CyberIntelMag's Threat Report

Weekly Cyber Threat Report, June 28-July 2

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week, we’ve learned about new security announcements from Google, a novel two-step cryptography technique for cloud, and more.

  • Google is working on a Chrome feature that automatically upgrades plain HTTP connections to HTTPS. The feature is being tested in the Canary preview releases of Chrome 93 for Mac, Windows, Linux, Chrome OS, and Android.
  • Google announced the Scorecards project, an automation security tool that produces a risk score for open-source software by running a variety of pass/fail checks. For developers, Scorecards help minimize the time and effort required to continuously evaluate changing code packages.
  • Google has updated its privacy commitments and introduced new security standards for its Nest smart home devices: the devices will follow long-standing industry security standards and receive ongoing updates, including automatic bug fixes.
  • Researchers from India and Yemen proposed a two-step cryptography technique that combines a genetics-inspired method with a mathematical technique. Their paper argues that the framework could change how data is secured and handled.
  • Colombian authorities arrested a suspect accused of distributing the Gozi banking Trojan between 2007 and 2012. The Romanian national Mihai Ionut Paunescu, aka "Virus," was identified as one of the individuals behind the Trojan, which infected over a million PCs.
  • CISA has released a tool for a step-by-step assessment of an organization's ransomware readiness. The Ransomware Readiness Assessment (RRA) helps organizations find gaps in their security posture so they can better defend against, and recover from, ransomware attacks.
  • Nacha (the National Automated Clearing House Association), the body that governs the ACH Network, has put new data security rules in force for money transfers in the US: starting June 30, large payment originators and processors must render deposit account information unreadable when it is stored electronically.
  • Researchers analyzed the Lorenz ransomware and built a free decryption tool so victims can recover files without paying. They plan to release it through the NoMoreRansom initiative soon.
  • Malvuln, a project started by security researcher John Page, has now catalogued over 260 vulnerabilities in over 105 malware families, including trojans, worms, backdoors, droppers, and ransomware.

From the bad news:

This week has brought reports about a supply-chain attack by the REvil ransomware gang, a Linux version of the REvil ransomware, the return of Babuk, the increasing use of Golang and AutoHotkey in malware, and other important stories you can't miss.

  • A massive supply-chain attack by the REvil ransomware gang hit multiple managed service providers on Friday. REvil (Sodinokibi) targeted MSPs that use Kaseya VSA, a remote monitoring and management platform, and through them thousands of downstream customers. Huntress Labs reported that three of its partner MSPs were impacted and roughly 200 businesses had been encrypted.
  • Earlier this week, the REvil gang claimed to have stolen several databases and other sensitive data from MasMovil, Spain's fourth-largest telecom operator. The gang published screenshots of the folders it claims to have obtained from MasMovil.
  • What's more, REvil is now targeting VMware ESXi hosts: researchers have found a Linux version of the REvil ransomware in the wild. This is the first time the Linux variant has been seen publicly.
  • An advisory from Germany's CERT@VDE describes four memory-related flaws in the Edge Controller and Touch Panel 600 HMIs of the automation vendor WAGO that remote attackers can exploit to crash a device or execute arbitrary code. The issues affect the company's programmable logic controller and human-machine interface products.
  • Check Point Research warned about a suspected Chinese-speaking actor targeting the Afghan government by impersonating the office of its president. Researchers attribute the intrusions to a group known as IndigoZebra, which has likely been active since 2014.
  • The NSA warned that Russian hackers are conducting large-scale attacks on American networks to steal sensitive data. The GRU unit known as the 85th Main Special Service Centre (GTsSS), military unit 26165, better known as APT28, is using a Kubernetes cluster to run password-spraying attacks against US and foreign entities.
  • Nobelium, the group that gained notoriety for its supply-chain attack on SolarWinds, has now hit Microsoft. The APT planted information-stealing malware on the computer of one of Microsoft's customer support agents and stole account information for some customers.
  • Microsoft found that Netfilter, a Windows driver signed through its own hardware compatibility program, contains a malicious rootkit. The driver spoofs a gamer's geo-location so the operator can play from anywhere, and can also hijack other players' accounts by stealing credentials with keyloggers.
  • The Babuk ransomware gang has returned to its old business. They have not followed through on their announcement to move away from the ransomware business in favor of data theft extortion. The cybercriminals are now using a new version of their malware and have moved their operation to a new leak site that already boasts a few new victims.
  • The software company Altus Group suffered a security breach, after which the new Hive ransomware gang leaked its confidential files. Altus Group has neither confirmed the legitimacy of the leaked data nor released any information about the incident.
  • A new ransomware strain written in Golang testifies to the increasing adoption of the language by threat actors. Security firm CrowdStrike says it borrows features from the HelloKitty (DeathRansom) and FiveHands ransomware families.
  • New Ransomware Gang ‘Hades’ has claimed to have infected at least seven companies since its launch late last year. According to Accenture the criminals have been targeting the insurance, manufacturing, and distribution industries.
  • FortiGuard Labs researchers think a new strain of ransomware called Diavol may be linked to Wizard Spider, operators of the Trickbot botnet. Researchers say Diavol and Wizard Spider’s Conti malware operate similarly in terms of their various features and operations.
  • Researchers reporting via SecurityIntelligence described living-off-the-land attacks that abuse AutoHotkey, an open-source scripting tool for Windows. The campaign started in mid-May 2021 and delivers a remote access Trojan.
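The password spraying in the APT28 item above is worth a detection example, because a spray deliberately stays below the per-account failure counts that classic brute-force rules look for. The Python below is an added illustration, not code from CyberIntelMag, the NSA advisory, or any vendor. The log format, the three source addresses, and the usernames are constructed for the example, and the thresholds (a 10-minute window, at least five distinct users, at most two failures per user) are assumptions to tune against your own authentication volume.

```python
"""Toy password-spray detector over constructed authentication log lines.

A password spray tries one or two common passwords against MANY accounts,
so each account sees only a failure or two and never trips lockout. The
signal is "one source, many distinct usernames failing in a short window",
not "one username failing many times" (classic brute force). Both rules are
implemented so the difference is visible on the same sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed log format (an assumption, not any product's real format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_line(line):
    """Return an AuthEvent for an auth record, or None for unrelated lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        src=m["src"], user=m["user"], ok=(m["result"] == "OK"),
    )


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources whose failures in any `window` span >= min_users distinct accounts
    with a low average of failures per account. Returns {src: (users, failures)}."""
    by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            by_src[e.src].append(e)
    hits = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e.ts)
        in_window = Counter()  # user -> failures inside the sliding window
        j = 0
        for i, start in enumerate(fails):
            while j < len(fails) and fails[j].ts - start.ts <= window:
                in_window[fails[j].user] += 1
                j += 1
            distinct, total = len(in_window), sum(in_window.values())
            if distinct >= min_users and total / distinct <= max_per_user:
                hits[src] = (distinct, total)
                break
            in_window[start.user] -= 1  # slide the window past event i
            if in_window[start.user] == 0:
                del in_window[start.user]
    return hits


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """Classic rule: one (src, user) pair failing >= min_failures times in a window."""
    by_key = defaultdict(list)
    for e in events:
        if not e.ok:
            by_key[(e.src, e.user)].append(e.ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        j = 0
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= min_failures:
                hits[key] = j - i
                break
    return hits


def sprays_that_landed(events, spray_hits):
    """For flagged spray sources, the accounts that later logged in OK from that
    source: the highest-priority finding, since the spray found a password."""
    landed, first_fail = defaultdict(set), {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.src not in spray_hits:
            continue
        if not e.ok:
            first_fail.setdefault(e.src, e.ts)
        elif e.src in first_fail:
            landed[e.src].add(e.user)
    return {src: sorted(users) for src, users in landed.items()}


# Constructed sample: a user who mistypes twice, a spray that lands on "frank",
# one brute force against "admin", and a non-auth line that must be skipped.
SAMPLE_LOG = """\
2021-07-01T09:00:00Z auth src=192.0.2.4 user=alice result=FAIL
2021-07-01T09:00:20Z auth src=192.0.2.4 user=alice result=FAIL
2021-07-01T09:00:45Z auth src=192.0.2.4 user=alice result=OK
2021-07-01T09:10:00Z auth src=203.0.113.7 user=alice result=FAIL
2021-07-01T09:11:00Z auth src=203.0.113.7 user=bob result=FAIL
2021-07-01T09:12:00Z auth src=203.0.113.7 user=carol result=FAIL
2021-07-01T09:13:00Z auth src=203.0.113.7 user=dave result=FAIL
2021-07-01T09:14:00Z auth src=203.0.113.7 user=erin result=FAIL
2021-07-01T09:15:00Z auth src=203.0.113.7 user=frank result=FAIL
2021-07-01T09:16:00Z auth src=203.0.113.7 user=frank result=OK
2021-07-01T09:30:00Z sshd started
2021-07-01T09:30:00Z auth src=198.51.100.9 user=admin result=FAIL
2021-07-01T09:30:30Z auth src=198.51.100.9 user=admin result=FAIL
2021-07-01T09:31:00Z auth src=198.51.100.9 user=admin result=FAIL
2021-07-01T09:31:30Z auth src=198.51.100.9 user=admin result=FAIL
2021-07-01T09:32:00Z auth src=198.51.100.9 user=admin result=FAIL
2021-07-01T09:32:30Z auth src=198.51.100.9 user=admin result=FAIL
"""

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    sprays = detect_spray(evts)
    print("spray sources:", sprays)
    print("brute force:", detect_brute_force(evts))
    print("sprays that landed:", sprays_that_landed(evts, sprays))
```

Note that the brute-force rule never fires on the spray source (one failure per account) and the spray rule never fires on the brute-force source (one account), which is why both are needed; in production the window and thresholds would be tuned per identity provider, and the source key would usually be an ASN or client fingerprint rather than a single IP, since the advisory describes the attacker routing through its own infrastructure and commercial VPN and Tor exits.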

About the author

CIM Team

CyberIntelMag is a trusted authority in cybersecurity, comprised of leading industry experts with over 20 years of experience and dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today's emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.