OSN June 1, 2021

Fortify Security Team
Jun 1, 2021

Title: New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers

Date Published: May 29, 2021


Excerpt: “Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector. The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange server. After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts that ultimately deploy Epsilon Red executable.”

Title: Experts Devised a New Attack to Bypass Microsoft Patchguard

Date Published: May 31, 2021


Excerpt: “Microsoft always downplayed the severity of Kento-like attacks because they require that the attackers could run the code with admin privileges, but the IT giant points out that with this level of permission it is already possible to take over any Windows system. Anyway, Microsoft did not patch the PatchGuard bypass attacks that were devised by researchers in the last couple of years, the company labeled the issue a security non-issue.”

Title: Cybersecurity Group Hopes to Push 30 More National Priorities

Date Published: June 1, 2021


Excerpt: “Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States’ cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations were codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020.”

Title: Rapid TTP Development and Syndicate Adoption Ignite Q2 Ransomware Explosion

Date Published: June 1, 2021


Excerpt: “APT groups are using ransomware functionality to enable and mask targeted data destruction, possibly for political reasons. DarkSide group has suspended its ransomware-as-a-service (RaaS) program, possibly due to disruptions to its infrastructure following the Colonial Pipeline attack. The rapid evolution of JSWorm ransomware from mass-scale operations to targeted threats showcases the investment by RaaS operators in new TTPs. The use of third-party loaders is helping ransomware syndicates like Conti grab a larger share of the market.”

Title: Cyber Attacks: The Challenge Of Attribution And Response

Date Published: June 1, 2021


Excerpt: “Individual attacker TTPs are also becoming harder to distinguish, with the use of ‘off the shelf malware’ and other tools becoming more widespread, and more difficult to attribute to distinct threat actors and groups. The technical threshold between cybercriminal groups and nation state actors is also getting closer. The initial actors behind another supply chain attack affecting software provider Accellion, which involved the chaining of 4 zero-day vulnerabilities, was thought to have been conducted by FIN11, a cybercriminal group with ties into the Clop ransomware variant.”

Title: Guildma Is Now Using Finger and Signed Binary Proxy Execution to Evade Defenses

Date Published: June 1, 2021


Excerpt: “The ongoing campaign starts with an e-mail phishing with a link to a ZIP file which contains an LNK. If the user executes the LNK file, instead of opening a supposed PDF with a proof of payment (Comprovante.pdf7.lnk), it will execute Windows native binary Finger.exe to retrieve the malicious command from attacker’s server on port TCP/79 and pass it to ‘cmd’ to get it executed.”

Title: Swedish Health Agency Shuts Down Sminet After Hacking Attempts

Date Published: May 31, 2021


Excerpt: “The Swedish Public Health Agency (Folkhälsomyndigheten) has shut down SmiNet, the country’s infectious diseases database, on Thursday after it was targeted in several hacking attempts. SmiNet, which is also used to store electronic reports with statistics on COVID-19 infections, was shut down on Thursday to investigate the attacks and was brought back online on Friday evening.”

Title: Report: Danish Secret Service Helped NSA Spy On European Politicians

Date Published: June 1, 2021


Excerpt: “The U.S. National Security Agency (NSA) used a partnership with Denmark’s foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping into Danish underwater internet cables between 2012 and 2014. Details of the covert wiretapping were broken by Copenhagen-based public broadcaster DR over the weekend based on interviews with nine unnamed sources, all of whom are said to have access to classified information held by the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste or FE).”

Title: Prometheus and Grief – Two New Emerging Ransomware Gangs Targeting Enterprises. Mexican Government Data Is Published for Sale

Date Published: June 1, 2021


Excerpt: “According to Resecurity, a cybersecurity company out of Los Angeles, the leaked data has been presumably stolen from multiple e-mail accounts in the result of ATO/BEC and compromise of network resources belonging to several Mexican government agencies. It is hard to determine sensitivity and the end impact in the result of such leaks, but it is one of the elements of an extortion game used by the bad actors. Mexico is the major trading partner of the United States, the second-largest economy in Latin America and the 17th-largest exporter in the world.”

Title: JBS USA Cyber Attack Affecting North American and Australian Systems

Date Published: May 31, 2021


Excerpt: “JBS said its backup servers were not affected, and that it was actively working with an incident response firm to restore its systems “as soon as possible”. It also said it is currently not aware of any evidence to suggest customer, supplier, or employee data has been compromised or misused as a result of the attack. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”
