Cyware Weekly Threat Intelligence, September 13–17, 2021

The Good

This week’s newsletter brings its share of good news. A ransomware decryptor came as a welcome gift for the victims of REvil ransomware. The U.S., the U.K., and Australia made a historic pact to collaborate on cybersecurity capabilities and several other critical technology areas.

  • The U.K., the U.S., and Australia announced a trilateral security and defense agreement. Named AUKUS, the pact requires the nations to collaborate in areas such as AI, quantum computing and other critical technologies, cyber capabilities, and defense-related supply chains.
  • Microsoft announced that users will no longer have to memorize or save passwords as it plans to go passwordless for Microsoft accounts in the coming weeks.
  • Bitdefender released a free master decryptor against REvil ransomware, which enables victims encrypted before July 13 to recover their files for free.
  • Under the Mutually Agreed Norms for Routing Security (MANRS), the Internet Society announced the launch of an Equipment Vendor Program. The program aims to reduce the most common threats to the internet routing system.
  • A six-kilometer-long optical fiber with a hollow core has been found to be effective in conducting Quantum Key Distribution (QKD). The QKD protocol is unhackable and can efficiently protect sensitive data from intruders.

The Bad

The week wouldn't be complete without mentioning attacks on healthcare facilities. A cyberattack in May resulted in the exfiltration of all patient data from Desert Wells Family Medicine. The threat of unsecured databases has not been eliminated yet, as is evident from the leak of 61 million users' data because of an exposed database at GetHealth. Also, Olympus suffered a ransomware attack by the infamous BlackMatter threat actor, and its networks were knocked offline.

  • Desert Wells Family Medicine reportedly lost all data—names, birth dates, addresses, billing account numbers, medical record numbers, and treatment information—entered into its EHR systems due to a cyberattack in May. In another incident, LifeLong Medical underwent a series of ransomware attacks that affected the personal data of over 100,000 patients.
  • Customer care giant TTEC was hit by a suspected ransomware attack launched by the Ragnar Locker gang. The group is known for demanding millions of dollars in ransom.
  • The Anonymous hacktivist group claimed to have pilfered about 180GB of data from web hosting provider Epik. The stolen data includes sensitive records of the provider’s clients and their domains.
  • Experts uncovered a phishing scam wherein hackers masqueraded as officials from the U.S. Transportation Department to acquire login credentials of targeted firms. The Department of Justice and Constitutional Development of South Africa suffered a ransomware attack that knocked out several of its IT services, including the national bail services.
  • An unsecured database at GetHealth exposed the health-related data of over 61 million users, pertaining to wearable technology and fitness services, including Fitbit, Google Fit, and Strava.
  • The U.S. FTC released alerts against fraudsters imitating potential romantic partners on online dating apps to carry out extortion targeting the LGBTQ+ community.
  • An attack by the BlackMatter ransomware group against Olympus servers crippled its computer networks across Europe, the Middle East, and Africa.
  • A long-running campaign against the aviation sector has finally been linked to a Nigerian threat actor. Dubbed Operation Layover, the campaign has been running for at least two years.

New Threats

This week presented us with Operation Harvest, a long-term cyberespionage campaign by a Chinese threat actor. The attackers had been able to stay undetected for quite some time. In another vein, Grief ransomware has followed in the footsteps of Ragnar Locker, becoming the second gang to threaten to leak all stolen data if victims contact data recovery experts. The ZLoader trojan is back in a new campaign leveraging fake Google ads.

  • Barlow Respiratory Hospital in California experienced a ransomware attack by the new Vice Society threat group, which is known for quickly exploiting new security flaws.
  • McAfee stumbled across a highly sophisticated APT group that has been using a mix of known and new malware packages under its attack campaign called Operation Harvest.
  • Grief ransomware has become the latest cybercriminal gang to warn its victims about deleting their files if they make attempts to call data recovery agents.
  • A new strain of malware, dubbed Capoae, is reportedly targeting WordPress and Linux systems worldwide. Written in Go, it brings cross-platform capabilities.
  • The Wizard Spider threat actor group has been associated with the recent exploitation of a Windows zero-day vulnerability related to the MSHTML browsing engine. The threat actor is known to propagate the Ryuk ransomware.
  • SentinelLabs reported a new campaign delivering the ZLoader banking trojan via fake Google advertisements for various software, including Discord, Zoom, TeamViewer, and Java plugins.
  • Cybercriminals reportedly created a Linux beacon, dubbed Vermilion Strike, compatible with Cobalt Strike, and used it to target Windows and Linux machines to harvest data.
  • The FBI, CISA, and CGCYBER issued a joint advisory warning against the exploitation of a critical bug in the Zoho ManageEngine ADSelfService Plus software by nation-state actors.
  • Trend Micro discovered an ongoing spam campaign by the APT-C-36 group that sends phishing emails to various entities in South America and delivers commodity RATs.
  • European and South American banks need to be vigilant as a new banking trojan, dubbed maxtrilha, has been targeting their customers in a new phishing campaign.
Posted on: September 17, 2021