OSN June 16, 2021

Fortify Security Team
Jun 16, 2021

Title: Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Date Published: June 16, 2021

https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/

Excerpt: “Recorded Future’s Insikt Group has identified ties between a suspected Chinese state-sponsored threat activity group we track as RedFoxtrot and the Chinese military intelligence apparatus, specifically People’s Liberation Army (PLA) Unit 69010 located in Ürümqi, Xinjiang. This activity offers a glimpse into PLA operations following a major organizational restructure beginning in 2015 and follows a period where public reporting has largely concentrated on groups affiliated with China’s Ministry of State Security (MSS).”

Title: Ferocious Kitten: 6 Years of Covert Surveillance in Iran
Date Published: June 16, 2021

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Excerpt: “Additionally, such groups are known to target various platforms (most notably Windows and Android) and often share TTPs, as indicated in this report. The latter in particular may suggest that the underlying actors may be interconnected, sharing developers or operating under a mutual supervisor. While not technically impressive, it’s interesting that the actor created specialized variants to be launched alongside popular programs, namely Chrome and Telegram.”

Title: AT&T Report: Malware Hosting Domain Cyberium Fanning out Mirai Variants
Date Published: June 14, 2021

https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants

Excerpt: “During the end of March, AT&T Alien Labs observed a spike in exploitation attempts for Tenda Remote Code Execution (RCE) vulnerability CVE-2020-10987. This spike was observed throughout a significant number of clients, in the space of a few hours. This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November. This exploit can be identified by the URL that is requested, which includes ‘setUsbUnload’ with the payload assigned to the vulnerable parameter ‘deviceName’. This payload contains the logic to change the execution path to a temporary location, wget a file from a malware hosting page, provide execution permissions, and execute it.”

Title: Avaddon Ransomware Gang Evaporates Amid Global Crackdowns  
Date Published: June 16, 2021

https://threatpost.com/avaddon-ransomware-global-crackdowns/166968/

Excerpt: “Avaddon was believed to be operating within the Commonwealth of Independent States (former Soviet-bloc countries), meaning the group’s shutdown just happens to coincide with President Biden’s summit with Russian President Vladimir Putin, where officials said ransomware and cybersecurity will be discussed. Avaddon launched one of these punitive DDoS attacks against Australian-based telecom provider Schepisi Communication when it refused to pay up.”

Title: Ukraine Arrests Clop Ransomware Gang Members, Seizes Servers
Date Published: June 16, 2021

https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/

Excerpt: “According to the Cyberpolice Department of the National Police of Ukraine the ransomware group is behind total financial damages of roughly $500 million. Based on Ukrainian police’s press release, it is not yet clear if the arrested individuals are affiliates or core members of the ransomware operation. Based on Ukrainian police’s press release, it is not yet clear if the arrested individuals are affiliates or core members of the ransomware operation. Clop’s Tor payment site and data leak site are still operational, so it looks like the Clop ransomware operation has not been completely shut down at this time.”

Title: Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping
Date Published: June 16, 2021

https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html

Excerpt: “Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds,” CISA said in the alert. ThroughTek’s point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.”

Title: Volkswagen, Audi Notify 3.3 Million of Data Breach
Date Published: June 15, 2021

https://www.bankinfosecurity.com/volkswagen-audi-notify-33-million-data-breach-a-16875

Excerpt: “More sensitive data, however, was leaked for 90,000 individuals in the United States. Volkswagen says the driver’s license numbers for most of those people were leaked. A smaller number within that group may have also had their birth dates, Social Security or social insurance numbers, account or loan numbers and tax identification numbers leaked, Volkswagen says. Affected individuals are being notified by either email or postal mail. Free credit protection services are being offered for anyone whose driver’s license number or other more sensitive data was exposed.”

Title: The First Step: Initial Access Leads to Ransomware
Date Published: June 16, 2021

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

Excerpt: “TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Proofpoint assesses with high confidence TA577 is associated with a March 2021 Sodinokibi ransomware infection. TA577 initially compromised the victim via emails containing malicious Microsoft Office attachments, which, when macros are enabled, download and run IcedID. Activity observed by this actor increased 225% in the last six months.”

Title: Football Fever Puts Password Security at Risk
Date Published: June 16, 2021

infosecurity-magazine.com/news/football-fever-password-security/  

Excerpt: “It claimed that of the one billion passwords in the trove, over 1.1 million are linked to the beautiful game. These are led by the password “football” (353,993), followed by “Liverpool” (215,842), “Chelsea” (172,727), “Arsenal” (151,936) and “Barcelona” (131,090). The problem for these users is two-fold: not only are such credentials relatively easy to guess or crack, but if they’re reused across multiple accounts, including corporate ones, it could expose them to credential stuffing.”

Title: Will “Data Poisoning” Be a Particularly Dangerous Type of Computer-Made Misinformation?
Date Published: June 16, 2021

https://medium.com/deepnews-ai/will-data-poisoning-be-a-particularly-dangerous-type-of-computer-made-misinformation-50a1fb7a7993

Excerpt: “It turns out that current methods of generating fake news with a machine, even using a model that pre-dates recent advances like GPT-3, Google’s LaMDA or Wu Dao in China, are good enough to fool cybersecurity analysts who had worked in the field for years. They were able to identify only around 21% of the fake reports as fake, worse than chance. The researchers said that this batch of correctly identified fake reports also happened to be the ones that had more “linguistic deficiencies” than the ones that analysts thought were true.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...