CrowdStrike has published a description of LightBasin, also tracked as UNC1945, an "activity cluster" that's been targeting global telecommunications infrastructure since 2016. LightBasin has been collecting user information on a large scale, showing a particular interest in call metadata and subscriber information. Why LightBasin is collecting the data isn't entirely clear, and while it appears to be an espionage operation, CrowdStrike says, "There is currently not enough available evidence to link the cluster’s activity to a specific country-nexus." Circumstantial evidence includes strings in Pinyin, which suggests Chinese or at least Chinese-speaking operators, but this falls well short of what might be required for attribution. CyberScoop's discussion treats LightBasin as an espionage campaign; the Record, however, characterizes the operators as "crims."
Avast reports that the Magnitude exploit kit has added capability against the Chromium family of browsers, exploiting the CVE-2021-21224 and CVE-2021-31956 vulnerabilities. The Record finds it noteworthy that a moribund exploit kit obtained a relatively advanced capability. On the bright side, the exploit works against a relatively small range of targets.
The well-known exploit broker Zerodium is looking for exploitable flaws in ExpressVPN, NordVPN, and Surfshark. They're interested specifically in "information disclosure, IP address leak, or remote code execution," and say that "local privilege escalation is out of scope." The Record says the three VPN vendors haven't commented.
More evidence suggesting that official admonitions against paying ransomware operators Danegeld may be falling on deaf ears: ThycoticCentrify's 2021 State of Ransomware study concludes that 83% of the victims paid their extortionists.