. 

Netwire RAT spotted
A spear-phishing campaign that targeted a wide range of organizations in Pakistan was found distributing Netwire RAT. The attackers used the email information stolen from a website of the Pakistani government to lure victims. The RAT was deployed in the final stage to steal sensitive information.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft addresses bypass flaw
Microsoft has addressed a Windows Hello authentication bypass vulnerability that can allow attackers to trick the facial recognition system and take control of a device. Tracked as CVE-2021-34466, the flaw can be exploited when attackers have physical access to a device. The flaw has been addressed in this month’s security patch update.

Lenovo issues patches
Lenovo has issued patches for three BIOS vulnerabilities affecting its products. The flaws are identified as CVE-2021-3452, CVE-2021-3453 (affecting ThinkPad models), and CVE-2021-3614 (affecting Lenovo notebook).

ICS patched
Siemens and Schneider Electric have issued patches for a total of roughly 100 vulnerabilities affecting their products. Some of the vulnerabilities have already been patched by Siemens, while others are in the process of being fixed. Meanwhile, Schneider Electric has released advisories covering 25 vulnerabilities in EcoStruxure, SCADAPack, Modicon, Easergy, C-Bus Toolkit, and EVlink products. 

Top Scams Reported in the Last 24 Hours

Coinbase users targeted
Dozens of phishing campaigns have been found targeting Coinbase users. The purpose of these campaigns is to steal Coinbase login credentials for the theft of cryptocurrency and financial and personal information. The campaigns are being executed via phishing emails with different contents that trick users into clicking on a link that spoofs the Coinbase login page.


webkit browsers
secure mobile access sma 100 series
forefront dermatology

Posted on: July 15, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite