OSN May 19, 2021

Fortify Security Team
May 19, 2021

Title: MountLocker Ransomware Uses Windows API to Worm Through Networks

Date Published: May 19, 2021


Excerpt: “Using this API, the ransomware can find all devices that are part of the compromised Windows domain and encrypt them using stolen domain credentials. Many corporate environments rely on complex active directory forests and computers within them. Now MountLocker is the first known ransomware to leverage unique corporate architectural insight for the benefit of identifying additional targets for encryption operation outside of the normal network and share scan. This is the quantum shift of professionalizing ransomware development for corporate network exploitation.”

Title: Colonial Pipeline Says Ransomware Recovery Efforts Caused Network Outage for Shippers

Date Published: May 18, 2021


Excerpt: “Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process,” Colonial Pipeline said in a statement. “These issues were not related to ransomware or any type of reinfection.” Shippers told Reuters and Bloomberg News that they were unable to access the communication system, which allows Colonial Pipeline customers to “nominate,” or make formal requests for gasoline and other fuel, and to receive updates on fuel shipments.

Title: Identifying and Addressing Critical OT Asset Vulnerabilities in 24/7 Industrial Operations

Date Published: May 18, 2021


Excerpt: “The knowledge for identifying the “crown jewels” (critical assets) is derived from a process known as Hazard and Operability (HAZOP) study in the petrochemical and other industries handling highly hazardous chemicals. HAZOP study is a structured and systematic assessment of a manufacturing operation designed to identify specific process safety risks to equipment and personnel. The resulting output is a prioritized list of mitigation measures to address such risks.”

Title: How Ransomware Encourages Opportunists to Become Criminals

Date Published: May 19, 2021


Excerpt: “In March, The Record interviewed Unknown from the REvil/Sodinokibi group, which offers ransomware-as-a-service to criminals to carry out extortion, data theft, and system destruction attacks to gain money from victims and/or buyers. In response to the question of whether it targets those carrying cybersecurity insurance policies, Unknown responded, “Yes, this is one of the tastiest morsels. Especially to hack the insurers first — to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves”.”

Title: Scams Target Families of Missing Persons, FBI Warns

Date Published: May 18, 2021


Excerpt: “In its announcement, the FBI also described three cases of families being targeted using the information they shared on social media. One family posted information about a missing 13-year-old along with their phone number, which the scammer then used to contact the mother and demand a ransom. However, the girl was never abducted and ultimately returned home of her own accord.”

Title: Ransomware Attack on Health Sector (IOCs)

Date Published: May 16, 2021


Excerpt: “On 14/05/21 the Health Service Executive (HSE) was impacted by a Ransomware attack which has affected multiple services on their network. The NCSC along with the HSE and partners are currently investigating this incident and an Incident Response process is ongoing. Malicious cyber activity was also detected on the Department of Health (DoH) network early on Friday morning (14th May 2021), however due to the deployment of tools during the investigation process an attempt to execute ransomware was detected and stopped. These attacks are believed to be part of the same campaign targeting the Irish health sector.”

Title: Hackers Scan for Vulnerable Devices Minutes After Bug Disclosure

Date Published: May 19, 2021


Excerpt: “The researchers found that companies take an average of 12 hours to find a new, serious vulnerability. Almost a third of all identified issues related to the Remote Desktop Protocol, a common target for ransomware actors as they can use it to gain admin access to servers. Misconfigured database servers, zero-day vulnerabilities in critical products from vendors like Microsoft and F5, and insecure remote access (Telnet, SNMP, VNC) complete the list of high-priority flaws. According to Palo Alto Networks, companies identified one such issue every 12 hours, in stark contrast with the threat actors’ mean time to inventory of just one hour.”

Title: It’s Time to Prepare for a Rise in Insider Threats

Date Published: May 18, 2021


Excerpt: “Earlier this year, Tesla discovered that an employee had stolen more than 6,000 files containing sensitive code. The software engineer, who was only employed for two weeks, had been hired as one of the few people who could access these files. This incident highlights the danger that insider threats pose to enterprises. This is not a problem that is unique to Tesla or any one industry. Employees, whether through careless or malicious actions, can pose a significant risk to any organization. A survey from the Ponemon Institute recently found that insider threats increased by 47 percent from 2018 to 2020. The cost of insider threat incidents also rose by 31 percent from $8.76 to $11.45 million during the same time period.”

Title: Introducing Site Isolation in Firefox

Date Published: May 18, 2021


Excerpt: “This fundamental redesign of Firefox’s Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop,” Mozilla said in a statement. “Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site’s secret or private data.”

Title: Try This One Weird Trick Russian Hackers Hate

Date Published: May 17, 2021


Excerpt: “In a Twitter discussion last week on ransomware attacks, KrebsOnSecurity noted that virtually all ransomware strains have a built-in failsafe designed to cover the backsides of the malware purveyors: They simply will not install on a Microsoft Windows computer that already has one of many types of virtual keyboards installed — such as Russian or Ukrainian. So many readers had questions in response to the tweet that I thought it was worth a blog post exploring this one weird cyber defense trick.”
