OSN June 8, 2021

Jun 8, 2021 | Open Source News

Title: TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint
Date Published: June 8, 2021

https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/

Excerpt: “The copying and incorporation of cryptomining operational codebase or script functions have become a central behavioral indicator of cryptojacking groups and their operations. However, the use of command and control (C2) infrastructure, full tool sets and directory infrastructure patterns is a different matter. Unit 42 researchers have identified indicators traditionally pointing to the WatchDog cryptojacking group, which have been incorporated in the tactics, techniques and procedures (TTPs) used by the TeamTNT cryptojacking group. The new scripts from TeamTNT are overtly copying infrastructure naming conventions and hijacking a known WatchDog C2 hosting system, 199.199.226[.]117.”

Title: Evil Corp Impersonates PayloadBin Group to Avoid Federal Sanctions
Date Published: June 8, 2021

https://threatpost.com/evil-corp-impersonates-payloadbin/166710/

Excerpt: “The move is not the first time Evil Corp has tried to obscure its activity by changing the names of its ransomware operations. The group is originally known for distributing the Zeus malware and then the Dridex banking trojan, the latter of which allowed the group allegedly to steal millions of dollars from a combination of capturing banking credentials and then making unauthorized transfers from the compromised accounts.”

Title: Large Parts of Internet Offline Today Following Cloud Provider Issue
Date Published: June 8, 2021

https://www.infosecurity-magazine.com/news/internet-offline-cloud-provider/

Excerpt: “Large parts of the internet were temporarily offline today, including Amazon, Reddit and Twitch, it has been reported. Other significant organizations whose websites were affected by the incident included media outlets the Financial Times, The Guardian and New York Times and the UK’s Gov.uk. When users attempted to enter these websites, they were met with messages like “Error 503 Service Unavailable” and “connection failure”.”

Title: FBI Recovers Millions in Ransom From Darkside Ransomware Gang
Date Published: June 8, 2021

https://www.hackread.com/fbi-recovers-ransom-darkside-ransomware-gang/

Excerpt: “The move by the Department of Justice to recover ransom payments from the operators who disrupted U.S. critical infrastructure is a welcome development. It has become clear that we need to use several tools to stem the tide of this serious problem, and even law enforcement agencies need to broaden their approach beyond building cases against criminals who may be beyond the grasp of the law.”

Title: Four Security Vulnerabilities were Found in Microsoft Office
Date Published: June 7, 2021

https://blog.checkpoint.com/2021/06/08/four-security-vulnerabilities-were-found-in-microsoft-office/

Excerpt: “Check Point Research (CPR) identified four security vulnerabilities affecting products in the Microsoft Office suite, including Excel and Office online. If exploited, the vulnerabilities would grant an attacker the ability to execute code on targets via malicious Office documents, such as Word (.DOCX), Excel (.XLS) and Outlook (.EML). The vulnerabilities are the result of parsing mistakes made in legacy code found in Excel95 File Formats, giving researchers reason to believe that the security flaws have existed for several years.”

Title: Kubernetes Clusters Targeted by Siloscape Malware
Date Published: June 7, 2021

https://www.hackread.com/kubernetes-clusters-targeted-siloscape-malware/

Excerpt: “The malware is labeled as CloudMalware.exe. Instead of using Hyper-V isolation, it uses Server to target Windows containers and launches attacks by exploiting known and unpatched vulnerabilities to gain initial access against web pages, servers, and/or databases. It then achieves remote code execution on the container’s underlying node using various Windows container escape techniques like impersonating the container image service CExecSvc.exe to obtain SeTcbPrivilege privileges.”

Title: Hacker Group Gunning for Musk
Date Published: June 7, 2021

https://www.infosecurity-magazine.com/news/hacker-group-gunning-for-musk/

Excerpt: “Anonymous accuses the billionaire Tesla CEO and SpaceX founder, CEO, and chief engineer of using his immense wealth and influence to toy with cryptocurrency markets with no regard for how others might be affected. “The games you have played with the crypto markets have destroyed lives,” said the group in their latest video. Musk’s messages on social media have had a major impact on the cryptocurrency market. In March, a few weeks after Tesla revealed it had bought $1.5bn of Bitcoin, the electric carmaker said that it would accept the cryptocurrency as payment.”

Title: Modify HTTP request headers with Transform Rules
Date Published: June 8, 2021

https://blog.cloudflare.com/transform-http-request-headers/

Excerpt: “HTTP headers are set on both the ‘request’ and ‘response’ interactions; ‘request’ being when the client asks for the file and ‘response’ being what the server returns as a result. The functionality announced today pertains specifically to HTTP request headers only. Many organizations use HTTP request headers to ensure visitor requests are served correctly. They are used to route requests to different clusters, serve mobile-friendly content, and legacy-browser friendly content.”
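An added example, not from the Cloudflare post and not its rule syntax: a minimal request-header transform engine in Python that applies ordered set/remove rules of the kind the excerpt describes (tagging device type, client country and legacy browsers, stripping internal-only headers) before a request is forwarded to the origin. It shows the check a practitioner wants from any such edge rule: a header the origin routes or authorizes on must be overwritten, not appended, so a client-supplied copy (in any letter case) never reaches the origin. The request, rule set, header names and IP-to-country table are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """A parsed HTTP request as the edge sees it (constructed for the example)."""
    method: str
    path: str
    client_ip: str                      # TCP peer address known to the edge, not a header
    headers: Dict[str, str] = field(default_factory=dict)

    def get(self, name: str) -> Optional[str]:
        """Case-insensitive lookup; header names are case-insensitive (RFC 9110)."""
        name = name.lower()
        for k, v in self.headers.items():
            if k.lower() == name:
                return v
        return None


@dataclass
class Rule:
    """One ordered transform. action is "set" or "remove"; value/when are callables
    over the *incoming* request, so rules see the client's values, not each other's."""
    action: str
    header: str
    value: Optional[Callable[[Request], Optional[str]]] = None
    when: Callable[[Request], bool] = lambda req: True


def _without(headers: Dict[str, str], name: str) -> Dict[str, str]:
    """Drop every header matching name regardless of letter case."""
    name = name.lower()
    return {k: v for k, v in headers.items() if k.lower() != name}


def transform(req: Request, rules: List[Rule]) -> Request:
    """Apply rules in order and return a new Request; the input is left untouched.

    Both actions first remove any client-supplied copy of the header, so a "set"
    overwrites rather than adds a second, attacker-chosen value that the origin
    might read first.
    """
    headers = dict(req.headers)
    for rule in rules:
        if not rule.when(req):
            continue
        headers = _without(headers, rule.header)
        if rule.action == "set":
            if rule.value is None:
                raise ValueError(f"set rule for {rule.header} needs a value")
            produced = rule.value(req)
            if produced is not None:
                headers[rule.header] = produced
        elif rule.action != "remove":
            raise ValueError(f"unknown action {rule.action!r}")
    return Request(req.method, req.path, req.client_ip, headers)


# Constructed lookup table; addresses are from RFC 5737 documentation ranges.
GEO_BY_IP = {"198.51.100.7": "US", "203.0.113.9": "DE"}


def is_mobile(req: Request) -> bool:
    return "Mobile" in (req.get("User-Agent") or "")


def is_legacy_browser(req: Request) -> bool:
    return "MSIE" in (req.get("User-Agent") or "")


# Edge policy in evaluation order. Header names are hypothetical for the example.
EDGE_RULES: List[Rule] = [
    # The origin routes on these, so the edge must be their only author.
    Rule("set", "X-Client-Country", lambda r: GEO_BY_IP.get(r.client_ip, "ZZ")),
    Rule("set", "X-Device-Type", lambda r: "mobile" if is_mobile(r) else "desktop"),
    # Only present for legacy user agents; absent (not "0") otherwise.
    Rule("set", "X-Legacy-Browser", lambda r: "1", when=is_legacy_browser),
    # Never let an internet client reach the origin with internal-only headers.
    Rule("remove", "X-Internal-Debug"),
]


if __name__ == "__main__":
    spoofed = Request("GET", "/account", "198.51.100.7", {
        "Host": "shop.example",
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_6) Mobile/15E148 Safari/604.1",
        "x-client-country": "XX",   # attacker-supplied, lower-cased to dodge a naive exact match
        "X-Internal-Debug": "1",    # attacker probing a debug path the origin trusts
    })
    for name, value in transform(spoofed, EDGE_RULES).headers.items():
        print(f"{name}: {value}")
```

The design point is in `transform`: every rule, set or remove, first strips all case variants of its header. An engine that only appended would forward both `x-client-country: XX` and `X-Client-Country: US`, and which one the origin honours then depends on its header-parsing library, which is exactly the ambiguity an attacker probes for.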

Title: Billions of Compromised Records and Counting: Why the Application Layer is Still the Front Door for Data Breaches
Date Published: June 8, 2021

https://threatpost.com/billions-of-compromised-records-and-counting/166633/

Excerpt: “Attackers continue to evolve their tactics to get access to sensitive data. They’re using more sophisticated methods that evade traditional perimeter or endpoint solutions. In fact, research finds that nearly 50% of data breaches over the past several years originated at the web application layer. While this isn’t a new trend, attackers continue to use SQL injection (SQLi) or remote code execution (RCE) to exploit vulnerabilities in web applications that are connected to an organization’s data stores.”

Title: A Deep Dive Into Nefilim, a Ransomware Group With an Eye for $1bn+ Revenue Companies
Date Published: June 8, 2021

https://www.zdnet.com/article/a-deep-dive-into-nefilim-a-double-extortion-ransomware-group/

Excerpt: “The decryption key is the carrot dangled in front of victims, who are usually promised a key and the means to restore their systems in return for payment. When it comes to enterprise players, ransom demands can reach millions of dollars — and there is never a guarantee a key will be issued or will be technically suitable for restoration efforts. The phrase “ransomware” has become a familiar one to the general public as week-on-week we hear of more cases.”