TL;DR: Five Extensions, Three Attacks and One Entry Point (32nd Week)

Security researchers have detected the first case of three ransomware gangs attacking one victim. A warning of a sophisticated and effective phishing campaign has been issued; and a shopping network in Denmark has become a victim of a ransomware attack.

BazarCall phishing method

AdvIntel security researchers warn of an email-to-phone phishing campaign carried out by three groups composed of former members of the Conti ransomware gang. The groups use the BazarCall method, which involves sending a fake email notification about subscription to a usually very expensive service. The notification contains a phone number to cancel the subscription, and once called, the victim is navigated to allow the attacker a remote access (similar to false calls of Microsoft tech support).

Attack on 7-Eleven

The 7-Eleven store chain in Denmark became a target of a ransomware attack on 8 August. An unknown attacker successfully disabled all payment portals, leading to the closure of all Danish branches. The company has resumed operation at 135 branches, which have operationally switched to cash payments and MobilePay until the incident is resolved. Whether the threat actors have stolen the data, is still unknown.

Ransomware attack attempt

Cisco disclosed that it was attacked by the Yanlouwang ransomware gang. To gain access to the system the cybercriminals misused Cisco VPN login credentials, which they obtained by compromising the Google account of an employee who was storing all his login credentials in Chrome browser. They bypassed two-factor authentication with several voice phishing attacks and repetitive push notifications to confirm access. The attackers managed to download allegedly not sensitive data and their activity resembled preparation for a ransomware attack.

Triple ransomware attack

An unnamed automotive supplier has become a victim of three ransomware attacks in a 2-week period. Sophos security researchers documented the attacks executed by Lockbit, Hive and ALPHV/BlackCat gangs and highlighted the use of different software and techniques. All the groups gained access to the system alike – by abusing a firewall rule allowing RDP access to the company’s infrastructure. The Lockbit and Hive attacks followed each other within 2 hours and encrypted the data twice, resulting in five times encryption of all files after the ALPHV/BlackCat attack.


  • Security researchers at Palo Alto Unit 42 report that the Tropical Scorpius ransomware gang is using a new ROMCOM RAT Trojan in their Cuba Ransomware attacks.
  • A cybercriminal suspected of masterminding a group of scammers was extradited to Japan for trial. His group was specialised in romance fraud campaign and have made nearly three million euros from scams.
  • Security researchers at Check Point Research published that the Emotet Trojan was the most prevalent malware in July 2022 (despite a 50% decrease from May).
  • A developer of communication API Twilio has become a target of a cyberattack. Cybercriminals sent an SMS to an employee asking to change an expired password (smishing) and used the stolen credentials to gain access to the data of an unknown number of customers.
  • A company Advanced cooperating with the National Health Service (NHS) in the UK, has become a target of a cyberattack (possibly ransomware). The attack limited a number of services and reportedly affected only a small number of servers.
  • Reversinglabs security researchers have published information about a new ransomware gang called Gwisin. The cybercriminals are specifically focusing on healthcare and industrial companies in South Korea.

« Späť na zoznam