OSN June 14, 2021

by | Jun 14, 2021 | Company News

Title: REvil Hits US Nuclear Weapons Contractor: Report

Date Published: June 11, 2021

https://threatpost.com/revil-hits-us-nuclear-weapons-contractor-sol-oriens/166858/

Excerpt: “Whether REvil – or whichever gang proves to be responsible for the attack – got its hands on more sensitive, secret information about the country’s nuclear weapons remains to be seen. But the fact that it got anything at all is, of course, deeply concerning. As Mother Jones pointed out, the NNSA is responsible for maintaining and securing the nation’s nuclear weapons stockpile and works on nuclear applications for the military, along with other highly sensitive missions.”

Title: Audi and Volkswagen Involved in a Massive Data Breach
Date Published: June 14, 2021

https://heimdalsecurity.com/blog/audi-and-volkswagen-involved-in-a-massive-data-breach/

Excerpt: “Unfortunately, as the Audi and Volkswagen data were left unsecured for such a long period of time, there is no way to know how many people had gained unauthorized access to it, therefore, all communications claiming to be from Audi or Volkswagen should be treated with suspicion, and the victims who had more sensitive data exposed should freeze their credit report in order to make it harder for third parties to perform identity theft.”

Title: Fujifilm Resumes Normal Operations After Ransomware Attack
Date Published: June 14, 2021

https://www.bleepingcomputer.com/news/security/fujifilm-resumes-normal-operations-after-ransomware-attack/

Excerpt: “Qbot trojan’s operators have a long history of working with ransomware gangs, providing them with remote access to previously infected networks. The ProLock and Egregor ransomware groups are known to have partnered with Qbo in the past but, after those operations shut down, REvil is the new ransomware gang that has been using the botnet to gain access to victims’ networks. While these are only theories at the moment, we will know soon enough who was behind the attack since, if data was stolen in the attack, it will likely be released on a ransomware data leak site and used as leverage to force Fujifilm to pay the ransom.”

Title: Ransomware: Russia Told to Tackle Cyber Criminals Operating From Within Its Borders
Date Published: June 14, 2021

https://www.zdnet.com/article/ransomware-russia-told-to-tackle-cyber-criminals-operating-from-within-its-borders/#

Excerpt: “Ransomware has struck every type of organization around the world. It’s changed dramatically, too, entering the enterprise from nearly every angle, with attackers leveraging stolen data by posting it on the internet to force victims to pay. In most cases (see SolarWinds and XingLocker), Active Directory (AD) is targeted so the attacker can easily distribute the ransomware after obtaining domain privileges. There are, however, ways to help secure Active Directory to prevent ransomware from succeeding. Distinct areas within Active Directory can be secured, which will increase the overall security of the enterprise and reduce the security risk at the same time. Specifically, the following settings around AD objects can be secured.”

Title: Chinese Hackers Believed to Be Behind Second Cyberattack on Air India
Date Published: June 13, 2021

https://thehackernews.com/2021/06/chinese-hackers-believed-to-be-behind.html

Excerpt: “Group-IB’s analysis has now revealed that at least since Feb. 23, an infected device inside Air India’s network (named “SITASERVER4”) communicated with a server hosting Cobalt Strike payloads dating all the way back to Dec. 11, 2020. Following this initial compromise, the attackers are said to have established persistence and obtained passwords in order to pivot laterally to the broader network with the goal of gathering information inside the local network.”

Title: Colonial Pipeline Cyberattack Proves a Single Password Isn’t Enough
Date Published: June 14, 2021

https://www.darkreading.com/omdia/colonial-pipeline-cyberattack-proves-a-single-password-isnt-enough/a/d-id/1341278

Excerpt: “Although Omdia’s ICT Enterprise Insights 2021 survey revealed that 60% of manufacturing companies are planning to increase investment in cybersecurity, which is promising, that still leaves another 40%. This group, although the minority, are maintaining or potentially reducing investment. With high-profile attacks like the Colonial Pipeline highlighting the significant risks, companies must do more to be prepared. Proper security hygiene requires a layered approach, and part of that is updating and maintaining passwords.”

Title: Backdoordiplomacy APT Targets Diplomats From Africa and the Middle East
Date Published: June 13, 2021

https://securityaffairs.co/wordpress/118920/apt/backdoordiplomacy-apt.html

Excerpt: “In one of the attacks spotted by ESET, they observed the threat actors exploit the CVE-2020-5902 F5 BIP-IP vulnerability (CVE-2020-5902) to drop a Linux backdoor. In another attack, the APT group exploited flaws in Microsoft Exchange server to install the China Chopper backdoor. In a third attack, researchers targeted a Plesk server with poorly configured file-upload security to execute another webshell. Once compromised a system, the threat actors leverage open-source tools for scanning the network and make a lateral movement to infect them. The attackers employed a custom backdoor, tracked by ESET as Turian, which is based on the Quarian backdoor, and in some attacks, they used open-source remote access tools to take over the system.”

Title: The An0m Fake Secure Chat App May Have Been Too Clever for Its Own Good
Date Published: June 14, 2021

https://www.theregister.com/2021/06/14/an0m_and_yamamoto/

Excerpt: “So while the most easily-learned and obvious lesson from AN0M was that criminals ought not to trust anyone selling “secure” comms apps, another lesson was that even if an app is cracked it’s possible to mess up the cops by changing the signal-to-noise ratio. The lesson for the rest of us law-abiding Reg readers is that law enforcement authorities around the world are well and truly committed to finding ways through and around encryption, wherever it is used by criminals.”

Title: The OSI Model and You Part 4: Stopping Threats at the OSI Transport Layer
Date Published: June 14, 2021

https://securityintelligence.com/articles/osi-model-stopping-threats-osi-transport-layer/

Excerpt: “Reliability on the OSI transport layer is crucial. There is a lot going on in this layer because all the packets move around. As a side note, we often refer to packets as segments or datagrams on the transport layer, based on protocol used. If this layer does not segment and reassemble the packets correctly, performance may suffer. That means the OSI transport layer needs to be as error-free as possible. This is also why it performs error control as well. If errors are happening here, communication between hosts will get messy.”

Title: Unpatched Bugs Found Lurking in Provisioning Platform Used with Cisco UC
Date Published: June 11, 2021

https://threatpost.com/unpatched-bugs-provisioning-cisco-uc/166882/

Excerpt: “Meanwhile, researchers said that CVE-2021-31582 can allow an attacker who is already authenticated to the device to alter or delete the contents of the local MariaDB database, which is a free and open-source fork of the MySQL relational database management system. In some cases, attackers could recover LDAP BIND credentials in use in the host organization, which are used to authenticate clients (and the users or applications behind them) to a directory server.”