Cyware Weekly Threat Intelligence July 19–23, 2021

Weekly Threat Briefing • Jul 23, 2021
The Good
This week brings Kaseya attack victims a fresh piece of good news in the form of a universal decryptor. Seems like the nightmare is finally over. Arrests of cybercriminals always set us in the right mood for the weekend. The individual responsible for the mega-Twitter hack last year has been arrested in a Spanish town.
CISA, the FBI, and the NSA issued a joint cybersecurity advisory on rising Chinese state-sponsored cyber activities and offered mitigation steps to protect the federal government.
After securing a court order, Microsoft will be taking down malicious homoglyph domains that scammers or hackers register to spoof legitimate sites of various businesses and brands.
Kaseya received a universal decryptor for the victims of REvil ransomware to help them recover and restore their systems.
A U.K. citizen was arrested in Estepona, Spain, for his involvement in the Twitter hack of July 2020, which resulted in the compromise of 130 high-profile accounts.
Group-IB and the Dutch National Police tracked down alleged members of the cybercrime group named Fraud Family. The group develops, sells, and rents sophisticated phishing frameworks.
A study by Columbia Engineering revealed the first way to encrypt personal images in cloud photo services. Dubbed Easy Secure, the system encrypts images before they are uploaded to the cloud, so that neither attackers nor the service itself can decrypt them.
The Bad
Commercial spyware has always been a cause of concern in the cyber landscape. One such spyware, Pegasus, was used to target thousands of smartphones to pilfer confidential information. The Olympics are here and hackers are busy taking advantage of it. Data from the Tokyo Olympic ticket gateway were posted on a leak forum. Identity theft is not a joke, especially not when hackers exploit the recent condo-collapse tragedy to steal the identities of the deceased.
Italy-based TicketClub fell victim to a security breach, and the data of over 300,000 users were put up for sale on the RaidForums marketplace. The threat actor responsible goes by the online name of bl4ckt0r.
An SQL database belonging to Humana leaked highly sensitive data—patients’ names, IDs, email addresses, password hashes, Medicare Advantage Plan listings, and medical treatment data—of over 6,000 patients on a hacker forum.
Cloudstar was hit by ransomware that disrupted its systems. Presently, only the Office 365 mail services, the email encryption offering, and some support services are fully operational.
Cybercriminals are taking advantage of the recent tragic condo collapse incident in South Florida to steal the identities of deceased members.
A malspam campaign was found delivering Remcos RAT via financially-themed emails. The types of attachments used to lure users are related to transaction invoices, appraisal reports, and payment advice, among others.
Scammers launched multiple fake American Rescue Plan Act signup sites to harvest credentials and personal information from users. The fake sites imitate government websites and ask for names, social security numbers, and photos of drivers’ licenses from targets.
ZeroX claimed to have stolen 1TB of sensitive data from Saudi Aramco. The stolen data has been put up for sale on multiple hacking forums. Saudi Aramco denied the hack.
Pegasus malware has been linked to worldwide espionage attacks that targeted activists, journalists, business executives, and politicians. The spyware was used to potentially steal data from more than 50,000 smartphones.
User IDs and passwords for the Tokyo Olympic ticket gateway were posted on a leak website, following an alleged breach. The data also include names, addresses, and account numbers of people who bought Paralympic tickets.
New Threats
A new cyberespionage campaign was initiated this week. The campaign is conducted by a new group dubbed TA2721, which is spreading Bandook. Threat actors, time and again, try to come up with new attack vectors. In one such case, they were found distributing 11 apps on the Google Play Store that were propagating the Joker malware. Although crypto scams are nothing new, an advance-fee scam has now been observed that promises crypto riches via a WhatsApp conversation.