OSN July 14, 2021

Fortify Security Team
Jul 14, 2021

Title: Hackers Use New Solarwinds Zero-Day to Target U.S. Defense Orgs
Date Published: July 13, 2021

https://www.bleepingcomputer.com/news/microsoft/hackers-use-new-solarwinds-zero-day-to-target-us-defense-orgs/

Excerpt: “Tonight, Microsoft revealed that the attacks are attributed with high confidence to a China-based threat group tracked as ‘DEV-0322.’ ‘This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure,’ says a new blog post by the Microsoft Threat Intelligence Center. This threat group targets publicly exposed Serv-U FTP servers belonging to entities in the US Defense Industrial Base Sector and software companies.”

Title: REvil Ransomware Group Vanishes After Mounting U.S. Pressure
Date Published: July 14, 2021

https://www.hackread.com/revil-ransomware-group-offline-us-pressure/

Excerpt: “To conclude, we are yet to know if the Russian government will take responsibility for the take-down. Although that may be conciliatory for both governments, it will cement the fact that Russia has been for long allowing cybercriminals to operate under its jurisdiction while looking the other way. This isn’t true only for them, other countries including the USA are well known to engage in state-sponsored attacks and allowing criminals to continue operating under them as well. Nevertheless, in the future, it is also possible that the REvil group re-brands and comes back under another name.”

Title: Trickbot Improves Its VNC Module in Recent Attacks
Date Published: July 14, 2021

https://securityaffairs.co/wordpress/120090/malware/trickbot-botnet-vnc-module.html

Excerpt: “Bitdefender researchers spotted a new version of Trickbot’s VNC module (vncDLL) which was employed in attacks aimed at high-profile targets. ‘In May 2021, our systems started to pick up an updated version of the vncDll module that Trickbot uses against select high-profile targets. This module, known as tvncDll, is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes.’ states the report published by BitDefender.”

Title: Chinese Cyberspies’ Wide-Scale Apt Campaign Hits Asian Govt Entities
Date Published: July 14, 2021

https://www.bleepingcomputer.com/news/security/chinese-cyberspies-wide-scale-apt-campaign-hits-asian-govt-entities/

Excerpt: “Kaspersky researchers have revealed an ongoing and large-scale advanced persistent threat (APT) campaign with hundreds of victims from Southeast Asia, including Myanmar and the Philippines government entities. This cluster of APT activity, tracked as LuminousMoth by Kaspersky, has been linked to the HoneyMyte Chinese-speaking threat group with medium to high confidence.”

Title: Four In-The-Wild Exploits, 13 Critical Patches Headline Bumper Patch Tuesday
Date Published: July 14, 2021

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/07/four-in-the-wild-exploits-13-critical-patches-headline-bumper-patch-tuesday/

Excerpt: “Six vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVEs is a familiar one, 2021-34527 aka the anyone-can-run-code-as-domain-admin RCE known as PrintNightmare. Microsoft issued out-of-band patches for that vulnerability a week ago, but those were not as comprehensive as one might have hoped. Since then, the Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-04, ‘Mitigate Windows Print Spooler Service Vulnerability’ because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. This directive lists required actions for all Federal Civilian Executive Branch agencies.”

Title: Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability
Date Published: July 13, 2021

https://cyber.dhs.gov/ed/21-04/

Excerpt: “CISA has determined that this vulnerability poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on the current exploitation of this vulnerability by threat actors in the wild, the likelihood of further exploitation of the vulnerability, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems.”

Title: Luminousmoth APT: Sweeping Attacks for the Chosen Few
Date Published: July 14, 2021

https://securelist.com/apt-luminousmoth/103332/

Excerpt: “Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.”

Title: Thousands of PS4s Seized in Ukraine in Illegal Cryptocurrency Mining Sting
Date Published: July 14, 2021

https://www.zdnet.com/article/thousands-of-ps4s-seized-in-ukraine-in-illegal-cryptocurrency-mining-sting/

Excerpt: “Ukraine’s Security Service said last week that in the city of Vinnytsia, located along the Southern Bug river, there was an abandoned warehouse in its industrial area that once belonged to an electricity company, JSC Vinnytsiaoblenergo. Upon entry, law enforcement found what it has called the country’s ‘largest underground cryptocurrency farm.’ In total, roughly 3,800 gaming consoles were rigged together and stored on metal racks — and over 500 graphics cards and 50 processors were also found.”

Title: Choosing Your MSP: What the Kaseya Incident Tells Us About Third-party Cyber Risk
Date Published: July 13, 2021

https://www.welivesecurity.com/2021/07/13/msp-kaseya-incident-third-party-cyber-risk/

Excerpt: “Although Gandcrab has been linked to REvil, there’s no suggestion that these attacks were perpetrated by the same group. But in any case, the cybercrime underground does a far better job of sharing intelligence and tooling than the infosec community. That means if attacks have been proven to work in the past, they will usually be repeated in the future. This is bad news for MSPs and their customers, as there’s a mounting body of historic evidence that shows campaigns against MSPs can be highly successful.”

Title: New Phishing Campaign Targets Individuals of Interest to Iran
Date Published: July 13, 2021

https://www.darkreading.com/attacks-breaches/new-phishing-campaign-targets-individuals-of-interest-to-iran/d/d-id/1341525

Excerpt: “TA453, a threat actor that security researchers have previously linked to Iran’s Revolutionary Guard Corps (IRGC), has launched a new phishing campaign aimed at individuals focused on Middle East affairs in the US and UK. Researchers at Proofpoint who spotted the campaign are tracking it as ‘Operation SpoofedScholars’ because the phishing emails being sent to intended victims purport to be from scholars with the University of London’s School of Oriental and African Studies (SOAS).”
