OSN June 15, 2021

Fortify Security Team
Jun 15, 2021

Title: Hades Ransomware Operators Use Distinctive Tactics and Infrastructure

Date Published: June 15, 2021

https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure

Excerpt: “Hades’ absence on underground forums and marketplaces suggests that it is operated as private ransomware rather than ransomware as a service (RaaS). GOLD WINTER “names and shames” victims after stealing their data but does not use a centralized leak site to expose the exfiltrated data. Instead, Tor-based Hades websites appear to be customized for each victim (see Figure 1). Each website includes a victim-specific Tox chat ID for communications (see Figure 1). Using Tox instant messaging for communications is a novel technique that CTU researchers have not observed with other ransomware families.”

Title: Andariel Evolves to Target South Korea With Ransomware

Date Published: June 15, 2021

https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

Excerpt: “Our attribution is based on the code overlaps between the second stage payload in this campaign and previous malware from the Andariel group. Apart from the code similarity, we found an additional connection with the Andariel group. Each threat actor has characteristics when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.”

Title: Largest U.S. Propane Distributor Discloses ‘8-Second’ Data Breach

Date Published: June 15, 2021

https://www.bleepingcomputer.com/news/security/largest-us-propane-distributor-discloses-8-second-data-breach/

Excerpt: “During the 8-second breach, the bad actor had access to an internal email with spreadsheet attachments containing 123 AmeriGas employees’ information, including Lab IDs, social security numbers, driver’s license numbers, and dates of birth. This incident marks the second data breach incident concerning AmeriGas this year. In March 2021, AmeriGas had disclosed an attempted data breach, in which a company customer service agent was fired for potentially misusing customer credit card information.”

Title: Critical Entities Targeted in Suspected Chinese Cyber Spying

Date Published: June 15, 2021

https://apnews.com/article/government-and-politics-hacking-technology-business-7350235e07d46ba5afc1238b553ea4b9

Excerpt: “Mandiant said it found signs of data extraction from some of the targets. The company and BAE have identified targets of the hacking campaign in several fields, including financial, technology and defense firms, as well as municipal governments. Some targets were in Europe, but most in the U.S. At least one major local government has disputed it was a target of the Pulse Secure hack. Montgomery County, Maryland, said it was advised by CISA that its Pulse Secure devices were attacked. But county spokesman Scott Peterson said the county found no evidence of a compromise and told CISA they had a “false report”.”

Title: Nato Summit Communiqué Compares Repeat Cyberattacks to Armed Attacks – and Stops Short of Saying ‘One-In, All-In’ Rule Will Always Apply

Date Published: June 15, 2021

https://threatpost.com/revil-hits-us-nuclear-weapons-contractor-sol-oriens/166858/

Excerpt: “The document treats both Russia and China as threats. Russia earns 63 mentions and is labelled as “aggressive.” China is mentioned ten times, and its behaviour is described as “assertive” and “presenting systemic challenges.” The document vows to engage China to defend Alliance security interests, referring specifically to China’s cyberattacks, disinformation campaigns and actions in the space domain, among others.”

Title: When Security Gets Physical: Mossad Boss Hints at Less-Than-Subtle Stuxnet Followup

Date Published: June 15, 2021

https://www.theregister.com/2021/06/15/in_brief_security/

Excerpt: “This kinetic approach is a far cry from a decade or more ago, when a combined US and Israeli operation covertly installed the Stuxnet malware on the air-gapped computer systems used to control some of Iran’s centrifuges. The sophisticated malware surreptitiously interfered with the centrifuge speed to derail Iran’s uranium fuel enrichment process.”

Title: Microsoft Gets Second Shot at Banning hiQ from Scraping LinkedIn User Data

Date Published: June 15, 2021

https://threatpost.com/court-linkedin-data-scraping/166927/

Excerpt: “Though it appears that giving LinkedIn another chance to argue its case could be a reversal of opinion about the scope of the CFAA, it could actually be a case of the court making a difference between the act of one single person versus the power of bots that companies like hiQ Labs use to scrape data at a much higher volume than any humans can do, said one expert.”

Title: Research Identifies the Clear Benefits of Strong Observability

Date Published: June 15, 2021

https://www.splunk.com/en_us/blog/devops/research-identifies-the-clear-benefits-of-strong-observability.html

Excerpt: “Clearly, adoption of observability strategies has real, tangible benefits. Faster root cause analysis leads to shorter downtime and better performance. Meeting performance commitments enables development to accelerate, knowing that the application will remain performant and operational. Additional products and revenue streams speak for themselves — being able to launch additional products with confidence is key to ensuring survival in today’s dynamic and competitive market.”

Title: Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire

Date Published: June 15, 2021

https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire

Excerpt: “Upon attempting to download the alleged document template, users are redirected, unknowingly, to a malicious website where the RAT malware is hosted. eSentire’s Threat Response Unit (TRU) discovered over 100,000 unique web pages that contain popular business terms/particular keywords: template, invoice, receipt, questionnaire, and resume. In a precursory search, 70,000 unique web pages included the mention of either template or invoice. These common business terms serve as keywords for the threat actors’ search optimization strategy, convincing Google’s web crawler that the intended content meets conditions for a high PageRank score.”

Title: Apple Hurries Patches for Safari Bugs Under Active Attack

Date Published: June 15, 2021

https://threatpost.com/apple-patch-safari-active-attack/166922/

Excerpt: “Apple issued two out-of-band security fixes for its Safari web browser, fixing zero-day vulnerabilities that “may have been actively exploited,” according to a Monday security bulletin by the company. The bugs affect sixth-generation Apple iPhones, iPads and iPod touch model hardware, released between 2013 and 2018. “Apple is aware of a report that this issue may have been actively exploited,” the company wrote. Technical details of the two bugs, Apple said, will not be released, “until an investigation has occurred and patches or releases are available”.”
