OSN July 19, 2021

Fortify Security Team
Jul 19, 2021

Title: U.S. Government Releases Indictment and Several Advisories Detailing Chinese Cyber Threat Activity

Date Published: July 19, 2021


Excerpt: “The White House has released a statement attributing recent Microsoft Exchange server exploitation activity to the People’s Republic of China (PRC). The Department of Justice has indicted four Chinese cyber actors from the advanced persistent threat (APT) group APT40 for malicious cyber activities, carried out on orders from PRC Ministry of State Security (MSS) Hainan State Security Department (HSSD). These activities resulted in the theft of trade secrets, intellectual property, and other high-value information from companies and organizations in the United States and abroad, as well as from multiple foreign governments. CISA and FBI have released Joint Cybersecurity Advisory: TTPs of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department to help network defenders identify and remediate APT40 intrusions and established footholds.”

Title: Saudi Aramco Data Breach Sees 1 Tb Stolen Data for Sale

Date Published: July 19, 2021


Excerpt: “This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco’s “network and its servers,” sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group. When asked by BleepingComputer as to what method was used to gain access to the systems, the group did not explicitly spell out the vulnerability but instead called it “zero-day exploitation”.”

Title: NSO Group’s Pegasus Spyware Used Against Journalists, Political Activists Worldwide: Report

Date Published: July 19, 2021


Excerpt: “Pegasus is a spyware tool with remote access capabilities that is able to extract handset information, harvest conversations taking place over apps including WhatsApp and Facebook, monitor email clients and browser activity, record calls, and spy on victims through their microphone and camera. Based in Israel, NSO Group markets its products as intended for governments to detect and “prevent a wide range of local and global threats,” as well as a way to tackle criminal and terrorist activity.”

Title: Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products

Date Published: July 15, 2021


Excerpt: “CISA is aware of threat actors actively targeting a known, previously patched, vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware. Threat actors can exploit this vulnerability to initiate a targeted ransomware attack. CISA encourages users and administrators to review the SonicWall security advisory and upgrade to the newest firmware or disconnect EOL appliances as soon as possible. Review the CISA Bad Practices webpage to learn more about bad cybersecurity practices, such as using EOL software, that are especially dangerous for organizations supporting designated Critical Infrastructure or National Critical Functions.”

Title: Campbell Conroy & O’Neil Provides Notice of Data Privacy Incident

Date Published: July 16, 2021


Excerpt: “What Happened? On February 27, 2021, Campbell became aware of unusual activity on its network.  Campbell conducted an investigation and determined that the network was impacted by ransomware, which prevented access to certain files on the system.  In response, Campbell began working with third-party forensic investigators to investigate the full nature and scope of the event and to determine what information may have been impacted and to whom the information relates. Campbell also alerted the FBI of the incident. Campbell is providing notice because the investigation thus far determined that certain information relating to individuals was accessed by the unauthorized actor.”

Title: Ecuador’s State-Run Cnt Telco Hit by Ransomexx Ransomware

Date Published: July 17, 2021


Excerpt: “In CNT’s press statement, the company states that corporate and customer data are secure and have not been exposed. However, the RansomEXX gang claims to have stolen 190 GB of data and shared screenshots of some of the documents on the hidden data leak page. The screenshots seen by BleepingComputer, include contact lists, contracts, and support logs. This ransomware operation is responsible for numerous high-profile attacks, including Brazil’s Rio Grande do Sul court system, nuclear weapons contractor Sol Oriens, and JBS, the world’s largest meat producer.”

Title: Researchers Warn of Linux Cryptojacking Attackers Operating from Romania

Date Published: July 19, 2021


Excerpt: “While the goal of the campaign is to deploy Monero mining malware by remotely compromising the devices via brute-force attacks, the researchers connected the gang to at least two DDoS botnets, including a Demonbot variant called chernobyl and a Perl IRC bot, with the XMRig mining payload hosted on a domain named mexalz[.]us since February 2021. The Romanian cybersecurity technology company said it began its investigation into the group’s cyber activities in May 2021, leading to the subsequent discovery of the adversary’s attack infrastructure and toolkit.”

Title: UK Blames China for Microsoft Exchange Server Hack

Date Published: July 19, 2021


Excerpt: “On Monday, the government joined others — including the victim company itself, Microsoft — in claiming the cyberattack was the work of Chinese state-sponsored hackers, namely Hafnium, an advanced persistent threat (APT) group. Foreign Secretary Dominic Raab deemed the attack “by Chinese state-backed groups” as a “reckless but familiar pattern of behavior.” “The Chinese Government must end this systematic cyber sabotage and can expect to be held [to] account if it does not,” Raab added.”

Title: Chinese State-Sponsored Cyber Operations: Observed TTPs

Date Published: July 19, 2021


Excerpt: “To increase the defensive posture of their critical networks and reduce the risk of Chinese malicious cyber activity, NSA, CISA, and FBI urge government, CI, DIB, and private industry organizations to apply the recommendations listed in the Mitigations section of this advisory and in Appendix A: Chinese State-sponsored Cyber Actors’ Observed Procedures. Note: NSA, CISA, and FBI encourage organization leaders to review CISA Joint Insights: Chinese Malicious Cyber Activity: Threat Overview for Leaders for information on this threat to their organization.”

Title: “Seven or Eight” Zero-Days: The Failed Race to Fix Kaseya Vsa, With Victor Gevers, Lock and Code S02e13

Date Published: July 19, 2021


Excerpt: “In the long term, Gevers stressed that software vendors take greater responsibility of their products. He asked vendors to invite third party reviewers to analyze software code, and to step away from meaningless marketing language. By giving consumers more information from trusted analysts about how a product performs and what vulnerabilities it may have, Gevers said the market will then hopefully reward secure, transparent software. Finally, Gevers said that countries around the world should better incentivize independent security research so that cybersecurity researchers do not feel intimidated or afraid to report their findings.”

Recent Posts

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305) Date Published: August 30, 2021 https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 25, 2021

Title: Fake Opensea Support Staff Are Stealing Cryptowallets and NFTS Date Published: August 24, 2021 https://www.bleepingcomputer.com/news/security/fake-opensea-support-staff-are-stealing-cryptowallets-and-nfts/ Excerpt: “When an OpenSea user needs support, they can...

OSN August 24, 2021

Title: A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health Date Published: August 23, 2021 https://www.thespectrum.com/story/news/2021/08/23/phishing-attack-exposes-information-12-000-patients-st-george/8214230002/ Excerpt: “A healthcare...