OSN July 19, 2021

Fortify Security Team
Jul 19, 2021

Title: U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity

Date Published: July 19, 2021

https://us-cert.cisa.gov/ncas/current-activity/2021/07/19/us-government-releases-indictment-and-several-advisories-detailing

Excerpt: “The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC). The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds.”

Title: Saudi Aramco Data Breach Sees 1 TB Stolen Data for Sale

Date Published: July 19, 2021

https://www.bleepingcomputer.com/news/security/saudi-aramco-data-breach-sees-1-tb-stolen-data-for-sale/

Excerpt: “This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco’s “network and its servers,” sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group. When asked by BleepingComputer as to what method was used to gain access to the systems, the group did not explicitly spell out the vulnerability but instead called it “zero-day exploitation”.”

Title: NSO Group’s Pegasus Spyware Used Against Journalists, Political Activists Worldwide: Report

Date Published: July 19, 2021

https://www.zdnet.com/article/nso-groups-pegasus-spyware-used-against-journalists-political-activists-worldwide-report/

Excerpt: “Pegasus is a spyware tool with remote access capabilities that is able to extract handset information, harvest conversations taking place over apps including WhatsApp and Facebook, monitor email clients and browser activity, record calls, and spy on victims through their microphone and camera. Based in Israel, NSO Group markets its products as intended for governments to detect and “prevent a wide range of local and global threats,” as well as a way to tackle criminal and terrorist activity.”

Title: Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products

Date Published: July 15, 2021

https://us-cert.cisa.gov/ncas/current-activity/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products

Excerpt: “CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. Threat actors can exploit this vulnerability to initiate a targeted ransomware attack. CISA encourages users and administrators to review the SonicWall security advisory and upgrade to the newest firmware or disconnect EOL appliances as soon as possible. Review the CISA Bad Practices webpage to learn more about bad cybersecurity practices, such as using EOL software, that are especially dangerous for organizations supporting designated Critical Infrastructure or National Critical Functions.”

Title: Campbell Conroy & O’Neil Provides Notice of Data Privacy Incident

Date Published: July 16, 2021

https://www.prnewswire.com/news-releases/campbell-conroy–oneil-provides-notice-of-data-privacy-incident-301335655.html

Excerpt: “What Happened? On February 27, 2021, Campbell became aware of unusual activity on its network. Campbell conducted an investigation and determined that the network was impacted by ransomware, which prevented access to certain files on the system. In response, Campbell began working with third-party forensic investigators to investigate the full nature and scope of the event and to determine what information may have been impacted and to whom the information relates. Campbell also alerted the FBI of the incident. Campbell is providing notice because the investigation thus far determined that certain information relating to individuals was accessed by the unauthorized actor.”

Title: Ecuador’s State-Run CNT Telco Hit by RansomEXX Ransomware

Date Published: July 17, 2021

https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/

Excerpt: “In CNT’s press statement, the company states that corporate and customer data are secure and have not been exposed. However, the RansomEXX gang claims to have stolen 190 GB of data and shared screenshots of some of the documents on the hidden data leak page. The screenshots seen by BleepingComputer include contact lists, contracts, and support logs. This ransomware operation is responsible for numerous high-profile attacks, including Brazil’s Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens, and JBS, the world’s largest meat producer.”

Title: Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

Date Published: July 19, 2021

https://thehackernews.com/2021/07/researchers-warn-of-linux-cryptojacking.html

Excerpt: “While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two DDoS botnets, including a Demonbot variant called chernobyl and a Perl IRC bot, with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021. The Romanian cybersecurity technology company said it began its investigation into the group’s cyber activities in May 2021, leading to the subsequent discovery of the adversary’s attack infrastructure and toolkit.”

Title: UK Blames China for Microsoft Exchange Server Hack

Date Published: July 19, 2021

https://www.zdnet.com/article/uk-blames-china-for-microsoft-exchange-server-hack/

Excerpt: “On Monday, the government joined others — including the victim company itself, Microsoft — in claiming the cyberattack was the work of Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. Foreign Secretary Dominic Raab deemed the attack “by Chinese state-backed groups” as a “reckless but familiar pattern of behavior.” “The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab added.”

Title: Chinese State-Sponsored Cyber Operations: Observed TTPs

Date Published: July 19, 2021

https://us-cert.cisa.gov/ncas/alerts/aa21-200b

Excerpt: “To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors’ Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.”

Title: “Seven or Eight” Zero-Days: The Failed Race to Fix Kaseya VSA, With Victor Gevers, Lock and Code S02E13

Date Published: July 19, 2021

https://blog.malwarebytes.com/podcast/2021/07/seven-or-eight-zero-days-kaseya-vsa-victor-gevers-lock-and-code-s02e13/

Excerpt: “In the long term, Gevers stressed that software vendors take greater responsibility for their products. He asked vendors to invite third-party reviewers to analyze software code, and to step away from meaningless marketing language. By giving consumers more information from trusted analysts about how a product performs and what vulnerabilities it may have, Gevers said the market will then hopefully reward secure, transparent software. Finally, Gevers said that countries around the world should better incentivize independent security research so that cybersecurity researchers do not feel intimidated or afraid to report their findings.”
