OSN July 14, 2021

Fortify Security Team
Jul 14, 2021

Title: Hackers Use New Solarwinds Zero-Day to Target U.S. Defense Orgs
Date Published: July 13, 2021


Excerpt: “Tonight, Microsoft revealed that the attacks are attributed with high confidence to a China-based threat group tracked as ‘DEV-0322.’ ‘This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,’ says a new blog post by the Microsoft Threat Intelligence Center. This threat group targets publicly exposed Serv-U FTP servers belonging to entities in the US Defense Industrial Base Sector and software companies.”

Title: REvil Ransomware Group Vanishes After Mounting U.S. Pressure
Date Published: July 14, 2021


Excerpt: “To conclude, we are yet to know if the Russian government will take responsibility for the take-down. Although that may be conciliatory for both governments, it will cement the fact that Russia has been for long allowing cybercriminals to operate under its jurisdiction while looking the other way. This isn’t true only for them, other countries including the USA are well known to engage in state-sponsored attacks and allowing criminals to continue operating under them as well. Nevertheless, in the future, it is also possible that the REvil group re-brands and comes back under another name.”

Title: Trickbot Improves Its VNC Module in Recent Attacks
Date Published: July 14, 2021


Excerpt: “Bitdefender researchers spotted a new version of Trickbot’s VNC module (vncDLL) which was employed in attacks aimed at high-profile targets. ‘In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. This module, known as tvncDll, is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes,’ states the report published by BitDefender.”

Title: Chinese Cyberspies’ Wide-Scale APT Campaign Hits Asian Govt Entities
Date Published: July 14, 2021


Excerpt: “Kaspersky researchers have revealed an ongoing and large-scale advanced persistent threat (APT) campaign with hundreds of victims from Southeast Asia, including Myanmar and the Philippines government entities. This cluster of APT activity, tracked as LuminousMoth by Kaspersky, has been linked to the HoneyMyte Chinese-speaking threat group with medium to high confidence.”

Title: Four In-The-Wild Exploits, 13 Critical Patches Headline Bumper Patch Tuesday
Date Published: July 14, 2021


Excerpt: “Six vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVEs is a familiar one, 2021-34527 aka the anyone-can-run-code-as-domain-admin RCE known as PrintNightmare. Microsoft issued out-of-band patches for that vulnerability a week ago, but those were not as comprehensive as one might have hoped. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-04, ‘Mitigate Windows Print Spooler Service Vulnerability,’ because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. This directive lists required actions for all Federal Civilian Executive Branch agencies.”

Title: Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability
Date Published: July 13, 2021


Excerpt: “CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

Title: LuminousMoth APT: Sweeping Attacks for the Chosen Few
Date Published: July 14, 2021


Excerpt: “Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.”

Title: Thousands of PS4s Seized in Ukraine in Illegal Cryptocurrency Mining Sting
Date Published: July 14, 2021


Excerpt: “Ukraine’s Security Service said last week that in the city of Vinnytsia, located along the Southern Bug river, there was an abandoned warehouse in its industrial area that once belonged to an electricity company, JSC Vinnytsiaoblenergo. Upon entry, law enforcement found what it has called the country’s “largest underground cryptocurrency farm.” In total, roughly 3,800 gaming consoles were rigged together and stored on metal racks — and over 500 graphics cards and 50 processors were also found.”

Title: Choosing Your MSP: What the Kaseya Incident Tells Us About Third-party Cyber Risk
Date Published: July 13, 2021


Excerpt: “Although GandCrab has been linked to REvil, there’s no suggestion that these attacks were perpetrated by the same group. But in any case, the cybercrime underground does a far better job of sharing intelligence and tooling than the infosec community. That means if attacks have been proven to work in the past, they will usually be repeated in the future. This is bad news for MSPs and their customers, as there’s a mounting body of historic evidence that shows campaigns against MSPs can be highly successful.”

Title: New Phishing Campaign Targets Individuals of Interest to Iran
Date Published: July 13, 2021


Excerpt: “TA453, a threat actor that security researchers have previously linked to Iran’s Revolutionary Guard Corps (IRGC), has launched a new phishing campaign aimed at individuals focused on Middle East affairs in the US and UK. Researchers at Proofpoint who spotted the campaign are tracking it as ‘Operation SpoofedScholars’ because the phishing emails being sent to intended victims purport to be from scholars with the University of London’s School of Oriental and African Studies (SOAS).”
