
Cyware Monthly Threat Intelligence


Monthly Threat Briefing Aug 2, 2021

The Good

Governments and private firms, alarmed by the most brazen intrusions of recent months, are working to contain the damage. A new open-source tool from GitLab helps developers detect malicious code in open-source dependencies. U.S. officials launched a single website for ransomware guidance. And academic researchers devised a way to encrypt photos stored on leading cloud photo services, including Google Photos, Apple, and Flickr.

  • GitLab released Package Hunter, an open-source tool that installs a project's dependencies in a sandbox and flags suspicious behavior during installation, so malicious code can be caught before it reaches a build. It currently supports NodeJS modules and Ruby Gems.

  • ENISA published 12 high-level recommendations for SMEs on strengthening their security as they adopt cloud services, upgrade their websites, and enable staff to work remotely.

  • The DoJ and DHS, together with other federal partners, launched StopRansomware.gov, a single site that consolidates ransomware detection, protection, and response guidance for organizations and other stakeholders.

  • Researchers at Columbia Engineering presented Easy Secure Photos (ESP), which they describe as the first practical way to encrypt personal images stored in cloud photo services. Images are encrypted on the user's device before upload, in a form the service still accepts as images, so neither the provider nor an attacker who compromises the account can view the originals.

  • Brazil established the Federal Cyber Incident Management Network to speed up the response to attacks and vulnerabilities and to coordinate federal government bodies.

The Bad

From the Pegasus revelations to Beijing One Pass, spyware grabbed the spotlight in July. Meanwhile, sensitive breaches kept sending shockwaves through organizations and their stakeholders. Data allegedly stolen from Saudi Aramco was held for a multi-million-dollar ransom. Officials in Florida and Taiwan suffered data leaks. And a cryptojacking campaign hit servers at more than 1,300 organizations worldwide.

  • Beijing One Pass, a Chinese state benefits app that foreign organizations in China are required to install to manage employee state benefits, was found to contain spyware-like features.

  • ZeroX claimed to have stolen 1TB of sensitive data from Saudi Aramco, which the company acknowledged weeks later, attributing the exposure to a third-party contractor. The data was offered for sale on several hacking forums, and the attackers reportedly demanded $50 million in an extortion attempt.

  • The Cuba ransomware gang hit Forefront Dermatology, exposing the personal details of 2.4 million patients and employees. Around 47MB of stolen data was dumped on the group's darknet leak site.

  • A consortium of media outlets reported that NSO Group's Pegasus spyware was misused to target activists, journalists, business executives, and politicians. The investigation was built on a leaked list of more than 50,000 phone numbers of potential targets; once installed, Pegasus can exfiltrate virtually all data from a phone.

  • Florida’s Department of Economic Opportunity (DEO) disclosed a data breach after threat actors allegedly accessed sensitive information in the CONNECT public claimant portal between April 27 and July 16. The affected data includes social security numbers, driver’s license numbers, and bank account numbers, among others.

  • LINE accounts of more than 100 Taiwanese politicians and government officials were hacked and their data stolen. Users were advised to turn on the app's end-to-end message encryption feature (Letter Sealing).

  • Players of the Ethereum-based NFT game Axie Infinity were targeted through malicious Google Ads that led to phishing pages, luring them into transferring funds out of their cryptocurrency wallets.

  • An SQL database dump belonging to Humana, containing names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, and medical treatment data for more than 6,000 patients, was posted on a hacker forum.

  • The Iran-linked TA453 group, also known as Charming Kitten, impersonated British scholars in a campaign dubbed Operation SpoofedScholars. Its aim was to steal credentials from senior professors at well-known academic institutions and from experts focusing on the Middle East.

  • Threat actors stole over $350,000 from users through a widespread scam involving more than 170 fake mobile apps. The apps, tracked as BitScams and CloudScams, promised to mine cryptocurrency on behalf of paying subscribers and delivered nothing.

  • A global cryptojacking scheme targeting more than 1,300 organizations was disclosed last month. It reportedly hit organizations in the health, tourism, media, and education sectors in the U.S., Vietnam, and India.

  • CNA Financial Corporation, a leading U.S. insurer, notified customers of a data breach stemming from the Phoenix CryptoLocker ransomware attack it suffered in March. Names and social security numbers of 75,349 individuals were compromised.

New Threats

Adversaries kept investing in new tooling and experimenting with it. Malware used to target European banking applications was upgraded and offered for sale on dark web forums. New ransomware groups, including Haron and BlackMatter, tried to carve out a place in the threat landscape. Meanwhile, researchers warned of serious flaws in IP cameras.

  • The Oscorp mobile malware was revamped as the UBEL Android botnet and is on sale for $980 on underground forums. It can read and send SMS, record audio, and install and remove applications, among other capabilities.

  • Researchers identified a new ransomware family, Haron, that borrows code and tactics from the Thanos and Avaddon ransomware. Separately, the new BlackMatter ransomware was spotted recruiting affiliates and claims to be the successor of the now-defunct DarkSide and REvil operations.

  • A new malware strain dubbed MosaicLoader targeted systems through cracked software installers and dropped further sophisticated malware such as Glupteba. It includes several anti-analysis techniques to slip past antivirus software.

  • A new Android RAT, dubbed Vultur, abuses screen recording to capture credentials and other sensitive data from compromised devices. So far, Vultur has infected between 5,000 and 8,000 users.

  • Microsoft released an out-of-band security update for the PrintNightmare vulnerability (CVE-2021-34527) in the Windows Print Spooler. Amid reports that the patch could be bypassed on hosts where Point and Print restrictions were not enforced, security researchers uncovered further local privilege escalation bugs in the spooler.

  • ANSSI issued an alert bulletin warning of a new series of attacks against many French organizations. The campaign was allegedly coordinated by the China-sponsored APT31 group.

  • The Hancitor malware adopted a new technique that requires a cookie before serving its payload, defeating URL scrapers and sandboxes that fetch links without one. It also sends malicious emails and deploys Cobalt Strike beacons.

  • The SideCopy cyberespionage group deployed several custom RATs against Indian government officials. The malware used by the group includes CetaRAT, DetaRAT, ReverseRAT, MargulasRAT, njRAT, Allakore, ActionRAT, Lilith, and Epicenter RAT.

  • The WildPressure APT group resurfaced with new versions of its Milum trojan for both Windows and macOS systems. Dubbed Guard and Tandis, the trojans give the threat actors remote control of the compromised device.

  • A previously undocumented Python-based backdoor called BIOPASS RAT abused Open Broadcaster Software (OBS) Studio’s live-streaming capability to stream its victims' screens to the attackers. The malware is under active development.

  • IP cameras sold by a dozen vendors were found vulnerable to remote attack because of a dozen serious and high-severity flaws in UDP Technology firmware. Eleven of the flaws enable remote code execution and one is an authentication bypass.
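Given the back-and-forth over whether the PrintNightmare patch was complete, a practitioner's first question is whether a given host is still exposed. The PowerShell audit below is an added example, not part of the original briefing and not Microsoft's tooling. It checks the three things Microsoft's own mitigation guidance for CVE-2021-34527 pointed to: whether the Print Spooler service is running, whether it still accepts remote RPC connections, and whether the Point and Print policy values are in their hardened state. The function name and report format are this example's own choices. The KB number it looks for (KB5004945) is the out-of-band update for Windows 10 2004/20H2/21H1; other Windows versions received differently numbered packages, so treat that check as a best-effort hint and pass the right KB for the host.

```powershell
# Added example (not from the briefing or from Microsoft): audit one host for the
# Print Spooler exposure behind PrintNightmare (CVE-2021-34527).
# Registry paths and values are those named in Microsoft's mitigation guidance;
# the function name and output format are choices made for this example.

function Test-PrintSpoolerExposure {
    [CmdletBinding()]
    param(
        # Out-of-band update for Windows 10 2004/20H2/21H1. Other versions got
        # other KB numbers, so pass the one matching the host when needed.
        [string[]]$ExpectedKB = @('KB5004945')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Spooler service state. Microsoft's first mitigation: stop and disable the
    #    service on every host that does not need to print or share printers.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add('Print Spooler service not found; nothing to assess.')
        return $findings
    }
    if ($spooler.Status -eq 'Running') {
        $findings.Add("Print Spooler is running (start type: $($spooler.StartType)).")
    }

    # 2. Inbound remote printing. Policy value RegisterSpoolerRemoteRpcEndPoint:
    #    1 = accept client connections (default), 2 = refuse them.
    $printers = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $printers -Name RegisterSpoolerRemoteRpcEndPoint `
               -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    if ($rpc -ne 2) {
        $shown = if ($null -eq $rpc) { 'not set' } else { $rpc }
        $findings.Add("Spooler still accepts remote RPC connections (RegisterSpoolerRemoteRpcEndPoint: $shown).")
    }

    # 3. Point and Print hardening. The July 2021 fix is only effective when
    #    NoWarningNoElevationOnInstall and UpdatePromptSettings are 0 (or absent)
    #    and RestrictDriverInstallationToAdministrators is 1.
    $pnp   = Join-Path $printers 'PointAndPrint'
    $props = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
    $rules = @(
        @{ Name = 'NoWarningNoElevationOnInstall';              Expected = 0; AbsentIsSafe = $true  },
        @{ Name = 'UpdatePromptSettings';                       Expected = 0; AbsentIsSafe = $true  },
        @{ Name = 'RestrictDriverInstallationToAdministrators'; Expected = 1; AbsentIsSafe = $false }
    )
    foreach ($rule in $rules) {
        $actual = if ($null -ne $props) { $props.($rule.Name) } else { $null }
        if ($null -eq $actual) {
            if (-not $rule.AbsentIsSafe) {
                $findings.Add("$($rule.Name) is not set (expected $($rule.Expected)).")
            }
        } elseif ($actual -ne $rule.Expected) {
            $findings.Add("$($rule.Name) is $actual (expected $($rule.Expected)).")
        }
    }

    # 4. Best-effort patch check against the installed-hotfix list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $missing   = $ExpectedKB | Where-Object { $_ -notin $installed }
    if ($missing) {
        $findings.Add("Expected update(s) not listed by Get-HotFix: $($missing -join ', ').")
    }

    return $findings
}

$results = Test-PrintSpoolerExposure
if ($results.Count -eq 0) {
    Write-Output 'No PrintNightmare exposure findings on this host.'
} else {
    Write-Output "Findings on $($env:COMPUTERNAME):"
    $results | ForEach-Object { Write-Output " - $_" }
}

# Remediation on a host that does not need to print (run elevated):
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```

Run it in an elevated session so the policy keys are readable. An empty result means the spooler is stopped or fully hardened; on a print server, where the service must stay running, the Point and Print findings are the ones to act on, since those are the settings that decided whether the July patch held or could be bypassed.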
