Cyware Weekly Threat Intelligence - October 18–22

Weekly Threat Briefing • Oct 22, 2021
The Good
While the enemy of my enemy cannot always be a friend, it’s always fun to watch hackers pitted against each other. In one such case, REvil has been forced to close up shop once more! We always love bringing indictment news to you. In today’s episode of arrests, the Dutch Police detained nine bank support fraudsters and the South African Police arrested eight suspects for siphoning off funds from romance scam victims.
The Tor payment portal and data leak site of REvil was sent to oblivion after an unknown hacker using the same private keys hijacked the group’s domains. The hacked server now leads to some other services.
Trustwave has made a BlackByte decryptor available for download on GitHub. This Windows-based ransomware uses the double extortion technique against its victims.
The Dutch Police detained nine bank help desk fraudsters for targeting and stealing money from elderly people via phone calls. The investigators also froze the cryptocurrency assets belonging to the suspects.
Eight suspects were arrested by the South African Police Service for stealing and laundering more than $6.85 million from the victims of online romance scams.
Twitter suspended two accounts that were a part of a long-lived DPRK cyberespionage campaign operated by North Korean government hackers. The accounts redirected security researchers to malicious websites to infect them with malware.
The Bad
Cookie monsters have been crushed! Some 4,000 YouTube creators were targeted with cookie-stealing malware in a phishing campaign that spanned two years, as discovered by Google’s TAG team. The week has been gloomy, but especially so for the Argentinian government, as a hacker gained access to the National Registry of Persons and stole the ID card details of the entire population. While we hope that no medical facilities fall prey to malicious actors, this time an insider breach by a former employee of University Hospital Newark impacted the sensitive info of thousands of individuals.
High-profile YouTube creators were targeted with cookie-theft malware in phishing attacks, wherein hackers offered them fake collaboration opportunities. The campaign went on for two years.
LightBasin, an alleged Chinese hacker group, infiltrated at least 13 telecommunication companies around the globe and accessed call records and messages.
Data pertaining to at least one million users of Quickfox VPN was left open to the internet due to an unprotected Elasticsearch instance. The 100GB data trove contained 500 million sensitive records, including system data on 300,000 customers and PII of a million users.
The AvosLocker ransomware gang claimed to have breached Taiwanese company Gigabyte. The group has leaked some samples that, allegedly, belong to the victim firm.
The CISA, FBI, and NSA released a joint advisory that warns critical infrastructure entities—including two U.S. food and agriculture sector organizations—against BlackMatter ransomware intrusions.
The Argentinian Interior Ministry was targeted by a cybercriminal who pilfered ID card details for the entire population, including the country’s President and other political figures, journalists, and soccer personalities Lionel Messi and Sergio Aguero.
After the attack on Acer India, the company announced that Acer Taiwan had also suffered an attack. According to the company, this attack did not expose any customer data.
PracticeMax, a vendor of health insurance company Anthem, and UMass Memorial Health each had the PHI and other data of their members and employees exposed in separate cyberattacks.
University Hospital Newark disclosed that the sensitive personal and medical records of 9,329 individuals were illegally accessed by a former employee for over a year.
A malware campaign in South Korea is propagating RATs disguised as an adult game. The malware is being spread through torrents and webhards.
New Threats
The week presented us with two distinct new espionage campaigns. While one was conducted by TA551, the perpetrator of the other is as yet unknown and has targeted Southeast Asia. Academic researchers from the U.S. discovered a new fingerprint-capturing attack called Gummy Browsers. They have warned that the attack is very easy to perform and can have severe implications. The financially motivated TA505 gang has been propagating a new FlawedGrace RAT strain.