CyberIntelMag's Threat report

Weekly Cyber Threat Report, October 4 – October 8, 2021

Welcome to CyberIntelMag’s weekly roundup, the place to find the most important stories in the cybersecurity world from the past week.

From the good news:

This week’s good news includes the US and 30 other countries coming together to fight global ransomware threats, Google funding the protection of open-source software, Microsoft releasing a TPM check bypass for PCs that do not meet the Windows 11 requirements, Google patching four severe Chrome vulnerabilities, and more.

  • The United States, along with 30 other countries, will take measures to combat cybercrime. Their efforts will include steps to improve law enforcement coordination, prevent the unlawful use of cryptocurrencies, and engage diplomatically on these problems.
  • Google has offered $100 million in assistance as part of its commitment to enhancing the security of the open-source ecosystem for efforts that try to fix vulnerabilities in open-source projects.
  • The new Ransom Disclosure Act in the United States would compel companies that have been harmed by ransomware and have paid the ransom to disclose the payment information. This shared information will help in combating the threat ransomware attacks pose throughout the country.
  • To discourage customers from resorting to non-standard third-party scripts, Microsoft has provided a relatively straightforward method to bypass the TPM check. It helps install Windows 11 on devices without a TPM 2.0 chip.
  • Google has announced a new Chrome update for Windows, Linux, and Mac. It fixes four severe Chrome vulnerabilities: CVE-2021-37977, CVE-2021-37978, CVE-2021-37979, and CVE-2021-37980.

From the bad news:

Many adverse incidents happened this week: the online machinery marketplaces of Sandhills Global were taken down by ransomware, the TA544 group was found responsible for the Ursnif malware campaign in Italy, a UEFI bootkit has been targeting Windows computers since 2012, the GhostEmperor threat group targets a new vulnerability in Exchange, and much more.

  • Sandhills Global, a US-based publishing and hosting company, was hit by ransomware. Its website, along with the publications it hosts, went offline. According to several sources, the disruption was caused by a Conti ransomware campaign.
  • TA544, a financially motivated threat actor active since at least 2017, is responsible for Ursnif campaigns hitting Italian organizations. The TA544 gang relies on phishing and social engineering to mislead users into enabling macros in weaponized documents, which then drop the Ursnif financial Trojan.
  • ESPecter, a bootkit, persists on the EFI System Partition (ESP) and circumvents Microsoft Windows Driver Signature Enforcement to load an unsigned driver that can be used for document theft, keylogging, and screen monitoring. Its creators have been backdooring Windows machines via this previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit since 2012.
  • GhostEmperor now employs Demodex, a previously unknown Windows kernel-mode rootkit, as well as a complex multi-stage malware architecture for controlling targeted systems remotely. The common targets are telecom businesses and government entities in Southeast Asia, as well as Afghanistan, Ethiopia, and Egypt.
  • Honeywell Experion PKS and ACE Controllers have critical flaws, tracked as CVE-2021-38397, CVE-2021-38395, and CVE-2021-38399. They could allow a malicious actor to access unauthorized files and folders, execute arbitrary code remotely, or create a denial-of-service condition.
  • A 10 TB database belonging to The Telegraph, including subscriber information, was exposed. The revealed data relates to 600 individuals and includes internal logs, subscriber names, email addresses, IP addresses, URL requests, device information, unique reader identifiers, and authentication tokens. The company, however, denies any risk of exploitation.
  • Data on 200,000 BrewDog shareholders has been exposed for the last 18 months. Names, genders, email addresses, dates of birth, previously used delivery addresses, telephone numbers, shareholder numbers, shares owned, and referrals are among the data revealed.
  • A huge breach of Twitch data, including its source code and creator payouts, was posted on the 4chan message board. An anonymous source posted a 125 GB torrent claiming to contain the entirety of Twitch and its commit history.
  • FIN12 targets healthcare organizations with focused ransomware attacks. In one campaign, FIN12 also exfiltrated roughly 90 GB of data to several cloud storage providers and extorted the victim twice to keep the material out of the public eye.

About the author

CIM Team

CyberIntelMag is a trusted authority in cybersecurity, made up of leading industry experts with over 20 years of experience and dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for the knowledge and insight needed to navigate today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos, and industry influencers.