OSN June 8, 2021

Fortify Security Team
Jun 8, 2021

Title: TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint
Date Published: June 8, 2021


Excerpt: “The copying and incorporation of cryptomining operational codebase or script functions have become a central behavioral indicator of cryptojacking groups and their operations. However, the use of command and control (C2) infrastructure, full tool sets and directory infrastructure patterns is a different matter. Unit 42 researchers have identified indicators traditionally pointing to the WatchDog cryptojacking group, which have been incorporated in the tactics, techniques and procedures (TTPs) used by the TeamTNT cryptojacking group. The new scripts from TeamTNT are overtly copying infrastructure naming conventions and hijacking a known WatchDog C2 hosting system, 199.199.226[.]117.”

Title: Evil Corp Impersonates PayloadBin Group to Avoid Federal Sanctions
Date Published: June 8, 2021


Excerpt: “The move is not the first time Evil Corp has tried to obscure its activity by changing the names of its ransomware operations. The group is originally known for distributing the Zeus malware and then the Dridex banking trojan, the latter of which allowed the group allegedly to steal millions of dollars from a combination of capturing banking credentials and then making unauthorized transfers from the compromised accounts.”

Title: Large Parts of Internet Offline Today Following Cloud Provider Issue
Date Published: June 8, 2021


Excerpt: “Large parts of the internet were temporarily offline today, including Amazon, Reddit and Twitch, it has been reported. Other significant organizations whose websites were affected by the incident included media outlets the Financial Times, The Guardian and New York Times and the UK’s Gov.uk. When users attempted to enter these websites, they were met with messages like “Error 503 Service Unavailable” and “connection failure”.”

Title: FBI Recovers Millions in Ransom From Darkside Ransomware Gang
Date Published: June 8, 2021


Excerpt: “The move by the Department of Justice to recover ransom payments from the operators who disrupted U.S. critical infrastructure is a welcome development. It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law.”

Title: Four Security Vulnerabilities were Found in Microsoft Office
Date Published: June 7, 2021


Excerpt: “Check Point Research (CPR) identified four security vulnerabilities affecting products in the Microsoft Office suite, including Excel and Office online. If exploited, the vulnerabilities would grant an attacker the ability to execute code on targets via malicious Office documents, such as Word (.DOCX), Excel (.XLS) and Outlook (.EML). The vulnerabilities are the result of parsing mistakes made in legacy code found in Excel95 File Formats, giving researchers reason to believe that the security flaws have existed for several years.”

Title: Kubernetes Clusters Targeted by Siloscape Malware
Date Published: June 7, 2021


Excerpt: “The malware is labeled as CloudMalware.exe. Instead of using Hyper-V isolation, it uses Server to target Windows containers and launches attacks by exploiting known and unpatched vulnerabilities to gain initial access against web pages, servers, and/or databases. It then achieves remote code execution on the container’s underlying node using various Windows container escape techniques like impersonating the container image service CExecSvc.exe to obtain SeTcbPrivilege privileges.”

Title: Hacker Group Gunning for Musk
Date Published: June 7, 2021


Excerpt: “Anonymous accuses the billionaire Tesla CEO and SpaceX founder, CEO, and chief engineer of using his immense wealth and influence to toy with cryptocurrency markets with no regard for how others might be affected. “The games you have played with the crypto markets have destroyed lives,” said the group in their latest video. Musk’s messages on social media have had a major impact on the cryptocurrency market. In March, a few weeks after Tesla revealed it had bought $1.5bn of Bitcoin, the electric carmaker said that it would accept the cryptocurrency as payment.”

Title: Modify HTTP request headers with Transform Rules
Date Published: June 8, 2021


Excerpt: “HTTP headers are set on both the ‘request’ and ‘response’ interactions; ‘request’ being when the client asks for the file and ‘response’ being what the server returns as a result. The functionality announced today pertains specifically to HTTP request headers only. Many organizations use HTTP request headers to ensure visitor requests are served correctly. They are used to route requests to different clusters, serve mobile-friendly content, and legacy-browser friendly content.”

Title: Billions of Compromised Records and Counting: Why the Application Layer is Still the Front Door for Data Breaches
Date Published: June 8, 2021


Excerpt: “Attackers continue to evolve their tactics to get access to sensitive data. They’re using more sophisticated methods that evade traditional perimeter or endpoint solutions. In fact, research finds that nearly 50% of data breaches over the past several years originated at the web application layer. While this isn’t a new trend, attackers continue to use SQL injection (SQLi) or remote code execution (RCE) to exploit vulnerabilities in web applications that are connected to an organization’s data stores.”

Title: A Deep Dive Into Nefilim, a Ransomware Group With an Eye for $1bn+ Revenue Companies
Date Published: June 8, 2021


Excerpt: “The decryption key is the carrot dangled in front of victims, who are usually promised a key and the means to restore their systems in return for payment. When it comes to enterprise players, ransom demands can reach millions of dollars — and there is never a guarantee a key will be issued or will be technically suitable for restoration efforts. The phrase “ransomware” has become a familiar one to the general public as week-on-week we hear of more cases.”
