
Cyber Intelligence Briefing: 25 June 2021

Billy Gouveia, Kyle Schwaeble 25 June 2021



The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.


  • Back in business. Two new Clop ransomware victims emerge days after arrests.
  • H2… Oh no! Study finds security standards at US water treatment facilities are falling short.
  • Misconfigured cloud databases. Cognyte, CVS Health, and Wegmans suffer data breaches as a result.
  • Dodgy ads. Attackers use Google Ads to deceive victims into downloading malware.
  • COVID app appears. Google has installed a COVID track and trace app without user permission.
  • Taking a stand. US and EU governments develop initiatives to tackle cybercrime.

Clop ransomware back in business despite arrests

Despite a period of inactivity following the arrest of six members of the Clop ransomware group last week, they appear to be back in business.

Clop has named two of its most recent victims on its data leak site. A sample of data belonging to both companies was published by the threat group. One of the victims has since been removed from the site, indicating that they may have paid the ransom.

Last week’s arrests were likely unsuccessful in causing significant disruption to Clop’s operations as it was the money laundering arm of the business that was targeted by authorities. It’s understood that no core members were apprehended in the operation.


 SO WHAT?  Disrupting the operations of ransomware groups is difficult and, even when achieved, does not always result in a shutdown. Even when it does, new and usually related groups often soon appear in their place.

New industry study on water supply hacks reveals sobering findings

Earlier this year, hackers deleted water treatment programmes at a plant that served parts of the San Francisco Bay Area in California after gaining access to the network. The breach drew little attention at the time but follows a trend with both Pennsylvania and Florida having had similar treatment facilities targeted in the last 18 months.

The latest disclosure comes as an industry body finds that basic steps for network protection have fallen short in the sector. Only 30 percent of US treatment facilities have identified all the operational technology assets on their networks, whilst 38 percent of water systems allocate less than 1 percent of budget to cyber security.


 SO WHAT?  You can’t secure what you don’t know you have. As our networks expand with new and less conventional devices, it becomes more important to understand what assets we have and where they are in our network.

Misconfigured cloud databases are a major security issue

  • Last week, cyber security firm Cognyte disclosed that it had left an Elasticsearch cluster holding 5 billion records publicly exposed. The database, which included data from known prior breaches, was indexed by search engines on 28 May and secured by Cognyte on 2 June.
  • Separately, CVS Health, in the US, had to secure a database that had been left publicly exposed without password protection. The 204GB database mostly included technical information regarding site visits, although some records contained users’ email addresses, which could be used to correlate individuals with their activity on the site.
  • Finally, US supermarket chain Wegmans disclosed that two of its cloud databases, both of which contained customer information, were also exposed. Both have since been secured.


 SO WHAT?  As more organisations shift to cloud-based infrastructure, it is imperative that responsible parties are familiar with vendor-specific cloud database configurations. Additionally, organisations should undertake regular security assessments of their public-facing environments and cloud configurations.

Attackers leverage fake Google adverts to deceive victims into downloading malware

Criminals are using fake Google adverts to promote popular applications and lure victims into downloading information-stealing malware. The secure messaging application Signal has most recently been leveraged to trick victims.

Opening the malicious advert redirects the victim to a replica of the application’s download page. Users are then deceived into downloading the RedLine Stealer malware.

Indicators of the malicious sites include defective links, non-standard top-level domains, and the use of the ad hosting provider NameCheap.


 SO WHAT?  Attacks aimed at poisoning Google search results are becoming more popular. Train your employees on all tactics used to lure victims to malicious documents, adverts, and web pages.

Google and the State of Massachusetts silently install COVID track and trace app onto phones

Google silently installed the ‘MassNotify’ track and trace app onto Massachusetts’ Android phones. The app was installed onto devices even if users had not enabled the ‘Android Exposure Notification’ setting on their device.  

The app is only installed onto the device and is not actively functioning by default. MassNotify say that the app has been made available as an option in ‘Settings’ if users wish to enable it. There are also claims that it is difficult to uninstall the app.


 SO WHAT?  Users are concerned about Google invading their privacy, even if it is for a good cause. If the technology giant has done this for Massachusetts, we may see this happen in other states too.

US and EU governments develop initiatives to tackle cybercrime

  • US legislators recently introduced the Cybercrime Prevention Act and the Enhancing K-12 Cybersecurity Act. The former would give the Department of Justice more tools to pursue cybercriminal activity and increase penalties for targeting critical infrastructure. The latter would aim to improve the protection of K-12 institutions from cyber-attacks.
  • Meanwhile, the EU has announced plans for a Joint Cyber Unit. The unit, which aims to be operational by July 2022, would provide an EU-coordinated response and recovery assistance to large-scale cyber-attacks across the bloc.


 SO WHAT?  Nations are intensifying legal and operational capabilities to both prevent and respond to cybercrime. However, the transnational nature of cyber-attacks poses a significant challenge to effectively implementing these initiatives.



To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Kyle Schwaeble, Analyst
