CyberIntelMag's Threat report

Weekly Cyber Threat Report, July 26-July 30

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week, we’ve learned about Google’s new bounty platform, NSA’s revelations about the security of connected devices, No More Ransom project’s great strides in saving ransom money, and more.

  • As it celebrated the 10-year anniversary of its Vulnerability Rewards Program (VRP), Google unveiled a new platform. The platform will have gamification features, leaderboards, awards/badges, and offer more chances for interaction and competition. It will also place a stronger emphasis on learning for bug hunters.
  • NSA has released an info sheet to help various agencies and organizations that have remote workers identify potential threats to wireless networks and minimize risks. The agency warns hackers can infiltrate devices over Bluetooth, public Wi-Fi, and Near-Field Communications (NFC) and steal data.
  • No More Ransom project, launched in 2015, helped over 6 million ransomware victims to recover their files for free and save 1 billion Euros in ransom money. To get a decryptor, all a victim needs to do is upload two encrypted files and a ransom note.

From the bad news:

This week has brought news about the likely reappearance of the DarkSide and DoppelPaymer gangs, the new Praying Mantis, UBEL, and Vultur malware, a novel method of hiding malware, glaring security flaws in open-source projects, and other important stories you can’t miss.

  • The US Department of Justice has revealed that the Russian Foreign Intelligence Agency hacked Office 365 email accounts of 27 US attorneys’ offices. The Russian APT maintained access to the compromised accounts from May 7 to December 27, 2020.
  • DoppelPaymer ransomware gang appears to have rebranded as a new gang “Grief” (Pay or Grief). The two gangs have the same encrypted file format and the same distribution channel, the Dridex botnet.
  • Researchers find strong indications that the DarkSide gang has rebranded as the new BlackMatter gang that appeared last week and is now targeting corporate users. The new group is using the same encryption methods previously used exclusively by DarkSide.
  • Cybercriminals struck the City of Grass Valley, a small community in California, with a ransomware attack. City officials paid the ransom instead of finding another solution. The City wouldn’t reveal how large the ransom it paid was.
  • A new threat actor tracked as “Praying Mantis” or “TG1021” is targeting Windows IIS environments with “almost completely in-memory” attacks. It uses custom malware and “leaves little-to-no trace” on infected machines.
  • BlackBerry’s Research & Intelligence team said malware authors are increasingly using unusual programming languages, such as Golang, Dlang, Nim, and Rust, to hinder analysis efforts. First-stage droppers and loaders written in languages such as Golang and Dlang are particularly popular.
  • Researchers have shown a novel method of hiding malware inside a neural network by creating an image classifier that can fool security solutions. They said with the growing use of AI, cybercriminals will increasingly rely on neural networks to carry out their attacks.
  • This week, the THORChain decentralized exchange suffered a second massive multi-million-dollar attack in a week, losing $8M. The hack happened just a week after it lost $5 million in a flash loan attack.
  • A database containing 3.8B phone numbers of Clubhouse users was put up for sale on hacking forums. The threat actor claimed that the company “saves/steals the phonebook of each user” and stores it in a special database that the actor had stolen.
  • A new UBEL malware has been linked to Oscorp based on similarities in the codebase. The malware is abusing Android’s accessibility features to target European banking applications and steal sensitive information.
  • FireEye revealed nine security flaws in three open-source projects, Pimcore, EspoCRM, and Akaunting, that are used by thousands of businesses globally. The flaws could allow attackers to execute arbitrary JavaScript code, take over the OS, and launch a denial-of-service attack.
  • Researchers reported a previously undocumented Android remote access trojan (RAT) called Vultur that steals sensitive information, such as banking credentials, by using the device’s screen-recording features.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.