OSN June 4, 2021

Fortify Security Team
Jun 4, 2021

Title: Meat Giant JBS Now Fully Operational After Ransomware Attack

Date Published: June 4, 2021


Excerpt: “JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident, and the restoration of systems critical to production was prioritized to reduce the impact on the food supply chain, producers, and consumers. It also received strong support from the US, Australian and Canadian governments, with the FBI and CISA offering their technical support to JBS in recovering from the ransomware attack. “The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery,” JBS USA said in a press release on Thursday.”

Title: Fujifilm Confirms Ransomware Attack Disrupted Business Operations

Date Published: June 4, 2021


Excerpt: “While it has not been disclosed what ransomware gang was behind the attack, it is believed to be the REvil ransomware operation. Fujifilm had recently been infected by the Qbot trojan, which is currently partnering with the REvil ransomware operation to provide remote access to compromised networks. Using the remote access provided by the trojan, the REvil ransomware gang will infiltrate a network and spread slowly to other devices while stealing unencrypted data. Once they gain access to a Windows domain administrator account and have harvested any data of value, they deploy the ransomware throughout the system to encrypt devices.”

Title: REvil Ransomware Gang Spill Details on US Attacks

Date Published: June 4, 2021


Excerpt: “Key claims made by the REvil gang on the Russian OSINT channel included: The recent attack, impacting JBS Foods, was originally directed at a Brazilian entity. REvil doesn’t understand why the U.S. has intervened in this case. The gang member said current U.S. legislation, if passed, that would restrict ransomware victims from paying a ransom, would not be a deterrent for future attacks. The group is not afraid of being considered terrorists. The group originally restricted U.S. targets in cyberattacks. In the interview the anonymous REvil gang member said that in light of U.S. actions and posturing to retaliate for the JBS Foods attack, the group will now lift the restriction on attacking U.S. targets.”

Title: Hackers Use Colonial Pipeline Ransomware News for Phishing Attack

Date Published: June 4, 2021


Excerpt: “The malicious links take users to websites with convincing names — ms-sysupdate[.]com and selectivepatch[.]com — both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post. The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file onto the user’s computer called “Ransomware_Update.exe.”

Title: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

Date Published: June 4, 2021


Excerpt: “TeamTNT operations are now using compromised AWS credentials to enumerate AWS cloud environments, via the AWS platform’s API. These actions attempt to identify all Identity and Access Management (IAM) permissions, Elastic Compute Cloud (EC2) instances, Simple Storage Service (S3) buckets, CloudTrail configurations and CloudFormation operations granted to the compromised AWS credential. TeamTNT operations are now also targeting the credentials of 16 additional applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance, if installed.”

Title: Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide

Date Published: June 3, 2021


Excerpt: “To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations. The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser.”

Title: Dark Web Price Index 2021

Date Published: June 1, 2021


Excerpt: “With the massive influx of supply, buyers seem to be gravitating towards bigger, “trustworthy” sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of “buy 2 cloned credit cards and get 1 for free!!” for example. In an effort to mitigate detection and tracking by law enforcement, the Dark Web is moving towards increased security on all ends. The markets have abandoned Bitcoin (BTC) as it is not secure, and vendors are demanding buyers to use Monero as payment and communicate only through PGP encryption.”

Title: DNS Attacks on the Rise, Costing $1 Million Each

Date Published: June 4, 2021


Excerpt: “The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%). Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers. These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.”

Title: Zero-day in Popular WordPress Plugin Exploited to Take Over Website

Date Published: June 3, 2021


Excerpt: “Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information. Thich could spell problems for website operators since it puts them at risk of violating PCI-DSS (Payment Card Industry Data Security Standard) compliance rules.”

Title: Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Date Published: June 3, 2021


Excerpt: “FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again. The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021. It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...