OSN June 4, 2021

Fortify Security Team
Jun 4, 2021

Title: Meat Giant JBS Now Fully Operational After Ransomware Attack

Date Published: June 4, 2021

https://www.bleepingcomputer.com/news/security/meat-giant-jbs-now-fully-operational-after-ransomware-attack/

Excerpt: “JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident, and the restoration of systems critical to production was prioritized to reduce the impact on the food supply chain, producers, and consumers. It also received strong support from the US, Australian and Canadian governments, with the FBI and CISA offering their technical support to JBS in recovering from the ransomware attack. “The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery,” JBS USA said in a press release on Thursday.”

Title: Fujifilm Confirms Ransomware Attack Disrupted Business Operations

Date Published: June 4, 2021

https://www.bleepingcomputer.com/news/security/fujifilm-confirms-ransomware-attack-disrupted-business-operations/

Excerpt: “While it has not been disclosed what ransomware gang was behind the attack, it is believed to be the REvil ransomware operation. Fujifilm had recently been infected by the Qbot trojan, which is currently partnering with the REvil ransomware operation to provide remote access to compromised networks. Using the remote access provided by the trojan, the REvil ransomware gang will infiltrate a network and spread slowly to other devices while stealing unencrypted data. Once they gain access to a Windows domain administrator account and have harvested any data of value, they deploy the ransomware throughout the system to encrypt devices.”

Title: REvil Ransomware Gang Spill Details on US Attacks

Date Published: June 4, 2021

https://threatpost.com/revil-spill-details-us-attacks/166669/

Excerpt: “Key claims made by the REvil gang on the Russian OSINT channel included: The recent attack, impacting JBS Foods, was originally directed at a Brazilian entity. REvil doesn’t understand why the U.S. has intervened in this case. The gang member said current U.S. legislation, if passed, that would restrict ransomware victims from paying a ransom, would not be a deterrent for future attacks. The group is not afraid of being considered terrorists. The group originally restricted U.S. targets in cyberattacks. In the interview the anonymous REvil gang member said that in light of U.S. actions and posturing to retaliate for the JBS Foods attack, the group will now lift the restriction on attacking U.S. targets.”

Title: Hackers Use Colonial Pipeline Ransomware News for Phishing Attack

Date Published: June 4, 2021

https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack/

Excerpt: “The malicious links take users to websites with convincing names — ms-sysupdate[.]com and selectivepatch[.]com — both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post. The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file onto the user’s computer called “Ransomware_Update.exe.””

Title: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

Date Published: June 4, 2021

https://heimdalsecurity.com/blog/revil-ransomware-responsible-for-the-jbs-attack-fbi-says/

Excerpt: “TeamTNT operations are now using compromised AWS credentials to enumerate AWS cloud environments, via the AWS platform’s API. These actions attempt to identify all Identity and Access Management (IAM) permissions, Elastic Compute Cloud (EC2) instances, Simple Storage Service (S3) buckets, CloudTrail configurations and CloudFormation operations granted to the compromised AWS credential. TeamTNT operations are now also targeting the credentials of 16 additional applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance, if installed.”
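The enumeration pattern the excerpt describes, one credential issuing read-only List/Describe/Get calls against IAM, EC2, S3, CloudTrail and CloudFormation in quick succession, is visible in CloudTrail management events. The following detection example is added here by the editor; it is not taken from the linked article or from any vendor tooling. The events, access key IDs, source IPs and the thresholds (five-minute window, three services, five calls) are constructed placeholders chosen for the illustration.

```python
"""Flag AWS access keys that enumerate many services in a short window.

Constructed CloudTrail-style events (not real logs); access key IDs, IPs
and thresholds are placeholders chosen for this example."""
from collections import defaultdict
from datetime import datetime, timezone

# Read-only call prefixes an attacker uses to map what a stolen key reaches.
ENUM_PREFIXES = ("List", "Describe", "Get")

# Services the excerpt names as enumeration targets (eventSource prefixes).
WATCHED_SERVICES = {"iam", "ec2", "s3", "cloudtrail", "cloudformation"}


def _event(time, source, name, key, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": f"{source}.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key},
    }


STOLEN_KEY = "AKIAEXAMPLE000000001"   # placeholder, not a real key ID
DEPLOY_KEY = "AKIAEXAMPLE000000002"   # placeholder for a benign CI key

SAMPLE_EVENTS = [
    # Stolen key: broad read-only sweep across five services in ~70 seconds.
    _event("2021-06-03T10:00:02Z", "sts", "GetCallerIdentity", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:00:10Z", "iam", "ListUsers", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:00:15Z", "iam", "ListAttachedUserPolicies", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:00:31Z", "ec2", "DescribeInstances", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:00:44Z", "s3", "ListBuckets", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:01:05Z", "cloudtrail", "DescribeTrails", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:01:20Z", "cloudformation", "DescribeStacks", STOLEN_KEY, "203.0.113.10"),
    _event("2021-06-03T10:03:00Z", "ec2", "RunInstances", STOLEN_KEY, "203.0.113.10"),
    # Benign key: the same DescribeInstances call, one service, spread out.
    _event("2021-06-03T09:00:00Z", "ec2", "DescribeInstances", DEPLOY_KEY, "198.51.100.5"),
    _event("2021-06-03T09:10:00Z", "ec2", "DescribeInstances", DEPLOY_KEY, "198.51.100.5"),
    _event("2021-06-03T09:20:00Z", "ec2", "DescribeInstances", DEPLOY_KEY, "198.51.100.5"),
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_enumerating_keys(events, window_seconds=300, min_services=3, min_calls=5):
    """Return {accessKeyId: summary} for keys whose read-only calls reach at
    least min_services watched services (and min_calls calls) inside some
    sliding window of window_seconds. Write calls and unwatched services are
    ignored; the qualifying window touching the most services is reported."""
    by_key = defaultdict(list)
    for ev in events:
        name = ev.get("eventName", "")
        service = ev.get("eventSource", "").split(".")[0]
        if not name.startswith(ENUM_PREFIXES) or service not in WATCHED_SERVICES:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "unknown")
        by_key[key].append((_parse_time(ev["eventTime"]), service, name, ev.get("sourceIPAddress")))

    findings = {}
    for key, calls in by_key.items():
        calls.sort(key=lambda c: c[0])
        best = None
        start = 0
        for end in range(len(calls)):
            # Advance the window start until the window spans at most window_seconds.
            while (calls[end][0] - calls[start][0]).total_seconds() > window_seconds:
                start += 1
            window = calls[start:end + 1]
            services = {c[1] for c in window}
            if len(window) < min_calls or len(services) < min_services:
                continue
            if best is None or len(services) > len(best["services"]):
                best = {
                    "services": sorted(services),
                    "calls": len(window),
                    "first": window[0][0].isoformat(),
                    "last": window[-1][0].isoformat(),
                    "source_ips": sorted({c[3] for c in window if c[3]}),
                }
        if best:
            findings[key] = best
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(find_enumerating_keys(SAMPLE_EVENTS), indent=2))
```

Two caveats when running this against real trails: inventory and posture-scanning tools issue the same read-only sweep on a schedule, so baseline the rule per principal rather than treating every hit as hostile, and CloudTrail typically delivers management events with a delay of several minutes, so this is a triage signal for a stolen key rather than a real-time block. The key-level grouping matters because the excerpt's scenario starts from a credential lifted off a compromised instance; a role session or instance profile suddenly calling from an unfamiliar source IP is the same signal with a different identity type.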

Title: Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide

Date Published: June 3, 2021

https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-critical-vulnerabilities-in-codesys-serious-threat-to-industrial-control-systems-worldwide/

Excerpt: “To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations. The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser.”

Title: Dark Web Price Index 2021

Date Published: June 1, 2021

https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html

Excerpt: “With the massive influx of supply, buyers seem to be gravitating towards bigger, “trustworthy” sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of “buy 2 cloned credit cards and get 1 for free!!” for example. In an effort to mitigate detection and tracking by law enforcement, the Dark Web is moving towards increased security on all ends. The markets have abandoned Bitcoin (BTC) as it is not secure, and vendors are demanding buyers to use Monero as payment and communicate only through PGP encryption.”

Title: DNS Attacks on the Rise, Costing $1 Million Each

Date Published: June 4, 2021

https://www.infosecurity-magazine.com/news/dns-attacks-on-rise/

Excerpt: “The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%). Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers. These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.”

Title: Zero-day in Popular WordPress Plugin Exploited to Take Over Website

Date Published: June 3, 2021

https://www.welivesecurity.com/2021/06/03/zero-day-popular-wordpress-plugin-exploited-take-over-websites/

Excerpt: “Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information. This could spell problems for website operators since it puts them at risk of violating PCI-DSS (Payment Card Industry Data Security Standard) compliance rules.”

Title: Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Date Published: June 3, 2021

https://www.infosecurity-magazine.com/news/mandiant-to-reemerge-fireeye/

Excerpt: “FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again. The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021. It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.”
