CyberIntelMag's Threat report

Weekly Cyber Threat Report, July 12-July 16

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week, we’ve learned about new plans from the US and Australian governments to boost national cybersecurity, REvil’s disappearance, new bounties for ethical hackers, and more.

  • In total, Microsoft released 117 security fixes for the Windows operating system. Some critical fixes included addressing 128 RCEs, 16 privilege escalation issues, nine zero-day fixes, and the RCE issue discovered during the Pwn2Own competition.
  • Facebook will now reward bug hunters who find and report a vulnerability if the social network is slow to issue a fix after the bug has been found and reported. The Payout Time Bonus will be awarded if it takes more than a month for Facebook to issue a patch.
  • The White House on Thursday launched a slew of actions to fight ransomware. The White House plans to cut off ransomware groups from using cryptocurrencies.
  • REvil has mysteriously disappeared when researchers noticed several of its darknet and surface web sites went offline on Tuesday. Its Tor network infrastructure of 22 data hosting sites and one data leak blog went offline as well.
  • The Australian government proposed various reforms aimed at improving Australia’s cybersecurity. Among the proposals are new regulations for IoT devices, mandatory reporting for large businesses, and a new code of conduct for handling personal information.
  • Interpol urged law enforcers and industry partners to join forces against an imminent “ransomware pandemic.” Officials said the best way to prevent future attacks is by adopting a joint international strategy, the same as the one used for organized crime or terrorism.
  • Amazon is rolling out End-to-End Encryption (E2EE) in its Ring connected doorbells globally. Previously, E2EE was available only to US customers in technical preview since January 2021.
  • The US State Department started to offer $10 million to anyone who can provide a lead to hackers working for foreign governments. The lead must relate to attackers “against US critical infrastructure in violation of the Computer Fraud and Abuse Act,” ransomware attacks included.

From the bad news:

This week has brought new Toddler Trojan, attacks from Nobelium, the return of TrickBot, and other important stories you can’t miss.

  • SolarWinds has found a new remote code execution vulnerability in its Serv-U managed file transfer service and issued patches to fix it. The company found the new flaw several months after last year’s SUNBURST supply-chain attack by Russian hackers. Later this week, Microsoft said it had detected the flaw being exploited in the wild and, with high confidence, linked the attacks to a China-based threat group known as DEV-0322.
  • American fashion brand Guess notified customers that their data was compromised in a February ransomware attack, saying “personal information related to certain individuals may have been accessed or acquired by an unauthorized actor” which included “Social Security numbers, driver’s license numbers, passport numbers and/or financial account numbers.”
  • Google Threat Analysis Group (TAG) and Google Project Zero said government-backed attackers, likely part of a Russian APT, targeted four new flaws in Google’s Chrome browser, Internet Explorer, and the WebKit engine used by Apple’s Safari. The flaws allow gaining unauthorized access to sensitive information. Microsoft tied some attacks to the Russian Nobelium group.
  • Researchers reported an uptick in the number of TrickBot infections. The bot got new capabilities that are used to monitor and gather intelligence on victims and a custom communication protocol to hide data transmissions between C2 servers and victims’ machines.
  • Cofense detected a new phishing campaign in which attackers use a multi-compression technique, aka nested archive method, to fool some secure email gateways (SEGs). Attackers trick users into downloading fake image files. The attack chain involves deploying BazarBackdoor and Cobalt Strike.
  • Facebook has taken down a group of Iranian hackers who were spreading malware using fake Facebook profiles. Facebook removed about 200 accounts following an investigation. Facebook’s researchers said the attackers are part of the Tortoiseshell hacker group.
  • PRODAFT Threat Intelligence (PTI) warned about the spread of a new Android banking Trojan called Toddler, which is also known as TeaBot/Anatsa, infecting users across Europe. Spain and Italy got the most infections. Over 7,600 mobile devices have been infected, researchers estimate.
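The Cofense item above describes attackers hiding payloads inside several layers of compression so that a secure email gateway only inspects the outer archive. The following is an added example, not code from CyberIntelMag or Cofense: a small triage helper that measures how deeply a zip attachment is nested and lists the innermost file names, so a gateway rule or analyst script can flag multi-compression before the user opens anything. It handles only zip-in-zip nesting; the depth threshold and the member-size guard are assumed policy values, and the nested sample it builds is constructed for testing.

```python
import io
import zipfile

MAX_ARCHIVE_DEPTH = 2  # assumed policy threshold: deeper nesting gets flagged
MAX_MEMBER_BYTES = 20 * 1024 * 1024  # assumed guard: do not expand very large members (bomb protection)


def nesting_depth(data: bytes) -> int:
    """Return how many archive layers wrap the innermost member (0 = not an archive)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    deepest = 1
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Skip directories and anything whose declared uncompressed size is suspicious
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            deepest = max(deepest, 1 + nesting_depth(zf.read(info)))
    return deepest


def leaf_names(data: bytes) -> list:
    """Names of non-archive members found at any depth (what the user would finally open)."""
    names = []
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return names
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                names.extend(leaf_names(member))  # descend into the inner archive
            else:
                names.append(info.filename)
    return names


def verdict(data: bytes) -> str:
    """Policy decision for one attachment: 'pass' or a 'flag: ...' reason."""
    depth = nesting_depth(data)
    if depth > MAX_ARCHIVE_DEPTH:
        return f"flag: archive nested {depth} deep (policy max {MAX_ARCHIVE_DEPTH})"
    return "pass"


def build_nested_zip(levels: int, leaf_name: str, payload: bytes) -> bytes:
    """Constructed sample for testing: wrap payload in `levels` zip layers."""
    data, name = payload, leaf_name
    for i in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i}.zip"
    return data


if __name__ == "__main__":
    # Constructed sample: a file wrapped three zip layers deep, as a gateway would receive it
    sample = build_nested_zip(3, "photo.jpg", b"constructed placeholder content")
    print(verdict(sample), leaf_names(sample))
```

In a gateway pipeline the same two functions can run on every attachment: depth beyond the policy limit is a cheap, content-independent signal, and the leaf names give the analyst the file that would actually be opened rather than the harmless-looking outer archive.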

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.