OSN June 4, 2021

by | Jun 4, 2021 | Open Source News

Title: Meat Giant JBS Now Fully Operational After Ransomware Attack

Date Published: June 4, 2021

https://www.bleepingcomputer.com/news/security/meat-giant-jbs-now-fully-operational-after-ransomware-attack/

Excerpt: “JBS was able to get its systems back online sooner than expected since its backup servers were not impacted during the incident, and the restoration of systems critical to production was prioritized to reduce the impact on the food supply chain, producers, and consumers. It also received strong support from the US, Australian and Canadian governments, with the FBI and CISA offering their technical support to JBS in recovering from the ransomware attack. “The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery,” JBS USA said in a press release on Thursday.”

Title: Fujifilm Confirms Ransomware Attack Disrupted Business Operations

Date Published: June 4, 2021

https://www.bleepingcomputer.com/news/security/fujifilm-confirms-ransomware-attack-disrupted-business-operations/

Excerpt: “While it has not been disclosed what ransomware gang was behind the attack, it is believed to be the REvil ransomware operation. Fujifilm had recently been infected by the Qbot trojan, which is currently partnering with the REvil ransomware operation to provide remote access to compromised networks. Using the remote access provided by the trojan, the REvil ransomware gang will infiltrate a network and spread slowly to other devices while stealing unencrypted data. Once they gain access to a Windows domain administrator account and have harvested any data of value, they deploy the ransomware throughout the system to encrypt devices.”

Title: REvil Ransomware Gang Spill Details on US Attacks

Date Published: June 4, 2021

https://threatpost.com/revil-spill-details-us-attacks/166669/

Excerpt: “Key claims made by the REvil gang on the Russian OSINT channel included: The recent attack, impacting JBS Foods, was originally directed at a Brazilian entity. REvil doesn’t understand why the U.S. has intervened in this case. The gang member said current U.S. legislation, if passed, that would restrict ransomware victims from paying a ransom, would not be a deterrent for future attacks. The group is not afraid of being considered terrorists. The group originally restricted U.S. targets in cyberattacks. In the interview the anonymous REvil gang member said that in light of U.S. actions and posturing to retaliate for the JBS Foods attack, the group will now lift the restriction on attacking U.S. targets.”

Title: Hackers Use Colonial Pipeline Ransomware News for Phishing Attack

Date Published: June 4, 2021

https://www.zdnet.com/article/hackers-use-colonial-pipeline-ransomware-news-for-phishing-attack/

Excerpt: “The malicious links take users to websites with convincing names — ms-sysupdate[.]com and selectivepatch[.]com — both of which are newly created and registered with NameCheap. The same domain that sent the emails also controlled the links, INKY explained in a blog post. The people behind the attack were able to make the fake websites look even more convincing by designing them with the logo and images from the target company. A download button on the page downloads a “Cobalt Strike” file onto the user’s computer called “Ransomware_Update.exe.”

Title: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

Date Published: June 4, 2021

https://heimdalsecurity.com/blog/revil-ransomware-responsible-for-the-jbs-attack-fbi-says/

Excerpt: “TeamTNT operations are now using compromised AWS credentials to enumerate AWS cloud environments, via the AWS platform’s API. These actions attempt to identify all Identity and Access Management (IAM) permissions, Elastic Compute Cloud (EC2) instances, Simple Storage Service (S3) buckets, CloudTrail configurations and CloudFormation operations granted to the compromised AWS credential. TeamTNT operations are now also targeting the credentials of 16 additional applications, including those of AWS and Google Cloud credentials, which may be stored on the compromised cloud instance, if installed.”

Title: Positive Technologies Uncovers Critical Vulnerabilities in CODESYS; Serious Threat to Industrial Control Systems Worldwide

Date Published: June 3, 2021

https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-critical-vulnerabilities-in-codesys-serious-threat-to-industrial-control-systems-worldwide/

Excerpt: “To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough. According to the researchers, the main cause of the vulnerabilities is insufficient verification of input data, which may itself be caused by failure to comply with the secure development recommendations. The most dangerous problems were revealed in the CODESYS V2.3 web server component used by CODESYS WebVisu to display a human-machine interface in a web browser.”

Title: Dark Web Price Index 2021

Date Published: June 1, 2021

https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html

Excerpt: “With the massive influx of supply, buyers seem to be gravitating towards bigger, “trustworthy” sites, with White House Market holding the largest market share of sales. The Dark Web markets are even starting to parody traditional markets with comical offers of “buy 2 cloned credit cards and get 1 for free!!” for example. In an effort to mitigate detection and tracking by law enforcement, the Dark Web is moving towards increased security on all ends. The markets have abandoned Bitcoin (BTC) as it is not secure, and vendors are demanding buyers to use Monero as payment and communicate only through PGP encryption.”

Title: DNS Attacks on the Rise, Costing $1 Million Each

Date Published: June 4, 2021

https://www.infosecurity-magazine.com/news/dns-attacks-on-rise/

Excerpt: “The most common forms of attack were DNS phishing (49%), DNS-based malware (38%), DDoS (29%), DNS hijacking (27%), DNS tunnelling for command and control (24%), zero-day bugs (23%) and cloud misconfiguration abuse (23%). Phishing appears to have been particularly popular due to the large number of potentially at-risk remote workers. These attacks frequently led to cloud service and in-house app downtime, compromised websites, brand damage, lost business and sensitive data theft, the report claimed.”

Title: Zero-day in Popular WordPress Plugin Exploited to Take Over Website

Date Published: June 3, 2021

https://www.welivesecurity.com/2021/06/03/zero-day-popular-wordpress-plugin-exploited-take-over-websites/

Excerpt: “Based on Defiant’s analysis, the majority of the attacks appear to come from three specific IP addresses. The attackers are targeting e-commerce websites with the aim of getting their hands on order information from the vendor’s databases. The data that could be extracted from these orders may include customers’ personally identifiable information. Thich could spell problems for website operators since it puts them at risk of violating PCI-DSS (Payment Card Industry Data Security Standard) compliance rules.”

Title: Mandiant to Re-Emerge After $1.2 Billion FireEye Sale

Date Published: June 3, 2021

https://www.infosecurity-magazine.com/news/mandiant-to-reemerge-fireeye/

Excerpt: “FireEye has agreed to sell its FireEye Products business and brand name to a private equity firm in a deal that will see the Mandiant business it bought several years ago become a standalone company again. The $1.2 billion all-cash sale to a consortium led by Symphony Technology Group (STG) is expected to close by the end of Q4 2021. It will see STG acquire FireEye’s network, email, endpoint and cloud security products — alongside its related security management and orchestration platform.”