OSN June 1, 2021

by | Jun 1, 2021 | Open Source News

Title: New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers

Date Published: May 29, 2021

https://www.bleepingcomputer.com/news/security/new-epsilon-red-ransomware-hunts-unpatched-microsoft-exchange-servers/

Excerpt: “Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector. The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange server. After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts that ultimately deploy Epsilon Red executable.”

Title: Experts Devised a New Attack to Bypass Microsoft Patchguard

Date Published: May 31, 2021

https://securityaffairs.co/wordpress/118427/hacking/microsoft-patchguard-kpp-bypass.html

Excerpt: “Microsoft always downplayed the severity of Kento-like attacks because they require that the attackers could run the code with admin privileges, but the IT giant points out that with this level of permission it is already possible to take over any Windows system. Anyway, Microsoft did not patch the PatchGuard bypass attacks that were devised by researchers in the last couple of years, the company labeled the issue a security non-issue.”

Title: Cybersecurity Group Hopes to Push 30 More National Priorities

Date Published: June 1, 2021

https://www.darkreading.com/risk/cybersecurity-group-hopes-to-push-30-more-national-priorities/d/d-id/1341173

Excerpt: “Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States’ cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. ”

Title: Rapid TTP Development and Syndicate Adoption Ignite Q2 Ransomware Explosion

Date Published: June 1, 2021

https://blog.eclecticiq.com/rapid-ttp-development-and-syndicate-adoption-ignite-q2-ransomware-explosion

Excerpt: “APT groups are using ransomware functionality to enable and mask targeted data destruction, possibly for political reasons. DarkSide group has suspended its ransomware-as-a-service (RaaS) program , possibly due to disruptions to its infrastructure following the Colonial Pipeline attack. The rapid evolution of JSWorm ransomware from mass-scale operations to targeted threats showcases the investment by RaaS operators in new TTPs. The use of third-party loaders is helping ransomware syndicates like Conti grab a larger share of the market.”

Title: Cyber Attacks: The Challenge Of Attribution And Response

Date Published: June 1, 2021

https://www.digitalshadows.com/blog-and-research/cyber-attacks-the-challenge-of-attribution-and-response/

Excerpt: “Individual attacker TTPs are also becoming harder to distinguish, with the use of ‘off the shelf malware’ and other tools becoming more widespread, and more difficult to attribute to distinct threat actors and groups. The technical threshold between cybercriminal groups and nation state actors is also getting closer. The initial actors behind another supply chain attack affecting software provider Accellion, which involved the chaining of 4 zero-day vulnerabilities, was thought to have been conducted by FIN11, a cybercriminal group with ties into the Clop ransomware variant.”

Title: Guildma Is Now Using Finger and Signed Binary Proxy Execution to Evade Defenses

Date Published: June 1, 2021

https://isc.sans.edu/forums/diary/Guildma+is+now+using+Finger+and+Signed+Binary+Proxy+Execution+to+evade+defenses/27482/

Excerpt: “The ongoing campaign starts with an e-mail phishing with a link to a ZIP file which contains an LNK. If the user executes the LNK file, instead of opening a supposed PDF with a proof of payment (Comprovante.pdf7.lnk), it will execute Windows native binary Finger.exe do retrieve the malicious command from attacker’s server on port TCP/79 and pass it to ‘cmd’ to get it executed.”

Title: Swedish Health Agency Shuts Down Sminet After Hacking Attempts

Date Published: May 31, 2021

https://www.bleepingcomputer.com/news/security/swedish-health-agency-shuts-down-sminet-after-hacking-attempts/

Excerpt: “The Swedish Public Health Agency (Folkhälsomyndigheten) has shut down SmiNet, the country’s infectious diseases database, on Thursday after it was targeted in several hacking attempts. SmiNet, which is also used to store electronic reports with statistics on COVID-19 infections, was shut down on Thursday to investigate the attacks and was brought back online on Friday evening.”

Title: Report: Danish Secret Service Helped NSA Spy On European Politicians

Date Published: June 1, 2021

https://thehackernews.com/2021/06/report-danish-secret-service-helped-nsa.html

Excerpt: “The U.S. The National Security Agency (NSA) used a partnership with Denmark’s foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping into Danish underwater internet cables between 2012 and 2014.  Details of the covert wiretapping were broken by Copenhagen-based public broadcaster DR over the weekend based on interviews with nine unnamed sources, all of whom are said to have access to classified information held by the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste or FE).”

Title: Prometheus and Grief – Two New Emerging Ransomware Gangs Targeting Enterprises. Mexican Government Data Is Published for Sale

Date Published: June 1, 2021

https://securityaffairs.co/wordpress/118446/cyber-crime/prometheus-grief-ransomware.html

Excerpt: “According to Resecurity, a cybersecurity company out of Los Angeles, the leaked data has been presumably stolen from multiple e-mail accounts in the result of ATO/BEC and compromise of network resources belonging to several Mexican government agencies. It is hard to determine sensitivity and the end impact in the result of such leaks, but it is one of the elements of an extortion game used by the bad actors. Mexico is the major trading partner of the United States, the second-largest economy in Latin America and the 17th-largest exporter in the world.”

Title: JBS USA Cyber Attack Affecting North American and Australian Systems

Date Published: May 31, 2021

https://www.zdnet.com/article/jbs-usa-cyber-attack-affecting-north-american-and-australian-systems/

Excerpt: “BS said its backup servers were not affected, and that it was actively working with an incident response firm to restore its systems “as soon as possible”. It also said it is currently not aware of any evidence to suggest customer, supplier, or employee data has been compromised or misused as a result of the attack. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”