OSN June 9, 2021

Fortify Security Team
Jun 9, 2021

Title: Stealthy Gelsemium Cyberspies Linked to Noxplayer Supply-Chain Attack
Date Published: June 9, 2021

https://www.bleepingcomputer.com/news/security/stealthy-gelsemium-cyberspies-linked-to-noxplayer-supply-chain-attack/

Excerpt: “Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware. They’ve also been observed by VenusTech using watering holes set up on intranet servers in 2018, while ESET spotted them using a pre-authentication RCE exploit against vulnerable Exchange servers to deploy web shells.”

Title: Prometheus Ransomware Gang: A Group of REvil?
Date Published: June 9, 2021

https://unit42.paloaltonetworks.com/prometheus-ransomware/

Excerpt: “Only four victims have paid to date, according to the group’s leak site. It claims that a Peruvian agricultural company, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and Singapore paid ransoms. However, we’re unable to confirm the ransom amounts. One interesting note is that Prometheus claims to be part of the notorious ransomware gang REvil. Unit 42 has seen no indication that these two ransomware gangs are related in any way. The claim may be an attempt to exploit REvil’s name to persuade victims to pay up, or it could be a false flag to take attention away from Thanos.”

Title: DarkSide Pwned Colonial With Old VPN Password
Date Published: June 9, 2021

https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/

Excerpt: “Indeed, the password used for the Colonial attack also was discovered inside a batch of leaked passwords on the dark web, according to Bloomberg, and company officials and investigators are still unclear about how hackers obtained the password in the first place. “We don’t see any evidence of phishing for the employee whose credentials were used,” Carmakal told Bloomberg. “We have not seen any other evidence of attacker activity before April 29.” He speculated that perhaps the password may have gotten into the wrong hands when a Colonial employee used it on another account that was previously hacked, according to the report.”

Title: Ransomware Struck Another Pipeline Firm—and 70GB of Data Leaked
Date Published: June 7, 2021

https://www.wired.com/story/linestar-pipeline-ransomware-leak/

Excerpt: “But the unredacted files, which WIRED has reviewed, remain online. And they may include information that could enable follow-on targeting of other pipelines. While Slowik notes that it’s still not clear what sensitive information might be included in the leak’s 70 GB, he worries that it could include information about the software architecture or physical equipment used by LineStar’s customers, given that LineStar provides information technology and industrial control system software to pipeline customers.”

Title: CISA and Bugcrowd to Launch Federal Crowdsourced VDP Platform
Date Published: June 8, 2021

https://www.infosecurity-magazine.com/news/cisa-bugcrowd-federal-vdp-platform/

Excerpt: “The move will allow Federal Civilian Executive Branch (FCEB) agencies to coordinate with the civilian hacker community about vulnerabilities in their critical systems. FCEB agencies will now be able to receive security feedback from Bugcrowd’s community of ethical hackers around the world, helping them quickly identify and monitor vulnerabilities in their critical systems.”

Title: Huawei Reveals ‘Cybersecurity Framework’ With Launch of China Transparency Centre
Date Published: June 9, 2021

https://www.zdnet.com/article/huawei-reveals-cybersecurity-framework-with-launch-of-china-transparency-centre/

Excerpt: “Along with the launch, Huawei unveiled the security baseline framework that it said was integrated into its product development process and developed to address legal and regulatory requirements. The framework comprised 54 requirements spanning 15 categories for product implementation, such as backdoor prevention, access channel control, encryption, application security, and secure compilation.The vendor added that this was the first time its security baseline was made available to the industry.”

Title: Hundreds of Suspected Criminals Arrested After Being Tricked Into Using FBI-run Chat App
Date Published: June 9, 2021

https://www.welivesecurity.com/2021/06/08/hundreds-arrested-tricked-using-fbi-run-chat-app/

Excerpt: “The app AN0M was installed on mobile phones that were stripped of other capabilities. The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organized crime app. Criminals needed to know a criminal to get a device. The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organized crime figures vouched for its integrity.”

Title: Phished Account Credentials Mostly Verified in Hours
Date Published: June 8, 2021

https://www.darkreading.com/threat-intelligence/phished-account-credentials-mostly-verified-in-hours/d/d-id/1341240

Excerpt: “While these actors are the ones using the credentials, they aren’t necessarily the same actors that stood up the phishing site. We know there’s a robust economy for compromised credentials, so it’s likely a share of these actors have been provided access to the accounts from another actor.” Most of the time, the credentials were used to send malicious links to gather credentials from targeted industries, including real estate and banking. In many cases, an attacker posed as a vendor and sent fictional invoices in an attempt to collect.”

Title: Microsoft Patches Six Zero-Day Security Holes
Date Published: June 8, 2021

https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/

Excerpt: “Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited. “Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim’s machine, the attacker is able to gain arbitrary code execution,” said Christopher Hass, director of information security and research at Automox. “There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended”.”

Title: ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op
Date Published: June 8, 2021

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/ c

Excerpt: “Finally, while I’m quick to disparage the quality of the malware as not up to some exalted Western standard, it’s important to note that ThunderCats (and the larger TA428 umbrella) are pulling off custom-tailored region-specific supply chain attacks, successfully punching way above their weight in their intelligence collection efforts, and they should not be underestimated as an adversary.”

Recent Posts

January 19, 2022

Title: Office 365 Phishing Attack Impersonates the US Department of Labor Date Published: January 19, 2022 https://www.bleepingcomputer.com/news/security/office-365-phishing-attack-impersonates-the-us-department-of-labor/ Excerpt: "A new phishing campaign...

January 18, 2022

Title: Europol Shuts Down VPN Service Used by Ransomware Groups Date Published: January 18, 2022 https://www.bleepingcomputer.com/news/security/europol-shuts-down-vpn-service-used-by-ransomware-groups/ Excerpt: "Law enforcement authorities from 10 countries took down...

January 14, 2022

Title: Android users can now disable 2G to block Stingray attacks Date Published: January 13, 2022 https://www.bleepingcomputer.com/news/security/android-users-can-now-disable-2g-to-block-stingray-attacks/ Excerpt: "Google has finally rolled out an option on Android...

November 23, 2021

Title: Over 4000 UK Retailers Compromised by Magecart Attacks Date Published: November 23, 2021 https://www.infosecurity-magazine.com/news/4000-uk-retailers-compromised/ Excerpt: “UK government security experts have been forced to notify over 4000 domestic online...

November 2, 2021

Title: Possible Cyber Attack Hits ‘Brain’ of N.L. Health-care System, Delaying Thousands of Appointments Date Published: November 1, 2021 cbc.ca/news/canada/newfoundland-labrador/health-services-it-outage-update-nov-1-1.6232426 Excerpt: "A cyberattack appears to be...

OSN November 1, 2021

Title: New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code Date Published: November 1, 2021 https://thehackernews.com/2021/11/new-trojan-source-technique-lets.html Excerpt: "A novel class of vulnerabilities could be leveraged by threat...

OSN October 29, 2021

Title: Footprinting and Reconnaissance using Windows OS Date Published: October 29, 2021 https://medium.com/@the_harvester/footprinting-and-reconnaissance-using-windows-os-36760fb47870 Excerpt: "This blog is in continuation previous blog on footprinting and...