OSN June 17, 2021

Fortify Security Team
Jun 17, 2021

Title: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Date Published: June 16, 2021

https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

Excerpt: “The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will. Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website. Mandiant determined the installers were malicious in early June and notified the CCTV company of a potential website compromise, which may have allowed UNC2465 to replace legitimate downloads with the Trojanized ones.”

Title: New TA402 Molerats Malware Targets Governments in the Middle East

Date Published: June 17, 2021

https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east

Excerpt: “TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint enables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware.”

Title: Cl0P Stopped? Ransomware Gang Loses Tesla and Other Treasures in Police Raid

Date Published: June 16, 2021

https://blog.malwarebytes.com/malwarebytes-news/2021/06/clop-stopped-ransomware-gang-loses-tesla-and-other-treasures-in-police-raid/

Excerpt: “The arrests also represent the second time in weeks that authorities have targeted a cybercrime gang by following the money. In early June, the US Department of Justice announced that it had recovered the majority of the ransom payment made by Colonial Pipeline to its attackers, the cybercriminal group called Darkside. By tracking the ransomware payment through the public Bitcoin ledger, the Department of Justice and the FBI managed to retrieve 63.7 bitcoins.”

Title: Remarks by President Biden in Press Conference

Date Published: June 16, 2021

https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4/

Excerpt: “I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems.” “Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.”

Title: The Tyler Technology Ransomware Attack Overview

Date Published: June 17, 2021

https://heimdalsecurity.com/blog/the-tyler-technology-ransomware-attack-overview/

Excerpt: “The company did not disclose who was behind the attack, but reports circulating online believe that the company was infected with the RansomEXX ransomware. RansomEXX is a human-operated ransomware operation, as the attackers manually infect the systems after gaining access to the target network. RansomEXX is the same ransomware that got employed in a cyberattack on the Texas Department of Transportation, and also towards the systems of the IPG Photonics high-performance laser developer.”

Title: Black Kingdom Ransomware

Date Published: June 17, 2021

https://securelist.com/black-kingdom-ransomware/102873/

Excerpt: “The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.”

Title: Scammers Are Mailing Fake Ledger Devices to Steal Cryptocurrency

Date Published: June 17, 2021

https://heimdalsecurity.com/blog/scammers-are-mailing-fake-ledger-devices-to-steal-cryptocurrency/

Excerpt: “As advertised on the French manufacturer’s website, the Nano X wallets keep cryptocurrency secure and support over 1,100 coin types. Unlike the Nano S, which was created for people who want to hold onto a small amount of crypto, Nano X is the best choice for active investors with diverse crypto holdings. The suspicious device came in an authentic-looking packaging, with a letter explaining that their customer information was leaked online on the RaidForum hacking platform and that the Nano X was sent to replace their existing one to secure their funds.”

Title: Ten-Year Hacktivist Fugitive Commander X Arrested in Mexico

Date Published: June 16, 2021

https://arstechnica.com/tech-policy/2021/06/ddos-fugitive-commander-x-arrested-in-mexico-extradited-to-us/

Excerpt: “The incident happened during the rise of Anonymous, the loose hacking collective in which Doyon played a minor role. Anonymous captured the world’s attention with its antic spirit of mischief, malice, and occasional self-righteousness, and Doyon himself got caught up in the federal response to the group’s actions. Doyon was no “hacker” in any technical sense; he hung out in IRC chat rooms and could use tools like HOIC that had been built by others. What he did have in spades, though, was a grandiose sense of personal and corporate mythology. After Doyon’s arrest and subsequent flight to Canada, he told a Canadian newspaper that Anonymous “might well be the most powerful organization on Earth”.”

Title: Open-Source Security: Google Has a New Plan to Stop Software Supply Chain Attacks

Date Published: June 17, 2021

https://www.zdnet.com/article/open-source-security-google-has-a-new-plan-to-stop-software-supply-chain-attacks/

Excerpt: “It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would help in the CodeCov attack because “provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo”.”

Title: Hiccup in Akamai’s DDoS Mitigation Service Triggers Massive String of Outages

Date Published: June 17, 2021

https://threatpost.com/hiccup-akamais-ddos-outages/167004/

Excerpt: ““Users reported widespread problems accessing a range of internet properties and online services from the likes of CBA, Westpac, ANZ, UBank, AMP Bank, Macquarie Bank, ME Bank and more,” according to ITNews reporter Ry Crozier. Mid-day operations of Hong Kong’s stock exchange were also impacted by the technical problems. Virgin Australia also published a statement to its customers attributing an outage it suffered to Akamai’s Prolexic service.”
