OSN May 13, 2021

Fortify Security Team
May 13, 2021
Title: Executive Order on Improving the Nation’s Cybersecurity

Date Published: May 12, 2021


Excerpt: “Removing Barriers to Sharing Threat Information. The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems.  These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems.  At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC).”

Title: Ransomware Groups Use Tor-Based Backdoor for Persistent Access
Date Published: May 12, 2021


Excerpt: “While running, the Tor client maintains an open session with the Tor network that brokers inbound connections to the Onion Service. When a remote attacker connects to the onion address and port pair registered as the Onion Service, the connection is redirected to the IP address and port specified in the HiddenServicePort configuration directive. When the HiddenServicePort directive is configured as the loopback IP address (, the connection is redirected to the localhost.”

Title: Verizon DBIR 2021: “Winners” No Surprise, But All-round Vigilance Essential
Date Published: May 13, 2021


Excerpt: “Verizon’s annual Data Breach Investigations Report (DBIR) is launched today and as always provides valuable insight into the cybersecurity challenges faced by organizations. We all know that 2020 was a year like no other. Phishing and ransomware were the most “successful” of the threats, up 11% and 6% respectively. However, the rapid innovations that many organizations made in 2020 did not always address information risk and security upfront, leading to further opportunities for compromise by malicious threats.”

Title: Transparent Tribe Apt Expands Its Windows Malware Arsenal
Date Published: May 13, 2021


Excerpt: “Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this group to CrimsonRAT, but new campaigns show they are expanding their Windows malware arsenal with ObliqueRAT. While military and defense personnel continue to be the group’s primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting.”

Title: Microsoft Warns: Watch out for This New Malware That Steals Passwords, Webcam and Browser Data
Date Published: May 13, 2021


Excerpt: “According to Microsoft, the phishing emails distribute a loader that then delivers RevengeRAT or AsyncRAT. Morphisec says it also delivers the RAT Agent Tesla. The campaign uses emails that spoof legitimate organizations, with lures relevant to aviation, travel, or cargo. An image posing as a PDF file contains an embedded link (typically abusing legitimate web services) that downloads a malicious VBScript, which drops the RAT payloads. Morphisec named the cryptor service “Snip3” based on a username taken from the malware it found across earlier variants.”

Title: Colonial Pipeline Attackers Linked to Infamous REvil Group
Date Published: May 13, 2021


Excerpt: “Researchers at Flashpoint claimed with “moderate confidence” that the owners of DarkSide are likely to have been former affiliates of REvil — a group in the news recently for its attempted extortion of Apple and supplier Quanta Computer and one of the most successful Ransomware as a Service (RaaS) operations around. They also argued that the malware itself is based on the REvil code. The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program,” Flashpoint claimed. “This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.”

Title: Proofpoint’s Voice of the CISO 2021 Report Reveals Two-Thirds of Global CISOs Feel Unprepared to Cope with a Cyberattack
Date Published: May 12, 2021


Excerpt: “SUNNYVALE, Calif., May 12, 2021 – Proofpoint, Inc. (NASDAQ: PFPT), a leading cybersecurity and compliance company, today released its inaugural 2021 Voice of the CISO report which explores key challenges facing chief information security officers (CISOs) after an unprecedented twelve months. Sixty-six percent of CISOs feel their organization is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability, proving that the work-from-home model necessitated by the pandemic has tested CISOs like never before.”

Title: Private LTE or 5G: Which Is More Secure?
Date Published: May 12, 2021


Excerpt: “Companies often used 5G as a stopgap during the quick shift to remote work, with varied results. According to the PwC U.S. Remote Work Survey released in January, there was a 22-point difference in the survey results between how employers felt they provided a mobile experience for work applications and data and how employees felt about the experience. On top of that was an increase in security issues during the pandemic, including 59% more phishing scams and a 36% increase in malware.”

Title: Microsoft Shares Details of Malware Attack on Aerospace, Travel Sector
Date Published: May 12, 2021


Excerpt: “What makes this campaign truly different from the others that have been observed in the past is the RAT loader that is employed and designed to bypass detection. The newly discovered loader monetized under a Crypter-as-a-Service model, named Snip3 by Morphisec malware analysts, is used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT payloads on compromised systems. Links abusing legitimate web services and embedded within the phishing messages download the first-stage VBScript VBS files that execute a second-stage PowerShell script which in turn executes the final RAT payload using Process Hollowing.”

Title: Microsoft: Windows 10 1809 and 1909 Have Reached End of Service
Date Published: May 12, 2021


Excerpt: “Windows Update will automatically initiate a feature update for Windows 10 consumer devices and non-managed business devices that are at, or within several months of reaching end of servicing. For these devices, you can choose a convenient time for your device to reboot and complete the update. The Home, Pro, Pro Education, Pro for Workstations editions of Windows 10, version 1909, and all Windows Server, version 1909 editions reached their end of service yesterday. Several editions of Windows 10 versions 1803 and 1809 have also reached the end of service on May 11, 2021, after Microsoft has delayed it due to the COVID-19 pandemic.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...