OSN June 17, 2021

Fortify Security Team
Jun 17, 2021

Title: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Date Published: June 16, 2021


Excerpt: “The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will. Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website. Mandiant determined the installers were malicious in early June and notified the CCTV company of a potential website compromise, which may have allowed UNC2465 to replace legitimate downloads with the Trojanized ones.”

Title: New TA402 Molerats Malware Targets Governments in the Middle East

Date Published: June 17, 2021


Excerpt: “TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint enables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware.”

Title: Cl0P Stopped? Ransomware Gang Loses Tesla and Other Treasures in Police Raid

Date Published: June 16, 2021


Excerpt: “The arrests also represent the second time in weeks that authorities have targeted a cybercrime gang by following the money. In early June, the US Department of Justice announced that it had recovered the majority of the ransom payment made by Colonial Pipeline to its attackers, the cybercriminal group called Darkside. By tracking the ransomware payment through the public Bitcoin ledger, the Department of Justice and the FBI managed to retrieve 63.7 bitcoins.”

Title: Remarks by President Biden in Press Conference

Date Published: June 16, 2021


Excerpt: “I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems.” “Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory”.”

Title: The Tyler Technology Ransomware Attack Overview

Date Published: June 17, 2021


Excerpt: “The company did not disclose who was behind the attack but, reports circulating online believe that the company was infected with the RansomExx ransomware. RansomEXX is a human-operated ransomware operation as the attackers manually infect the systems after gaining access to the target network. RansomEXX is the same ransomware that got employed in a cyberattack on the Texas Department of Transportation, and also towards the systems of the IPG Photonics high-performance laser developer.”

Title: Black Kingdom Ransomware

Date Published: June 17, 2021


Excerpt: “The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.”

Title: Scammers Are Mailing Fake Ledger Devices to Steal Cryptocurrency

Date Published: June 17, 2021


Excerpt: “As advertised on the French manufacturer’s website, the Nano X wallets keep cryptocurrency secure and support over 1,100 coin types. Unlike the Nano S, which was created for people who want to hold onto a small amount of crypto, Nano X is the best choice for active investors with diverse crypto holdings. The suspicious device came in an authentic-looking packaging, with a letter explaining that their customer information was leaked online on the RaidForum hacking platform and that the Nano X was sent to replace their existing one to secure their funds.”

Title: Ten-Year Hactivist Fugitive Commander X Arrested in Mexico

Date Published: June 16, 2021


Excerpt: “The incident happened during the rise of Anonymous, the loose hacking collective in which Doyon played a minor role. Anonymous captured the world’s attention with its antic spirit of mischief, malice, and occasional self-righteousness, and Doyon himself got caught up in the federal response to the group’s actions. Doyon was no “hacker” in any technical sense; he hung out in IRC chat rooms and could use tools like HOIC that had been built by others. What he did have in spades, though, was a grandiose sense of personal and corporate mythology. After Doyon’s arrest and subsequent flight to Canada, he told a Canadian newspaper that Anonymous “might well be the most powerful organization on Earth”.”

Title: Open-Source Security: Google Has a New Plan to Stop Software Supply Chain Attacks

Date Published: June 17, 2021


Excerpt: “It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would help in the CodeCov attack because “provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.”

Title: Hiccup in Akamai’s DDoS Mitigation Service Triggers Massive String of Outages

Date Published: June 17, 2021


Excerpt: “Users reported widespread problems accessing a range of internet properties and online services from the likes of CBA, Westpac, ANZ, UBank, AMP Bank, Macquarie Bank, ME Bank and more,” according to ITNews reporter Ry Crozier. Mid-day operations of Hong Kong’s stock exchange were also impacted by the technical problems. Virgin Australia also published a statement to its customers attributing an outage it suffered to Akamai’s Prolexic service.”

Recent Posts

September 16, 2022

Title: Uber hacked, internal systems breached and vulnerability reports stolen Date Published: September 16, 2022 https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ Excerpt: “Uber suffered a...

September 15, 2022

Title: Webworm hackers modify old malware in new attacks to evade attribution Date Published: September 15, 2022 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/ Excerpt: “The Chinese 'Webworm'...

September 14, 2022

Title: Chinese hackers create Linux version of the SideWalk Windows malware Date Published: September 14, 2022 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/ Excerpt: “State-backed Chinese hackers...

September 13, 2022

Title: Cyberspies drop new infostealer malware on govt networks in Asia Date Published: September 13, 2022 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/ Excerpt: “Security researchers have identified...

September 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data Date Published: September 12, 2022 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/ Excerpt: “Cisco has confirmed that the data leaked...

September 9, 2022

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/ Excerpt: “A new version of the...

September 8, 2022

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/ Excerpt: “The North Korean APT group 'Lazarus' (APT38)...