OSN June 17, 2021

Fortify Security Team
Jun 17, 2021

Title: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Date Published: June 16, 2021


Excerpt: “The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will. Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website. Mandiant determined the installers were malicious in early June and notified the CCTV company of a potential website compromise, which may have allowed UNC2465 to replace legitimate downloads with the Trojanized ones.”

Title: New TA402 Molerats Malware Targets Governments in the Middle East

Date Published: June 17, 2021


Excerpt: “TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint enables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware.”

Title: Cl0P Stopped? Ransomware Gang Loses Tesla and Other Treasures in Police Raid

Date Published: June 16, 2021


Excerpt: “The arrests also represent the second time in weeks that authorities have targeted a cybercrime gang by following the money. In early June, the US Department of Justice announced that it had recovered the majority of the ransom payment made by Colonial Pipeline to its attackers, the cybercriminal group called Darkside. By tracking the ransomware payment through the public Bitcoin ledger, the Department of Justice and the FBI managed to retrieve 63.7 bitcoins.”

Title: Remarks by President Biden in Press Conference

Date Published: June 16, 2021


Excerpt: “I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems.” “Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”

Title: The Tyler Technology Ransomware Attack Overview

Date Published: June 17, 2021


Excerpt: “The company did not disclose who was behind the attack, but reports circulating online believe that the company was infected with the RansomEXX ransomware. RansomEXX is a human-operated ransomware operation, as the attackers manually infect the systems after gaining access to the target network. RansomEXX is the same ransomware that got employed in a cyberattack on the Texas Department of Transportation, and also towards the systems of the IPG Photonics high-performance laser developer.”

Title: Black Kingdom Ransomware

Date Published: June 17, 2021


Excerpt: “The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.”
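The hardcoded-key weakness the excerpt describes, modelled in Python as an added illustration. This is not Black Kingdom's code and not the public recovery script; the embedded key value, the toy HMAC-SHA256 counter-mode cipher, the nonce/tag file layout and the function names are all assumptions chosen to make the point runnable: a file encrypted under the embedded mode can be recovered by anyone who extracts the key from the PyInstaller bundle, while a file encrypted under a per-run random key that the victim never receives cannot.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Assumption: a stand-in for the key an analyst would pull out of the
# PyInstaller bundle. Made-up value, not the real malware's key.
EMBEDDED_KEY = b"hypothetical-embedded-key"
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher for the demo only."""
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + struct.pack(">Q", counter)
        blocks.append(hmac.new(key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Toy file layout (assumed): nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext only if `key` authenticates the blob, else None.
    The tag check is what lets a decryptor tell a right key from a wrong one
    instead of emitting garbage."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(key, nonce, len(body)))


def ransom_encrypt(plaintext: bytes, mode: str) -> bytes:
    """The two modes the excerpt describes, modelled. 'embedded' uses the key
    baked into the program; 'dynamic' draws a fresh random key that the victim
    never sees (real malware would send it to the operator; here it is simply
    dropped, which is what the victim's situation amounts to)."""
    if mode == "embedded":
        return encrypt(plaintext, EMBEDDED_KEY)
    if mode == "dynamic":
        return encrypt(plaintext, os.urandom(32))
    raise ValueError(f"unknown mode: {mode}")


def try_recover(blob: bytes, embedded_key: bytes = EMBEDDED_KEY) -> Optional[bytes]:
    """What a public recovery tool can do: try the extracted key and accept the
    output only if it authenticates. Dynamic-mode files come back as None."""
    return decrypt(blob, embedded_key)


if __name__ == "__main__":
    sample = b"constructed sample document contents"  # constructed input
    print(try_recover(ransom_encrypt(sample, "embedded")))  # recovered
    print(try_recover(ransom_encrypt(sample, "dynamic")))   # None
```

The practical check is the authenticated decrypt: a decryptor that simply XORs with the candidate key will happily produce garbage for dynamic-mode files, so a recovery tool needs some integrity signal (here the tag; in real decryptors usually a known file-header check) before overwriting the encrypted copy.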

Title: Scammers Are Mailing Fake Ledger Devices to Steal Cryptocurrency

Date Published: June 17, 2021


Excerpt: “As advertised on the French manufacturer’s website, the Nano X wallets keep cryptocurrency secure and support over 1,100 coin types. Unlike the Nano S, which was created for people who want to hold onto a small amount of crypto, Nano X is the best choice for active investors with diverse crypto holdings. The suspicious device came in an authentic-looking packaging, with a letter explaining that their customer information was leaked online on the RaidForum hacking platform and that the Nano X was sent to replace their existing one to secure their funds.”

Title: Ten-Year Hacktivist Fugitive Commander X Arrested in Mexico

Date Published: June 16, 2021


Excerpt: “The incident happened during the rise of Anonymous, the loose hacking collective in which Doyon played a minor role. Anonymous captured the world’s attention with its antic spirit of mischief, malice, and occasional self-righteousness, and Doyon himself got caught up in the federal response to the group’s actions. Doyon was no “hacker” in any technical sense; he hung out in IRC chat rooms and could use tools like HOIC that had been built by others. What he did have in spades, though, was a grandiose sense of personal and corporate mythology. After Doyon’s arrest and subsequent flight to Canada, he told a Canadian newspaper that Anonymous “might well be the most powerful organization on Earth”.”

Title: Open-Source Security: Google Has a New Plan to Stop Software Supply Chain Attacks

Date Published: June 17, 2021


Excerpt: “It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would help in the CodeCov attack because “provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo”.”

Title: Hiccup in Akamai’s DDoS Mitigation Service Triggers Massive String of Outages

Date Published: June 17, 2021


Excerpt: “‘Users reported widespread problems accessing a range of internet properties and online services from the likes of CBA, Westpac, ANZ, UBank, AMP Bank, Macquarie Bank, ME Bank and more,’ according to ITNews reporter Ry Crozier. Mid-day operations of Hong Kong’s stock exchange were also impacted by the technical problems. Virgin Australia also published a statement to its customers attributing an outage it suffered to Akamai’s Prolexic service.”
