OSN May 13, 2021

Fortify Security Team
May 13, 2021
Title: Executive Order on Improving the Nation’s Cybersecurity
Date Published: May 12, 2021


Excerpt: “Removing Barriers to Sharing Threat Information. The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems.  These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems.  At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC).”

Title: Ransomware Groups Use Tor-Based Backdoor for Persistent Access
Date Published: May 12, 2021


Excerpt: “While running, the Tor client maintains an open session with the Tor network that brokers inbound connections to the Onion Service. When a remote attacker connects to the onion address and port pair registered as the Onion Service, the connection is redirected to the IP address and port specified in the HiddenServicePort configuration directive. When the HiddenServicePort directive is configured as the loopback IP address (, the connection is redirected to the localhost.”

Title: Verizon DBIR 2021: “Winners” No Surprise, But All-round Vigilance Essential
Date Published: May 13, 2021


Excerpt: “Verizon’s annual Data Breach Investigations Report (DBIR) is launched today and as always provides valuable insight into the cybersecurity challenges faced by organizations. We all know that 2020 was a year like no other. Phishing and ransomware were the most “successful” of the threats, up 11% and 6% respectively. However, the rapid innovations that many organizations made in 2020 did not always address information risk and security upfront, leading to further opportunities for compromise by malicious threats.”

Title: Transparent Tribe APT Expands Its Windows Malware Arsenal
Date Published: May 13, 2021


Excerpt: “Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT. While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.”

Title: Microsoft Warns: Watch out for This New Malware That Steals Passwords, Webcam and Browser Data
Date Published: May 13, 2021


Excerpt: “According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads. Morphisec named the cryptor service “Snip3” based on a username taken from the malware it found across earlier variants.”

Title: Colonial Pipeline Attackers Linked to Infamous REvil Group
Date Published: May 13, 2021


Excerpt: “Researchers at Flashpoint claimed with “moderate confidence” that the owners of DarkSide are likely to have been former affiliates of REvil — a group in the news recently for its attempted extortion of Apple and supplier Quanta Computer and one of the most successful Ransomware as a Service (RaaS) operations around. They also argued that the malware itself is based on the REvil code. “The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program,” Flashpoint claimed. “This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.”

Title: Proofpoint’s Voice of the CISO 2021 Report Reveals Two-Thirds of Global CISOs Feel Unprepared to Cope with a Cyberattack
Date Published: May 12, 2021


Excerpt: “SUNNYVALE, Calif., May 12, 2021 – Proofpoint, Inc. (NASDAQ: PFPT), a leading cybersecurity and compliance company, today released its inaugural 2021 Voice of the CISO report which explores key challenges facing chief information security officers (CISOs) after an unprecedented twelve months. Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability, proving that the work-from-home model necessitated by the pandemic has tested CISOs like never before.”

Title: Private LTE or 5G: Which Is More Secure?
Date Published: May 12, 2021


Excerpt: “Companies often used 5G as a stopgap during the quick shift to remote work, with varied results. According to the PwC U.S. Remote Work Survey released in January, there was a 22-point difference in the survey results between how employers felt they provided a mobile experience for work applications and data and how employees felt about the experience. On top of that was an increase in security issues during the pandemic, including 59% more phishing scams and a 36% increase in malware.”

Title: Microsoft Shares Details of Malware Attack on Aerospace, Travel Sector
Date Published: May 12, 2021


Excerpt: “What makes this campaign truly different from the others that have been observed in the past is the RAT loader that is employed and designed to bypass detection. The newly discovered loader monetized under a Crypter-as-a-Service model, named Snip3 by Morphisec malware analysts, is used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems. Links abusing legitimate web services and embedded within the phishing messages download the first-stage VBScript VBS files that execute a second-stage PowerShell script which in turn executes the final RAT payload using Process Hollowing.”

Title: Microsoft: Windows 10 1809 and 1909 Have Reached End of Service
Date Published: May 12, 2021


Excerpt: “Windows Update will automatically initiate a feature update for Windows 10 consumer devices and non-managed business devices that are at, or within several months of reaching, end of servicing. For these devices, you can choose a convenient time for your device to reboot and complete the update. The Home, Pro, Pro Education, and Pro for Workstations editions of Windows 10, version 1909, and all Windows Server, version 1909 editions reached their end of service yesterday. Several editions of Windows 10 versions 1803 and 1809 have also reached the end of service on May 11, 2021, after Microsoft had delayed it due to the COVID-19 pandemic.”
