OSN May 22, 2021

Fortify Security Team
May 22, 2021

Title: Wormable Windows HTTP Vulnerability Also Affects WinRM Servers

Date Published: May 22, 2021


Excerpt: “It also impacts Windows 10 and Server devices running the WinRM service (short for Windows Remote Management), a component of the Windows Hardware Management feature set which also makes use of the vulnerable HTTP.sys. While home users have to enable the WinRM service manually on their Windows 10 systems, enterprise Windows Server endpoints have WinRM toggled on by default which makes them vulnerable to attacks if they’re running versions 2004 or 20H2.”

Title: FBI Intelligence Analyst Indicted for Theft of Cybersecurity, Counterterrorism Documents

Date Published: May 24, 2021


Excerpt: “The US Department of Justice (DoJ) said that between June 2004 and December 2017, the 48-year-old removed and then kept national security, secret, and confidential documents at her home. Some of the material specifically related to al Qaeda members suspected “associates” of Osama Bin Laden and emerging terrorist groups in Africa.”

Title: Zeppelin Ransomware Comes Back to Life With Updated Versions

Date Published: May 24, 2021


Excerpt: “AdvIntel warns that despite the lack of organization typical to the RaaS model, Zeppelin could make it more difficult to fight the ransomware threat since access to the malware allows other developers to steal features for their products.The company says that Zeppelin users are individual buyers that do not complicate their attacks and rely on common initial attack vectors like RDP, VPN vulnerabilities, and phishing. Furthermore, Zeppelin operators do not have a leak site, like most RaaS groups, and they focus on encrypting the data, not stealing it.”

Title: North Korean Hackers Behind Cryptocore Multi-Million Dollar Heists

Date Published: May 24, 2021


Excerpt: “ClearSky compared the details in these researches to their findings and noticed sufficient similarities to confidently attribute the attacks to the same actor. It is important to note that ClearSky has accepted F-Secure’s attribution of the attacks to the Lazarus group after checking if the company’s YARA rules for identifying and classifying malware applied to remote access trojans (RATs) in reports about Lazarus from ESET and Kaspersky. ClearSky notes that the YARA rule matched an old RAT that Kaspersky reported in 2016 (bbd703f0d6b1cad4ff8f3d2ee3cc073c). ”

Title: FBI Identifies 16 Conti Ransomware Attacks Striking Us Healthcare, First Responders

Date Published: May 24, 2021


Excerpt: “Conti may use stolen credentials, RDP, or phishing campaigns to obtain initial access to a network. According to the FBI, the group may also use Cobalt Strike, Mimikatz, Emotet, and Trickbot alongside Conti ransomware during attacks. The FBI does not encourage victim organizations to pay up, as decryption keys are not guaranteed to work and each successful extortion attempt only encourages ransomware-related criminal activity.”

Title: A Malware Attack Hit the Alaska Health Department

Date Published: May 23, 2021


Excerpt: “The website of the Alaska health department was forced offline this week by a malware attack. It is not clear how hackers breached the network Alaska health department and how they planted the malicious code. Experts speculate the involvement of a ransomware family in the attack, investigators are working to determine if any personal or confidential information was compromised.”

Title: Data of 4.5m Passengers Was Stolen in SITA Cyberattack

Date Published: May 24, 2021


Excerpt: “Air India said to have understood the severity of the cyber-attack only last month. They declared to have conducted investigations, securing compromised servers, engaging external specialists, notifying and liaising with credit card issuers, and resetting passwords of the Air India FFP program trying to handle the situation. It seems like the airline found out about the incident on February 25th (and issued a warning on March 19th), but only learned the identities of affected passengers on March 25th and May 4th as it was already investigating the breach.”

Title: The Middle East’s Cyber Security Crisis

Date Published: May 24, 2021


Excerpt: “Iran has been particularly brazen in its cyber-espionage activities against its own citizens, as well as against its regional rivals, especially Saudi Arabia. These espionage campaigns are getting better in their execution and more difficult to detect, and will continue unabated. Significantly, while Middle Eastern governments, companies and other institutions should expect that countries like Israel, China, Russia and the United States can probably access their networks at will, more and more countries within the Arab world are acquiring the technical expertise and tradecraft required to carry out their own cyber-espionage operations.”

Title: TPG Telecom Reveals Its Legacy Cloud-based Hosting Service Has Been Compromised in a Cyberattack

Date Published: May 24, 2021


Excerpt: “TPG Telecom Limited has disclosed that its legacy cloud-based hosting service, TrustedCloud, was affected in a recent cyberattack, with two clients found to have their data accessed. Only two TPG clients had their data stolen during the April cyberattack, which the enterprise observed on the same day, forcing it to take TrustedCloud offline while the issue was fixed, the telecommunications company said. The company added that it doesn’t think any other TrustedCloud customers or services were impacted as “TrustedCloud is hosted in a standalone environment separate from its telecommunications networks and other systems”.”

Title: The OSI Model and You Part 1: Stopping Threats on the OSI Physical Layer

Date Published: May 24, 2021


Excerpt: “Once you figure out what the business impact will be, time to shift over to risk tolerances and contingency planning. This means it is time to think about your business continuity, disaster recovery and even emergency response plans. Do you need to go offsite, for example? Do you have memorandums of understanding in place? Oh yeah, have you tested those plans? If you need some help on how to plan for these threats, NIST Special Publication 800-34 Revision 1 is one of the best guides out there.”

Recent Posts

July 17, 2023

Title: Thousands of Images on Docker Hub Leak Auth Secrets, Private Keys Date Published: July 16, 2023 https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/ Excerpt: “Researchers at the RWTH Aachen University...

July 14, 2023

Title: Indexing Over 15 Million WordPress Websites with PWNPress Date Published: July 14, 2023 https://securityaffairs.com/148465/hacking/pwnpress-platform.html Excerpt: “Sicuranex’s PWNPress platform indexed over 15 million WordPress websites, it collects data...

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...