OSN May 26, 2021

Fortify Security Team
May 26, 2021

Title: VMware Warns of Critical Bug Affecting All vCenter Server Installs
Date Published:  May 25, 2021


Excerpt:  “VMware urges customers to patch a critical remote code execution (RCE) vulnerability in the Virtual SAN Health Check plug-in and impacting all vCenter Server deployments.  “These updates fix a critical security vulnerability, and it needs to be considered at once,” said Bob Plankers, Technical Marketing Architect at VMware.  “This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of whether you use vSAN or not.””

Title: Domino’s India Discloses Data Breach After Hackers Sell Data Online
Date Published:  May 25, 2021


Excerpt:  “Domino’s India has disclosed a data breach after a threat actor hacked their systems and sold their stolen data on a hacking forum.  In April 2021, a threat actor created a new topic on a hacking forum where they claimed to be selling 13 TB of stolen data, including details for 18 crores (180 million) orders and 1 million credit cards, from Domino’s India.  The threat actor was selling the data for approximately 10 BTC, or $380,000 at today’s rates, and shared samples of the database structure for the allegedly stolen data.”

Title: Belgium’s Interior Ministry Uncovers 2-year-long Compromise of Its Network
Date Published:  May 26, 2021


Excerpt:  “Belgium’s Federal Public Service Interior (i.e., the country’s Interior Ministry) has suffered a “complex, sophisticated and targeted cyberattack.”  When Microsoft released out-of-band security updates for Exchange Server in early March to fix zero-day vulnerabilities exploited by the Hafnium threat actor, the FPS Interior called in the Center for Cybersecurity Belgium (CCB) to help with the patching of their Exchange servers.  While doing that, the CCB also carried out more extensive monitoring and “found subtle leads to questionable acts on the network of the FPS Interior.”  The investigation showed that the attacker broke in in April 2019, meaning that they did not exploit the Exchange flaws to get in.  “The complexity of this attack indicates an actor who has cyber capacities and extensive resources. The perpetrators acted in a targeted manner, which sounds like espionage,” the FPS Interior noted.”

Title: Ivanti Fixes High Severity Flaw in Pulse Connect Secure VPN
Date Published:  May 25, 2021


Excerpt:  “Ivanti addressed a high severity Buffer Overflow vulnerability in Secure VPN appliances that could allow a remote authenticated attacker to execute arbitrary code with elevated privileges.  The vulnerability, tracked as CVE-2021-22908, has received a CVSS score of 8.5; it impacts Pulse Connect Secure versions 9.0Rx and 9.1Rx.  “Buffer Overflow in Windows File Resource Profiles in 9.X allows a remote authenticated user with privileges to browse SMB shares to execute arbitrary code as the root user. As of version 9.1R3, this permission is not enabled by default.” reads the security advisory published by the company. “The solution for this vulnerability is to upgrade the Pulse Connect Secure server software version to the 9.1R.11.5. We will update the advisory once the timelines are available.””

Title: Ransomware: Dramatic Increase in Attacks is Causing Harm on a Significant Scale
Date Published:  May 26, 2021


Excerpt:  “A dramatic increase in the number of ransomware attacks and their severity is causing harm on a significant scale, the UK’s National Crime Agency (NCA) has warned.  The NCA’s annual National Strategic Assessment (NSA) of Serious and Organized Crime details how the overall threat from cyber crime has increased over the last year, with more severe and high profile attacks against victims.  Ransomware attacks in particular have grown in frequency and impact over the course of the last year, to such an extent that they rank alongside other major crimes “causing harm to our citizens and communities on a significant scale,” warns the report.  One of the things which has made ransomware much more dangerous is the increase in attacks which don’t just encrypt networks and demand a ransom paid in Bitcoin or other cryptocurrency in exchange for the decryption, but also see cyber criminals steal sensitive information from the victim organization, which the crooks threaten to publish if their extortion demands aren’t met, potentially putting employees and members of the public at risk of additional fraud.  According to the NCA report, over half of ransomware attacks now deploy this double extortion technique.”

