OSN June 1, 2021

Fortify Security Team
Jun 1, 2021

Title: New Epsilon Red Ransomware Hunts Unpatched Microsoft Exchange Servers

Date Published: May 29, 2021


Excerpt: “Incident responders at cybersecurity company Sophos discovered the new Epsilon Red ransomware over the past week while investigating an attack at a fairly large U.S. company in the hospitality sector. The researchers found that the threat actor breached the enterprise network by exploiting unpatched vulnerabilities in on-premise Microsoft Exchange server. After breaching the network, the hackers reach machines over RDP and use Windows Management Instrumentation (WMI) to install software and run PowerShell scripts that ultimately deploy Epsilon Red executable.”

Title: Experts Devised a New Attack to Bypass Microsoft Patchguard

Date Published: May 31, 2021


Excerpt: “Microsoft always downplayed the severity of Kento-like attacks because they require that the attackers could run the code with admin privileges, but the IT giant points out that with this level of permission it is already possible to take over any Windows system. Anyway, Microsoft did not patch the PatchGuard bypass attacks that were devised by researchers in the last couple of years, the company labeled the issue a security non-issue.”

Title: Cybersecurity Group Hopes to Push 30 More National Priorities

Date Published: June 1, 2021


Excerpt: “Created in August 2018, the Cyberspace Solarium Commission collected a nonpartisan group of lawmakers and experts to come up with policy changes to enhance the United States’ cyber posture and ability to defend itself. On March 11, 2020, the CSC announced its findings, recommending that the US government take more than 80 initiatives to create an overlapping policy of cyber resilience and cyber deterrence. More than two dozen recommendations where codified into law as part of the National Defense Authorization Act (NDAA), passed in 2020. ”

Title: Rapid TTP Development and Syndicate Adoption Ignite Q2 Ransomware Explosion

Date Published: June 1, 2021


Excerpt: “APT groups are using ransomware functionality to enable and mask targeted data destruction, possibly for political reasons. DarkSide group has suspended its ransomware-as-a-service (RaaS) program , possibly due to disruptions to its infrastructure following the Colonial Pipeline attack. The rapid evolution of JSWorm ransomware from mass-scale operations to targeted threats showcases the investment by RaaS operators in new TTPs. The use of third-party loaders is helping ransomware syndicates like Conti grab a larger share of the market.”

Title: Cyber Attacks: The Challenge Of Attribution And Response

Date Published: June 1, 2021


Excerpt: “Individual attacker TTPs are also becoming harder to distinguish, with the use of ‘off the shelf malware’ and other tools becoming more widespread, and more difficult to attribute to distinct threat actors and groups. The technical threshold between cybercriminal groups and nation state actors is also getting closer. The initial actors behind another supply chain attack affecting software provider Accellion, which involved the chaining of 4 zero-day vulnerabilities, was thought to have been conducted by FIN11, a cybercriminal group with ties into the Clop ransomware variant.”

Title: Guildma Is Now Using Finger and Signed Binary Proxy Execution to Evade Defenses

Date Published: June 1, 2021


Excerpt: “The ongoing campaign starts with an e-mail phishing with a link to a ZIP file which contains an LNK. If the user executes the LNK file, instead of opening a supposed PDF with a proof of payment (Comprovante.pdf7.lnk), it will execute Windows native binary Finger.exe do retrieve the malicious command from attacker’s server on port TCP/79 and pass it to ‘cmd’ to get it executed.”

Title: Swedish Health Agency Shuts Down Sminet After Hacking Attempts

Date Published: May 31, 2021


Excerpt: “The Swedish Public Health Agency (Folkhälsomyndigheten) has shut down SmiNet, the country’s infectious diseases database, on Thursday after it was targeted in several hacking attempts. SmiNet, which is also used to store electronic reports with statistics on COVID-19 infections, was shut down on Thursday to investigate the attacks and was brought back online on Friday evening.”

Title: Report: Danish Secret Service Helped NSA Spy On European Politicians

Date Published: June 1, 2021


Excerpt: “The U.S. The National Security Agency (NSA) used a partnership with Denmark’s foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping into Danish underwater internet cables between 2012 and 2014.  Details of the covert wiretapping were broken by Copenhagen-based public broadcaster DR over the weekend based on interviews with nine unnamed sources, all of whom are said to have access to classified information held by the Danish Defence Intelligence Service (Forsvarets Efterretningstjeneste or FE).”

Title: Prometheus and Grief – Two New Emerging Ransomware Gangs Targeting Enterprises. Mexican Government Data Is Published for Sale

Date Published: June 1, 2021


Excerpt: “According to Resecurity, a cybersecurity company out of Los Angeles, the leaked data has been presumably stolen from multiple e-mail accounts in the result of ATO/BEC and compromise of network resources belonging to several Mexican government agencies. It is hard to determine sensitivity and the end impact in the result of such leaks, but it is one of the elements of an extortion game used by the bad actors. Mexico is the major trading partner of the United States, the second-largest economy in Latin America and the 17th-largest exporter in the world.”

Title: JBS USA Cyber Attack Affecting North American and Australian Systems

Date Published: May 31, 2021


Excerpt: “BS said its backup servers were not affected, and that it was actively working with an incident response firm to restore its systems “as soon as possible”. It also said it is currently not aware of any evidence to suggest customer, supplier, or employee data has been compromised or misused as a result of the attack. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...