Cybersecurity Weekly: REvil decryptor, AT&T loses millions, OMIGOD flaw

September 20, 2021 by Sam Fay

A free decryptor for past REvil ransomware victims was released. AT&T lost $200 million to an illegal phone unlocking scheme. Mirai Botnet started exploiting the OMIGOD flaw. All this, and more, in this week’s edition of Cybersecurity Weekly.


1. Free decryptor for past REvil ransomware victims released

The experts at security firm Bitdefender have made available a universal decryptor for victims of the REvil ransomware. REvil appeared to go offline in mid-July, but its infrastructure has come back online in recent days – raising concerns that it may be about to launch new attacks.


2. AT&T lost $200 million to illegal phone unlocking scheme

AT&T found that 1,900,033 cellular phones were illegally unlocked by the conspirators behind this scheme, resulting in $200 million in losses from unpaid service and device payments. The company also sued former employees who were fired after AT&T discovered they had been bribed into illegally unlocking phones and planting malware and malicious tools on its network.


3. Mirai Botnet started exploiting OMIGOD flaw

Recently released security updates have addressed four severe vulnerabilities, collectively tracked as OMIGOD, in the Open Management Infrastructure software agent that exposes Azure users to attack. An attacker could exploit OMIGOD vulnerabilities to execute code remotely or elevate privileges on vulnerable Linux virtual machines running on Azure.


4. Malware attack on aviation sector uncovered after two years

A targeted phishing campaign aimed at the aviation industry for two years may be spearheaded by a threat actor operating out of Nigeria. The actor doesn’t seem to be technically sophisticated, using off-the-shelf malware since the beginning of its activities without developing its own malware.


5. Apple patches operating systems due to spyware exploit

In mid-September, Apple was forced to issue an emergency security update for its iPhone, iPad, Mac and Watch operating systems after being alerted to a no-click exploit. “The business of selling zero-day vulnerabilities is a lucrative business practice and has well-established roots,” noted Keatron Evans, principal security researcher at Infosec.


6. New wave of malware attacks targets organizations in South America

A spear-phishing campaign aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans and geolocation filtering to avoid detection. The infection chain commences when the message recipients open a decoy PDF or Word document that claims to be a seizure order tied to their bank accounts.


7. Customer care giant TTEC hit by ransomware

TTEC is dealing with disruptions from a network security incident resulting from a ransomware attack in early September. TTEC’s own message to employees suggests the company’s network may have been hit by the ransomware group Ragnar Locker. The hacker group threatened to publish the full data of victims who seek help from law enforcement.


8. Ransomware attacks growing more sophisticated

Cybercriminals attacked with gusto in the first half of 2021 and attacks show no signs of slowing down. In just the first half of the year, malicious actors exploited dangerous vulnerabilities across different types of devices and operating systems, leading to major attacks that shut down fuel networks and extracted millions from enterprises.


9. New Elon Musk Club crypto giveaway scam promoted via email

A new Elon Musk-themed cryptocurrency giveaway scam called the Elon Musk Mutual Aid Fund or Elon Musk Club is being promoted through spam email campaigns that started over the past few weeks. The phishing emails themselves are low effort and include strange non-descriptive subjects and messages. However, they include an HTML attachment that launches the attack.


10. New banking Trojan that abuses YouTube for remote config

ESET researchers spotted a new LATAM banking trojan, tracked as Numando, that abuses YouTube, Pastebin and other public platforms both as C2 infrastructure and as a means of spreading. The threat actor behind this banking trojan has been active since at least 2018. It focuses almost exclusively on Brazil, although experts have spotted rare attacks against users in Mexico and Spain.
