OSN June 17, 2021

Fortify Security Team
Jun 17, 2021

Title: Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

Date Published: June 16, 2021


Excerpt: “The intrusion that is detailed in this post began on May 18, 2021, which occurred days after the publicly reported shutdown of the overall DARKSIDE program (Mandiant Advantage background). While no ransomware was observed here, Mandiant believes that affiliate groups that have conducted DARKSIDE intrusions may use multiple ransomware affiliate programs and can switch between them at will. Sometime in May 2021 or earlier, UNC2465 likely Trojanized two software install packages on a CCTV security camera provider website. Mandiant determined the installers were malicious in early June and notified the CCTV company of a potential website compromise, which may have allowed UNC2465 to replace legitimate downloads with the Trojanized ones.”

Title: New TA402 Molerats Malware Targets Governments in the Middle East

Date Published: June 17, 2021


Excerpt: “TA402 is a Middle Eastern advanced persistent threat (APT) group that often targets entities in Israel and Palestine, in addition to other regions in the Middle East. In campaigns identified throughout 2021, TA402 leveraged Middle Eastern geopolitical themes including ongoing conflict in the Gaza Strip. The custom malware implant identified by Proofpoint enables the threat actor to conduct reconnaissance on the target host and exfiltrate data. TA402 leveraged multiple mechanisms to avoid automated threat analysis including geofencing based on IP addresses, only targeting computers with Arabic language packs installed, and password-protected archive files to distribute malware.”

Title: Cl0P Stopped? Ransomware Gang Loses Tesla and Other Treasures in Police Raid

Date Published: June 16, 2021


Excerpt: “The arrests also represent the second time in weeks that authorities have targeted a cybercrime gang by following the money. In early June, the US Department of Justice announced that it had recovered the majority of the ransom payment made by Colonial Pipeline to its attackers, the cybercriminal group called Darkside. By tracking the ransomware payment through the public Bitcoin ledger, the Department of Justice and the FBI managed to retrieve 63.7 bitcoins.”

Title: Remarks by President Biden in Press Conference

Date Published: June 16, 2021


Excerpt: “‘I talked about the proposition that certain critical infrastructure should be off limits to attack — period — by cyber or any other means. I gave them a list … of 16 specific entities; 16 defined as critical infrastructure under US policy, from the energy sector to our water systems.’ ‘Of course, the principle is one thing. It has to be backed up by practice. Responsible countries need to take action against criminals who conduct ransomware activities on their territory.’”

Title: The Tyler Technology Ransomware Attack Overview

Date Published: June 17, 2021


Excerpt: “The company did not disclose who was behind the attack, but reports circulating online believe that the company was infected with the RansomExx ransomware. RansomEXX is a human-operated ransomware operation, as the attackers manually infect the systems after gaining access to the target network. RansomEXX is the same ransomware that got employed in a cyberattack on the Texas Department of Transportation, and also towards the systems of the IPG Photonics high-performance laser developer.”

Title: Black Kingdom Ransomware

Date Published: June 17, 2021


Excerpt: “The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and compiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and a possibility to recover files encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to recover encrypted files in case they were encrypted with the embedded key.”

Title: Scammers Are Mailing Fake Ledger Devices to Steal Cryptocurrency

Date Published: June 17, 2021


Excerpt: “As advertised on the French manufacturer’s website, the Nano X wallets keep cryptocurrency secure and support over 1,100 coin types. Unlike the Nano S, which was created for people who want to hold onto a small amount of crypto, Nano X is the best choice for active investors with diverse crypto holdings. The suspicious device came in authentic-looking packaging, with a letter explaining that their customer information was leaked online on the RaidForum hacking platform and that the Nano X was sent to replace their existing one to secure their funds.”

Title: Ten-Year Hacktivist Fugitive Commander X Arrested in Mexico

Date Published: June 16, 2021


Excerpt: “The incident happened during the rise of Anonymous, the loose hacking collective in which Doyon played a minor role. Anonymous captured the world’s attention with its antic spirit of mischief, malice, and occasional self-righteousness, and Doyon himself got caught up in the federal response to the group’s actions. Doyon was no ‘hacker’ in any technical sense; he hung out in IRC chat rooms and could use tools like HOIC that had been built by others. What he did have in spades, though, was a grandiose sense of personal and corporate mythology. After Doyon’s arrest and subsequent flight to Canada, he told a Canadian newspaper that Anonymous ‘might well be the most powerful organization on Earth.’”

Title: Open-Source Security: Google Has a New Plan to Stop Software Supply Chain Attacks

Date Published: June 17, 2021


Excerpt: “It reckons the higher SLSA levels would have helped prevent the attack on SolarWinds’ software build system, which was compromised to install an implant that injected a backdoor during each new build. It also argues SLSA would help in the CodeCov attack because ‘provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.’”

Title: Hiccup in Akamai’s DDoS Mitigation Service Triggers Massive String of Outages

Date Published: June 17, 2021


Excerpt: “‘Users reported widespread problems accessing a range of internet properties and online services from the likes of CBA, Westpac, ANZ, UBank, AMP Bank, Macquarie Bank, ME Bank and more,’ according to ITNews reporter Ry Crozier. Mid-day operations of Hong Kong’s stock exchange were also impacted by the technical problems. Virgin Australia also published a statement to its customers attributing an outage it suffered to Akamai’s Prolexic service.”
