OSN FEBRUARY 22, 2021

Feb 22, 2021 | Open Source News

Title: Mandiant Identifies Criminal Threat Actor and Mode of Attacks

Date Published: February 22, 2021

https://www.accellion.com/company/press-releases/accellion-provides-update-to-fta-security-incident-following-mandiants-preliminary-findings/

Excerpt: “Mandiant, a division of FireEye, Inc., has identified UNC2546 as the criminal hacker behind the cyberattacks and data theft involving Accellion’s legacy File Transfer Appliance product. Multiple Accellion FTA customers who have been attacked by UNC2546 have received extortion emails threatening to publish stolen data on the “CL0P^_- LEAKS” .onion website. Some of the published victim data appears to have been stolen using the DEWMODE web shell. Mandiant is tracking the subsequent extortion activity under a separate threat cluster, UNC2582.”

Title: US Retailer Kroger Admits Accellion Breach

Date Published: February 22, 2021

https://www.infosecurity-magazine.com/news/us-retailer-kroger-admits/

Excerpt: “US retail giant Kroger has become the latest big-name brand to admit it suffered a data breach via legacy file transfer software. The supermarket chain, America’s largest by revenue, posted the notice late last week. It revealed that some of the firm’s customers and employees may have had their data compromised by a malicious third party who exploited a vulnerability in Accellion’s FTA platform.”

Title: Chinese Hackers Had Access to a U.S. Hacking Tool Years Before It Was Leaked Online

Date Published: February 22, 2021

https://thehackernews.com/2021/02/chinese-hackers-had-access-to-us.html

Excerpt: “Although the group has since signed off following the unprecedented disclosures, new “conclusive” evidence unearthed by Check Point Research shows that this was not an isolated incident. The previously undocumented cyber-theft took place more than two years before the Shadow Brokers episode, the American-Israeli cybersecurity company said in an exhaustive report published today, resulting in U.S.-developed cyber tools reaching the hands of a Chinese advanced persistent threat which then repurposed them in order to attack U.S. targets.”

Title: 30,000 Macs Infected With New Silver Sparrow Malware

https://www.zdnet.com/article/30000-macs-infected-with-new-silver-sparrow-malware/#ftag=RSSbaffb68

Technical Analysis/IoCs: Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight
https://redcanary.com/blog/clipping-silver-sparrows-wings/

Date Published: February 22, 2021

Excerpt: “But despite the high number of infections, details about how the malware was distributed and infected users are still scarce, and it’s unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters — the classic distribution vector for most Mac malware strains these days. Furthermore, the purpose of this malware is also unclear, and researchers don’t know what its final goal is.”

Title: Researchers Uncovered a New Malware Builder Dubbed APOMacroSploit

Date Published: February 22, 2021

https://securityaffairs.co/wordpress/114880/cyber-crime/apomacrosploit-macro-builder.html

Excerpt: “APOMacroSploit is a macro builder that was used to create weaponized Excel documents used in multiple phishing attacks. The threat actor behind the tool continuously updated it to evade detection. Check Point researchers were able to unmask one of the threat actors behind the builder.
Excel documents created with the APOMacroSploit builder are capable of bypassing antivirus software, Windows Antimalware Scan Interface (AMSI), and even Gmail and other email-based phishing detection.”

Title: Nvidia Announces Official “Anti-Cryptomining” Software Drivers

https://nakedsecurity.sophos.com/2021/02/22/nvidia-announces-official-anti-cryptomining-software-drivers/

Date Published: February 22, 2021

Excerpt: “Simply put, Nvidia will try to detect the code you’re running, and purposefully – but not secretly, given its public announcement – take out what amounts to “denial of service” (DoS) actions against software it thinks is trying to do Ethereum calculations on the GPU. Reports we’ve seen suggest that Nvidia’s anti-crypto drivers work by detecting memory usage that looks like a Dagger-Hashimoto computation, which needs to follow unusual but unavoidable memory access patterns, and cutting the speed of ETH hashing in half.”

Title: Experts Warn of Threat Actors Abusing Google Alerts To Deliver Unwanted Programs

Date Published: February 21, 2021

https://securityaffairs.co/wordpress/114871/cyber-crime/google-alerts-abuse.html

Excerpt: “Google Alerts is a content change detection and notification service, it sends emails to the user when it finds new results (i.e. web pages, newspaper articles, blogs, or scientific research) that match the user’s search term(s). Upon indexing the content, Google Alerts will alert people who are searching those specific terms. Clicking on the links sent by Google Alerts related to the matches in the fake stories, users are redirected to malicious sites under the control of the threat actors and the threat actor’s malicious site.”

Title: Malformed URL Prefix Phishing Attacks Spike 6,000%

Date Published: February 22, 2021

https://www.infosecurity-magazine.com/news/internet-registry-ripe-ncc-warns/

Excerpt: “RIPE NCC is the regional internet registry (RIR) for Europe, West Asia and the former Soviet Union. It claimed in an update yesterday that its single sign-on (SSO) service was affected by an attempt to crack open accounts, causing some downtime. “We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future,” it noted.”

Title: NSA Equation Group Tool Was Used by Chinese Hackers Years Before It Was Leaked Online

Date Published: February 22, 2021

https://securityaffairs.co/wordpress/114898/apt/nsa-equation-group-tool-apt31.html?utm_source=rss&utm_medium=rss&utm_campaign=nsa-equation-group-tool-apt31

Excerpt: “Attackers use the script.google.com domain to avoid detection and bypass Content Security Policy (CSP) controls; the Google domain and its subdomains are whitelisted by default in the CSP configuration of the e-stores. Experts pointed out that the actual code hosted at Google is not public, but the error message displayed reaching the above script suggests that stolen payment data is funneled by Google servers to an Israel-based site called analit[.]tech.”

Title: The Florida Water Hack: Don’t Think ‘Redundancy’ Will Prevent the Next One

Date Published: February 22, 2021

https://armerding.medium.com/the-florida-water-hack-dont-think-redundancy-will-prevent-the-next-one-e324a6e8a0d3

Excerpt: “But as was also reported, the attack was detected and blocked long before there was any damage. A supervisor monitoring the Oldsmar (population 15,000) water plant systems saw a mouse pointer move across a screen and “immediately noticed the change in dosing amounts,” which could eventually have boosted the amount of sodium hydroxide (lye) in drinking water by 100 times. That caustic chemical, at low levels, is used to control acidity in water. In high concentrations, it amounts to drain cleaner.”