OSN June 9, 2021

Fortify Security Team
Jun 9, 2021

Title: Stealthy Gelsemium Cyberspies Linked to Noxplayer Supply-Chain Attack
Date Published: June 9, 2021

https://www.bleepingcomputer.com/news/security/stealthy-gelsemium-cyberspies-linked-to-noxplayer-supply-chain-attack/

Excerpt: “Gelsemium uses three components and a plug-in system to give the operators a range of possibilities to gather information: the dropper Gelsemine, the loader Gelsenicine, and the main plugin Gelsevirine. According to reports from G DATA and Verint Systems, the cyberspies used spear-phishing emails with document attachments exploiting the CVE-2012-0158 Microsoft Office vulnerability to deliver the malware. They’ve also been observed by VenusTech using watering holes set up on intranet servers in 2018, while ESET spotted them using a pre-authentication RCE exploit against vulnerable Exchange servers to deploy web shells.”

Title: Prometheus Ransomware Gang: A Group of REvil?
Date Published: June 9, 2021

https://unit42.paloaltonetworks.com/prometheus-ransomware/

Excerpt: “Only four victims have paid to date, according to the group’s leak site. It claims that a Peruvian agricultural company, a Brazilian healthcare services provider and transportation and logistics organizations in Austria and Singapore paid ransoms. However, we’re unable to confirm the ransom amounts. One interesting note is that Prometheus claims to be part of the notorious ransomware gang REvil. Unit 42 has seen no indication that these two ransomware gangs are related in any way. The claim may be an attempt to exploit REvil’s name to persuade victims to pay up, or it could be a false flag to take attention away from Thanos.”

Title: DarkSide Pwned Colonial With Old VPN Password
Date Published: June 9, 2021

https://threatpost.com/darkside-pwned-colonial-with-old-vpn-password/166743/

Excerpt: “Indeed, the password used for the Colonial attack also was discovered inside a batch of leaked passwords on the dark web, according to Bloomberg, and company officials and investigators are still unclear about how hackers obtained the password in the first place. “We don’t see any evidence of phishing for the employee whose credentials were used,” Carmakal told Bloomberg. “We have not seen any other evidence of attacker activity before April 29.” He speculated that perhaps the password may have gotten into the wrong hands when a Colonial employee used it on another account that was previously hacked, according to the report.”
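The point of the Colonial report is that a still-valid VPN password was sitting in a public credential dump. The check a practitioner wants is to screen active passwords (VPN, AD, service accounts) against a leaked-password corpus without ever sending the password, or its full hash, off the host. The following is an added example, not code from Threatpost, Bloomberg or Mandiant: it implements the k-anonymity range lookup that the Have I Been Pwned Pwned Passwords API uses (SHA-1, first five hex characters sent, server returns `SUFFIX:COUNT` lines for that prefix). The leaked corpus and the local "server" below are constructed stand-ins so the example runs offline; the `http_fetch_range` function hits the real endpoint and is provided but not exercised.

```python
"""Screen a password against a leaked-password corpus with a k-anonymity
range lookup (the Pwned Passwords scheme).

Added example for this digest, not code from the articles it summarises.
Assumptions: SHA-1 hex digest, upper case; the first 5 hex characters are
the range key; a range response is newline-separated "SUFFIX:COUNT" lines.
CONSTRUCTED_LEAK is invented sample data, not real breach content.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable

RANGE_URL = "https://api.pwnedpasswords.com/range/"
PREFIX_LEN = 5  # only these characters of the hash ever leave the host

# Constructed stand-in for a leaked credential batch (duplicates are deliberate:
# the count tells you how often a password appeared across breaches).
CONSTRUCTED_LEAK = [
    "password", "password", "Summer2020!", "Welcome1", "qwerty123",
    "P@ssw0rd", "Colonial2019",
]


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex of the UTF-8 password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex: str):
    """Return (prefix, suffix): only the prefix is disclosed to the lookup service."""
    return hash_hex[:PREFIX_LEN], hash_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).

    The comparison of the remaining 35 hex characters happens locally, so the
    service learns only a 5-character prefix shared by many hashes.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# --- Constructed server side: index a leaked list by prefix --------------------

def build_range_index(leaked_passwords: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Index a (constructed) leaked corpus as {prefix: {suffix: count}}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in leaked_passwords:
        prefix, suffix = split_hash(sha1_hex(pw))
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def make_local_fetcher(index: Dict[str, Dict[str, int]]) -> Callable[[str], str]:
    """Return a fetch_range(prefix) that answers from the local index in API format."""
    def fetch_range(prefix: str) -> str:
        bucket = index.get(prefix.upper(), {})
        return "\n".join(f"{s}:{c}" for s, c in sorted(bucket.items()))
    return fetch_range


def http_fetch_range(prefix: str) -> str:
    """Real lookup against the public range endpoint (network; not run here)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-screen"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    fetch = make_local_fetcher(build_range_index(CONSTRUCTED_LEAK))
    for candidate in ("password", "Colonial2019", "Tq7!wXz9#pLm2vB@"):
        n = breach_count(candidate, fetch)
        verdict = f"seen {n}x in leak, rotate it" if n else "not in leak"
        print(f"{candidate!r}: {verdict}")
```

To screen real accounts, swap `fetch` for `http_fetch_range`; the leaked status of a password is then decided on the host from the returned bucket, and a non-zero count is a reason to force rotation and to check whether the same account also lacks MFA.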

Title: Ransomware Struck Another Pipeline Firm—and 70GB of Data Leaked
Date Published: June 7, 2021

https://www.wired.com/story/linestar-pipeline-ransomware-leak/

Excerpt: “But the unredacted files, which WIRED has reviewed, remain online. And they may include information that could enable follow-on targeting of other pipelines. While Slowik notes that it’s still not clear what sensitive information might be included in the leak’s 70 GB, he worries that it could include information about the software architecture or physical equipment used by LineStar’s customers, given that LineStar provides information technology and industrial control system software to pipeline customers.”

Title: CISA and Bugcrowd to Launch Federal Crowdsourced VDP Platform
Date Published: June 8, 2021

https://www.infosecurity-magazine.com/news/cisa-bugcrowd-federal-vdp-platform/

Excerpt: “The move will allow Federal Civilian Executive Branch (FCEB) agencies to coordinate with the civilian hacker community about vulnerabilities in their critical systems. FCEB agencies will now be able to receive security feedback from Bugcrowd’s community of ethical hackers around the world, helping them quickly identify and monitor vulnerabilities in their critical systems.”

Title: Huawei Reveals ‘Cybersecurity Framework’ With Launch of China Transparency Centre
Date Published: June 9, 2021

https://www.zdnet.com/article/huawei-reveals-cybersecurity-framework-with-launch-of-china-transparency-centre/

Excerpt: “Along with the launch, Huawei unveiled the security baseline framework that it said was integrated into its product development process and developed to address legal and regulatory requirements. The framework comprised 54 requirements spanning 15 categories for product implementation, such as backdoor prevention, access channel control, encryption, application security, and secure compilation. The vendor added that this was the first time its security baseline was made available to the industry.”

Title: Hundreds of Suspected Criminals Arrested After Being Tricked Into Using FBI-run Chat App
Date Published: June 9, 2021

https://www.welivesecurity.com/2021/06/08/hundreds-arrested-tricked-using-fbi-run-chat-app/

Excerpt: “The app AN0M was installed on mobile phones that were stripped of other capabilities. The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organized crime app. Criminals needed to know a criminal to get a device. The devices organically circulated and grew in popularity among criminals, who were confident of the legitimacy of the app because high-profile organized crime figures vouched for its integrity.”

Title: Phished Account Credentials Mostly Verified in Hours
Date Published: June 8, 2021

https://www.darkreading.com/threat-intelligence/phished-account-credentials-mostly-verified-in-hours/d/d-id/1341240

Excerpt: “While these actors are the ones using the credentials, they aren’t necessarily the same actors that stood up the phishing site. We know there’s a robust economy for compromised credentials, so it’s likely a share of these actors have been provided access to the accounts from another actor.” Most of the time, the credentials were used to send malicious links to gather credentials from targeted industries, including real estate and banking. In many cases, an attacker posed as a vendor and sent fictional invoices in an attempt to collect.”

Title: Microsoft Patches Six Zero-Day Security Holes
Date Published: June 8, 2021

https://krebsonsecurity.com/2021/06/microsoft-patches-six-zero-day-security-holes/

Excerpt: “Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited. “Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim’s machine, the attacker is able to gain arbitrary code execution,” said Christopher Hass, director of information security and research at Automox. “There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended”.”

Title: ThunderCats Hack the FSB | Your Taxes Didn’t Pay For This Op
Date Published: June 8, 2021

https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/

Excerpt: “Finally, while I’m quick to disparage the quality of the malware as not up to some exalted Western standard, it’s important to note that ThunderCats (and the larger TA428 umbrella) are pulling off custom-tailored region-specific supply chain attacks, successfully punching way above their weight in their intelligence collection efforts, and they should not be underestimated as an adversary.”