Title: Russian National Jailed for Running Stolen Data, Hijacked Account Seller Platform Deer.io
Date Published:  May 26, 2021


Excerpt:  “A Russian national has been jailed for 2.5 years for operating deer.io, a platform designed for the sale of stolen data and accounts.  This week, the US Department of Justice (DoJ) said that Kirill Victorovich Firsov, 30, will spend 30 months behind bars for acting as the administrator of Deer.io, a now-defunct website that offered a form of ‘Shopify’ front for criminal activity.  Deer.io, thought to have been in operation since at least 2013, hosted over 24,000 online stores on a subscription basis over the course of its lifetime, with prices set at approximately $12 per month. According to the DoJ, at the time of its seizure, Deer.io catered to 3,000 active stores with sales exceeding $17 million.”

Title: Coast Guard to Create Red Team
Date Published:  May 25, 2021


Excerpt:  “The United States Coast Guard is to establish a Cyber Operational Assessments Branch this summer and create its first ever red team.  The planned restructuring, first reported by Federal News Network, will support the cybersecurity work currently being undertaken by the Coast Guard’s blue team.  Acting as a cyber adversary, the red team will emulate the behavior of threat actors and perform penetration tests to identify any weaknesses in the Coast Guard’s cyber-defenses.  Cyber blue team branch chief, Lt. Kenneth Miltenberger, said his team will continue to fulfill its existing duties, which include performing cooperative vulnerability assessments, security consulting for acquisition operations, and endpoint scanning.”

Title: US to Regulate Pipeline Cybersecurity
Date Published:  May 25, 2021


Excerpt:  “The United States Department of Homeland Security (DHS) is to issue its first ever set of cybersecurity regulations for pipelines, according to The Washington Post.  The news comes in the wake of a recent ransomware attack on the Colonial Pipeline that knocked operational systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast.  Last week, Colonial Pipeline paid a ransom of $4.4m to cyber-criminal gang DarkSide to regain control of its systems and data.  According to the Post, a senior DHS official has said that a security directive will be issued this week requiring pipeline companies to report cybersecurity incidents to federal authorities. The directive will come from the Transportation Security Administration, a DHS unit.  This directive will be followed by a meatier set of regulations in a couple of weeks’ time. These rules are expected to lay out in more detail what pipeline operators must do to protect their systems from cyber-attacks.”

Title: Ransomware Unmasked: Dispute Reveals Ransomware TTPs
Date Published:  May 26, 2021


Excerpt:  “A recent “public” dispute on the dark web between actors affiliated with the “REvil” ransomware group and an actor offering to negotiate with victims has shed light on the rise of “ransomware consultants” and revealed the operational methods of ransomware hackers.  Ransomware consultants research victims to gather intelligence for realistic ransom demands and conduct the negotiations on behalf of the ransomware group. The core reason that ransomware groups are looking for these types of services is that although they are proficient at gaining access to victims and encrypting data, they are less proficient at extracting ransom payments.  As criminal profits for ransomware attacks grew to nearly $370 million in 2020, the ecosystem of accompanying services and actors continues to undergo greater professionalization. Within this context, there are three major groups of relevant actors.”

Title: New Ponemon Institute Study Reveals Cloud Account Compromises Cost Organizations Over $6 Million Annually
Date Published:  May 24, 2021


Excerpt:  “Proofpoint, a leading cybersecurity and compliance company, and Ponemon Institute, a top IT security research organization, today released the results of a new study on “The Cost of Cloud Compromise and Shadow IT.” The average cost of cloud account compromises reached $6.2 million over a 12-month period, according to over 600 IT and IT security professionals in the U.S. In addition, 68 percent of these survey respondents believe cloud account takeovers present a significant security risk to their organizations, with more than half indicating the frequency and severity of cloud account compromises has increased over the last 12 months.  “This research illustrates that leaving SaaS security in the hands of end-users or lines of business can be quite costly,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Cloud account compromises and sensitive information loss can disrupt business, damage brand reputation, and cost organizations millions annually.”  Only 44 percent of survey respondents believe their organizations have established clearly defined roles and accountability for safeguarding confidential or sensitive information in the cloud. Risks are also magnified as fewer than 40 percent of respondents say their organizations are vigilant in conducting cloud app assessments before deployment.”
