OSN June 2, 2021

by | Jun 2, 2021 | Open Source News

Title: Internet Domains Used by APT29 in Phishing Attacks Seized by the U.S.
Date Published: June 2, 2021

https://heimdalsecurity.com/blog/internet-domains-used-by-apt29-in-phishing-attacks-seized-by-the-us/

Excerpt: “The domains seized are theyardservice[.]com and worldhomeoutlet[.]com. The domains were used to receive the data that was exfiltrated from victims of the targeted phishing attacks and to send further commands malware in an attempt to execute on infected machines. Microsoft has disclosed the attacks recently and declared they were conducted by a Russian state-affiliated hacking group known as NOBELIUM (APT29, Cozy Bear, and The Dukes), with the group supposedly being affiliated with the Russian Foreign Intelligence Service (SVR).”

Title: U.S. Schools Land IBM Grants to Protect Themselves Against Ransomware
Date Published: June 2, 2021

https://www.zdnet.com/article/us-schools-land-ibm-grants-to-protect-themselves-against-ransomware/

Excerpt: “The grants, worth $500,000 each, have been awarded to school districts in Florida (Brevard Public Schools), New York (Poughkeepsie City School District), Georgia (KIPP Metro Atlanta Schools), Texas (Sheldon Independent School District), California (Newhall School District), and Colorado (Denver Public Schools). IBM says that applicants were judged on their “cybersecurity needs and experiences, community resources and potential risks”.

Title: Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites
Date Published: June 2, 2021

https://thehackernews.com/2021/06/hackers-actively-exploiting-0-day-in.html

Excerpt: “Armed with this capability, an attacker can achieve remote code execution on an affected website, allowing full site takeover, the researchers noted. Wordfence has not shared the technical specifics of the vulnerability as it’s under active attack. Wordfence said that the critical zero-day could be exploited in select configurations even if the plugin has been deactivated, urging users to completely uninstall Fancy Product Designer until a patched version becomes available.”

Title: China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware
Date Published: June 1, 2021

https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5

Excerpt: “This successful, sophisticated attack targeted CI on a national scale, denied service across the country, interrupted the daily life of the common citizen, and brought brief but significant economic turmoil. On May 15, (ten days after the CPC incident), the Investigation Bureau of the Ministry of Justice (MJIB) released an investigation report stating that the CPC was one of more than ten victims in this sophisticated and organized ColdLock ransomware attack. The unnamed ten included other organizations in Taiwan’s critical infrastructure, even a large multinational semiconductor vendor.”

Title: Visualizing U.S. Petroleum Pipeline Networks
Date Published: June 2, 2021

https://towardsdatascience.com/visualizing-u-s-petroleum-pipeline-networks-f46833e08dad

Excerpt: “There is much we can learn through multidimensional data sources and connecting the dots during disasters, so that in the future, we are more prepared as a society. In the case of the Colonial pipeline cyber-attack: pipeline networks, petroleum refinery and storage locations, transport supply chains, and the locations of gas stations with shortages can help understand the chain of events. This understanding will make us better prepared for future cyber-attacks.”

Title: Exploit Broker Zerodium Is Looking for Pidgin 0day Exploits
Date Published: June 2, 2021

https://securityaffairs.co/wordpress/118500/breaking-news/zerodium-pidgin-0day.html

Excerpt: “Because Pidgin is used by cybercriminal organizations and terrorist groups, some of them developed specific plugins to add additional protection to the communications. Today the Pidgin client is mainly used to exchange messages via the XMPP (Jabber) protocol. Pidgin also supports plugins that implement Off-the-Record Messaging over any IM network Pidgin supports. Researchers from Trend Micro reported the existence of Asrar al-Dardashah, a plugin released in 2013 that was developed for Pidgin to add encryption to the instant messaging functions, securing instant messaging with the press of a single button.”

Title: Researchers Uncover Hacking Operations Targeting Government Entities in South Korea
Date Published: June 2, 2021

https://thehackernews.com/2021/06/researchers-uncover-hacking-operations.html

Excerpt: “Kimsuky’s attack infrastructure consists of various phishing websites that mimic well known websites such as Gmail, Microsoft Outlook, and Telegram with an aim to trick victims into entering their credentials. “This is one of the main methods used by this actor to collect email addresses that later will be used to send spear-phishing emails.” In using social engineering as a core component of its operations, the goal is to distribute a malware dropper that takes the form of a ZIP archive file attached to the emails, which ultimately leads to the deployment of an encoded DLL payload called AppleSeed, a backdoor that’s been put to use by Kimusky as early as 2019.”

Title: Cyber-Insurance Fuels Ransomware Payment Surge
Date Published: June 2, 2021

https://www.bankinfosecurity.com/white-house-puts-russia-on-notice-over-jbs-ransomware-hit-a-16783

Excerpt: “The sub-limits have become more common as cyber-insurance has drawn concern from security experts about how it will change the overall security landscape. For instance, many argue that falling back on cyber-insurance policies during a ransomware attack could dissuade companies from adopting the security measures that could prevent such an attack in the first place. From a broad perspective, building in ransomware payments to insurance policies will only promote the use of ransomware further and simultaneously disincentivize organizations from taking the proper steps to avoid ransomware fallout.”

Title: White House Puts Russia on Notice Over JBS Ransomware Hit
Date Published: June 1, 2021

https://securityaffairs.co/wordpress/118446/cyber-crime/prometheus-grief-ransomware.html

Excerpt: “The White House says the U.S. Department of Agriculture is contacting other meat suppliers to ensure they’re aware of the JBS incident and taking steps to defend themselves against similar attacks. Agriculture operations and food processing facilities are designated by CISA as being critical infrastructure. But food plants – similar to manufacturing plants – have often proven to be soft targets for ransomware distributors, says Allan Liska, who is part of cybersecurity firm Recorded Future’s computer security incident response team.”

Title: Scripps Begins Notifying More Than 147,000 People of Ransomware Records Breach
Date Published: June 1, 2021

https://www.sandiegouniontribune.com/news/health/story/2021-06-01/scripps-begins-notifying-more-than-147-000-people-of-ransomware-records-breach

Excerpt: “Fallout from the incursion took nearly a full month to resolve, forcing medical professionals at all levels of care, from medical offices to hospitals, to document their work on paper charts. Access to important information, such as previous test results, was unavailable for weeks, and Scripps facilities did not begin regaining the ability to create new digital records until late last week when the organization’s MyScripps patient portal also returned to service.”