An overview of security incidents from the 21st to the 28th of August, 2021

A summary of the week's major events in the world of information security.

New ransomware, significant additions to cybercriminal groups' arsenals, APT group attacks, and the hacking of routers and Microsoft Exchange servers via the high-profile ProxyShell and PetitPotam vulnerabilities: read about these and other events in the world of information security in our review.

Less than a week after the incident with the American telecom operator T-Mobile, a set of personal data allegedly belonging to 70 million AT&T customers was put up for sale on one of the hacker forums. The AT&T database has a starting price of $200,000, with the option to purchase fragments of it for $30,000; those wishing to buy the entire set at once can do so for $1 million. Judging by the small sample of the database posted on the forum, the information includes customer names, addresses, phone numbers, dates of birth, and Social Security numbers.

A week ago SecurityLab reported on vulnerabilities in the Realtek SDK that affect hundreds of thousands of smart devices from 65 vendors. It has now emerged that these vulnerabilities are already being exploited by operators of the well-known DDoS botnet Mirai. According to the information security firm SAM, the attacks began three days after the details of the vulnerabilities were published by specialists from the information security firm IoT Inspector.

The new ransomware group LockFile encrypts entire Windows domains after breaking into Microsoft Exchange servers through the notorious ProxyShell vulnerabilities and gaining access to the domain controller through the PetitPotam vulnerability. Little is known about LockFile so far. The ransomware first appeared in July 2021 and leaves a ransom note named LOCKFILE-README.hta on the systems it attacks, but reports of a ransomware called LockFile have only been circulating since last week. When encrypting files, the ransomware appends the extension .lockfile to the file name.

Palo Alto Networks Unit 42 specialists reported on four ransomware groups that, according to the researchers, pose a serious threat to enterprises and critical infrastructure: LockBit 2.0, HelloKitty, AvosLocker, and Hive.

In response, the US Federal Bureau of Investigation issued its first public notice detailing the working methods of ransomware affiliate (partner) groups. The FBI's post is an important step in clarifying how the cybercrime ecosystem works.

The largest cyberattack in Brazil, against the clothing chain Lojas Renner, was carried out using ransomware. Some of the company's IT systems were unavailable as a result of the incident. Lojas Renner did not reveal any details about the attack, but one Brazilian blog speculated that it was carried out by the ransomware group RansomExx.

The ransomware group Ragnarok (Asnarök) has announced the end of its operations and released a free utility to recover encrypted files. On Thursday, August 26, a free decryptor with an embedded master key was published on the group's darknet portal, where it had previously published the data of victims who refused to pay the ransom. Several security researchers examined the decryptor and confirmed its authenticity. They are currently carrying out a detailed analysis of the tool with the goal of rewriting it into a safe and user-friendly version to be published on Europol's NoMoreRansom portal.

Experts from Kaspersky Lab discussed a large-scale Trojan-dropper campaign discovered in April 2021. The dropper, named Swarez, was distributed through 15 popular video games, including Battlefield 4, Battlefield V, Control, Counter-Strike: Global Offensive, FIFA 21, Fortnite, Grand Theft Auto V, Minecraft, NBA 2K21, Need for Speed Heat, PLAYERUNKNOWN'S BATTLEGROUNDS, Rust, The Sims 4, and Titanfall 2. The company's products recorded attempts to download such files in 45 countries, including Russia.

AT&T Alien Labs cybersecurity researchers discovered a cluster of Linux ELF binaries identified as modifications of the open-source PRISM backdoor. Attackers have used the backdoor in several campaigns over the last three years.

FIN8, a financially motivated cybercriminal group, has also acquired a new backdoor. According to Bitdefender experts, the group broke into the computer network of a financial institution in the United States and installed a new backdoor called Sardonic. During the attack on the bank, the backdoor was deployed and executed on the compromised systems in a three-stage process involving a PowerShell script, a .NET loader, and loader shellcode. According to the researchers, the PowerShell script is copied to the compromised system manually, while the loaders are delivered automatically.

ESET cybersecurity experts discovered the modular backdoor SideWalk, used by an APT group called SparklingGoblin. This backdoor is very similar to the CROSSWALK backdoor used by the same group. SparklingGoblin primarily targets the academic sector in East and Southeast Asia, but has recently shown increased interest in the education sector in Canada, media companies in the United States, and at least one unnamed computer retailer in the United States.

This week was also not without new reports about the hacking tools of the Israeli commercial spyware maker NSO Group. In a new report, experts from the Citizen Lab research centre at the University of Toronto discussed a previously unknown vulnerability in iOS that can be exploited with a single click. According to the report, the vulnerability, known as FORCEDENTRY, has been used in attacks against several activists and dissidents in Bahrain since February 2021.

Trend Micro information security experts reported that cybercriminals are using the theme of NSO Group's commercial spyware Pegasus as a lure in phishing campaigns. According to the experts, the Confucius cybercriminal group recently conducted a phishing campaign targeting Pakistan's military. Trend Micro discovered the malicious campaign as part of a larger investigation into Confucius.

Intel 471 experts lifted the lid on how the ShinyHunters cybercriminal group, responsible for a string of high-profile data leaks, operates. According to a new Intel 471 report, the group closely scrutinises companies' source code in GitHub repositories for vulnerabilities that could be exploited to launch larger cyberattacks.

According to Fox News journalist Jacqui Heinrich, citing a source, the US State Department has suffered a cyberattack.

"The State Department has been hacked," the journalist wrote. She went on to say that the attack may have happened "a couple of weeks ago." According to the journalist, the Pentagon's Cyber Command had issued a warning about a possible serious breach. At the same time, she stated that the scope of the attack, as well as the scope of the investigation into the alleged perpetrators, "remain unclear." It is also unclear what steps were taken to mitigate the impact of the cyberattack and what the "current risks to operations" are.

Opponents of Belarus' political regime announced a daring cyber operation in which dozens of Ministry of Internal Affairs databases were compromised. Over the last few weeks, hackers calling themselves the Belarusian Cyber-Partisans have published a significant portion of the stolen data, including, according to them, classified information. According to Bloomberg News, the data includes lists of Interior Ministry informants, personal information of high-ranking officials and intelligence officers, video footage collected from police drones and security cameras in correctional facilities, and even recordings of secret telephone conversations. The stolen information also includes details about Alyaksandr Lukashenka's close associates and "top-level" intelligence.