OSN June 4, 2021

Fortify Security Team
Jun 4, 2021

Title: Meat Giant JBS Now Fully Operational After Ransomware Attack

Date Published: June 4, 2021


Excerpt: “JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident, and the restoration of systems critical to production was prioritized to reduce the impact on the food supply chain, producers, and consumers. It also received strong support from the US, Australian and Canadian governments, with the FBI and CISA offering their technical support to JBS in recovering from the ransomware attack. “The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery,” JBS USA said in a press release on Thursday.”

Title: Fujifilm Confirms Ransomware Attack Disrupted Business Operations

Date Published: June 4, 2021


Excerpt: “While it has not been disclosed what ransomware gang was behind the attack, it is believed to be the REvil ransomware operation. Fujifilm had recently been infected by the Qbot trojan, which is currently partnering with the REvil ransomware operation to provide remote access to compromised networks. Using the remote access provided by the trojan, the REvil ransomware gang will infiltrate a network and spread slowly to other devices while stealing unencrypted data. Once they gain access to a Windows domain administrator account and have harvested any data of value, they deploy the ransomware throughout the system to encrypt devices.”

Title: REvil Ransomware Gang Spill Details on US Attacks

Date Published: June 4, 2021


Excerpt: “Key claims made by the REvil gang on the Russian OSINT channel included: The recent attack, impacting JBS Foods, was originally directed at a Brazilian entity. REvil doesn’t understand why the U.S. has intervened in this case. The gang member said current U.S. legislation, if passed, that would restrict ransomware victims from paying a ransom, would not be a deterrent for future attacks. The group is not afraid of being considered terrorists. The group originally restricted U.S. targets in cyberattacks. In the interview the anonymous REvil gang member said that in light of U.S. actions and posturing to retaliate for the JBS Foods attack, the group will now lift the restriction on attacking U.S. targets.”

Title: Hackers Use Colonial Pipeline Ransomware News for Phishing Attack

Date Published: June 4, 2021


Excerpt: “The malicious links take users to websites with convincing names — ms-sysupdate[.]com and selectivepatch[.]com — both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post. The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file onto the user’s computer called “Ransomware_Update.exe.”

Title: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

Date Published: June 4, 2021


Excerpt: “TeamTNT operations are now using compromised AWS credentials to enumerate AWS cloud environments, via the AWS platform’s API. These actions attempt to identify all Identity and Access Management (IAM) permissions, Elastic Compute Cloud (EC2) instances, Simple Storage Service (S3) buckets, CloudTrail configurations and CloudFormation operations granted to the compromised AWS credential. TeamTNT operations are now also targeting the credentials of 16 additional applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance, if installed.”

Title: Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide

Date Published: June 3, 2021


Excerpt: “To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations. The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser.”

Title: Dark Web Price Index 2021

Date Published: June 1, 2021


Excerpt: “With the massive influx of supply, buyers seem to be gravitating towards bigger, “trustworthy” sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of “buy 2 cloned credit cards and get 1 for free!!” for example. In an effort to mitigate detection and tracking by law enforcement, the Dark Web is moving towards increased security on all ends. The markets have abandoned Bitcoin (BTC) as it is not secure, and vendors are demanding buyers to use Monero as payment and communicate only through PGP encryption.”

Title: DNS Attacks on the Rise, Costing $1 Million Each

Date Published: June 4, 2021


Excerpt: “The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%). Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers. These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.”

Title: Zero-day in Popular WordPress Plugin Exploited to Take Over Website

Date Published: June 3, 2021


Excerpt: “Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information. Thich could spell problems for website operators since it puts them at risk of violating PCI-DSS (Payment Card Industry Data Security Standard) compliance rules.”

Title: Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Date Published: June 3, 2021


Excerpt: “FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again. The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021. It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...