News – July 2021


  • Windows 0-Days Used Against Dissidents in Israeli Broker’s Spyware

    July 16, 2021

    A set of unique spyware strains created by an Israeli firm and allegedly used by governments around the world to surveil dissidents has been defanged by Microsoft, the software giant said. The private company, called variously Candiru, Grindavik, Saito Tech and Taveta (and dubbed “Sourgum” by Microsoft), reportedly sells its wares exclusively to governments, according to ...

  • Toddler mobile banking malware surges across Europe

    July 16, 2021

    Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries, including Spain, Germany, Switzerland, and the ...

  • DDoS attack registered on Russian Defense Ministry website

    July 16, 2021

    The official website of the Russian Defense Ministry is down due to a DDoS attack, a source in the law enforcement informed TASS on Friday. “Specialists from the defense ministry are repelling a DDoS attack on the official website of the Defense Ministry,” the source said. Read more… Source: TASS  

  • Cyberattack on Moldova’s Court of Accounts destroyed public audits

    July 16, 2021

    Moldova’s “Court of Accounts” has suffered a cyberattack leading to the agency’s public databases and audits being destroyed. Court of Accounts of Moldova is a government authority that performs audits of public financial resources and government agencies to comply with international standards. Read more… Source: Bleeping Computer  

  • Linux Variant of HelloKitty Ransomware Targets VMware ESXi Servers

    July 16, 2021

    For the first time, researchers have publicly spotted a Linux encryptor used by the HelloKitty ransomware gang: the outfit behind the February attack on videogame developer CD Projekt Red. On Wednesday, MalwareHunterTeam disclosed its discovery of numerous Linux ELF-64 versions of the HelloKitty ransomware targeting VMware ESXi servers and virtual machines (VMs) running on them. Read more… Source: ...

  • US State Department offering $10 million reward for state-backed hackers

    July 15, 2021

    The State Department announced a $10 million reward for any information about hackers working for foreign governments. The measure is aimed squarely at those participating in “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” Officials said in a release that this included ransomware attacks targeting “critical infrastructure.” Read more… Source: ...

  • LuminousMoth APT: Sweeping attacks for the chosen few

    July 14, 2021

    handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment. It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying ...

  • Cybercriminals took advantage of WFH to target financial services companies, says Financial Stability Board report

    July 14, 2021

    Criminals targeted security gaps at financial services firms as their staff moved to working from home, according to a report issued by the Financial Stability Board (FSB) on Tuesday. Established after the G20 London summit in April 2009, the FSB makes recommendations about the global financial system and coordinates financial rules for the G20 group of ...

  • Trickbot updates its VNC module for high-value targets

    July 14, 2021

    The Trickbot botnet malware that often distributes various ransomware strains, continues to be the most prevalent threat as its developers update the VNC module used for remote control over infected systems. Its activity has been increasing constantly since the complete disruption of the Emotet botnet in January, which acted as a distributor for both Trickbot and ...

  • SonicWall releases urgent notice about ‘imminent’ ransomware targeting firmware

    July 14, 2021

    Networking device maker SonicWall sent out an urgent notice to its customers about “an imminent ransomware campaign using stolen credentials” that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware. In addition to the notice posted to its website, SonicWall sent an email to anyone ...

  • CISA Issues Emergency Directive Requiring Federal Agencies To Mitigate Windows Print Spooler Service Vulnerability

    July 13, 2021

    WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive (ED) 21-04 today to mitigate a Microsoft Windows print spooler service vulnerability CVE-2021-34527 being actively exploited. Federal civilian agencies are required to immediately disable the print spooler service on Microsoft Active Directory Domain Controllers, apply the Microsoft July 2021 cumulative updates, and make ...

  • The Underground Exploit Market and the Importance of Virtual Patching

    July 13, 2021

    Over the past two calendar years, we conducted research on the underground exploit market to learn more about the life cycle of exploits, the kinds of buyers and sellers who transact, and the business models that are in effect in the underground. We detail our findings in our research paper “The Rise and Imminent Fall ...

  • Operation SpoofedScholars: Iranian hackers posed as academics in a bid to steal email passwords

    July 13, 2021

    An Iranian cyber espionage campaign used spoofed identities of real academics at a UK university in phishing attacks designed to steal password details of experts in Middle Eastern affairs from universities, think tanks and the media. Detailed by cybersecurity researchers at Proofpoint, who’ve dubbed it Operation SpoofedScholars, the campaign also compromised a university-affiliated website in an ...

  • Modipwn: code execution vulnerability discovered in Schneider Electric Modicon PLCs

    July 13, 2021

    A vulnerability discovered in Schneider Electric (SE) Modicon programmable logic controllers (PLCs) allows full takeover of the industrial chips. Discovered by Armis researchers, the vulnerability can be used to bypass existing security mechanisms in PLCs to hijack the devices and potentially impact wider industrial setups. The authentication bypass vulnerability, dubbed Modipwn, has been assigned as CVE-2021-22779. Read ...

  • REvil ransomware gang’s web sites mysteriously shut down

    July 13, 2021

    The infrastructure and websites for the REvil ransomware operation have mysteriously gone offline as of last night. The REvil ransomware operation, aka Sodinokibi, operates through numerous clear web and dark web sites used as ransom negotiation sites, ransomware data leak sites, and backend infrastructure. Starting last night, the websites and infrastructure used by the REvil ransomware operation ...