OSN July 2, 2021

Fortify Security Team
Jul 2, 2021
Title: U.S. Insurance Giant AJG Reports Data Breach After Ransomware Attack
Date Published: July 2, 2021

https://www.bleepingcomputer.com/news/security/us-insurance-giant-ajg-reports-data-breach-after-ransomware-attack/

Excerpt: “Arthur J. Gallagher (AJG), a US-based global insurance brokerage and risk management firm, is mailing breach notification letters to potentially impacted individuals following a ransomware attack that hit its systems in late September. “Working with the cybersecurity and forensic specialists to determine what may have happened and what information may have been affected, we determined that an unknown party accessed or acquired data contained within certain segments of our network between June 3, 2020 and September 26, 2020,” AJG said.”

Title: Israeli Researchers Discover Global Cyberattack in Over 1,300 Locations
Date Published: July 2, 2021

https://www.jpost.com/jpost-tech/israeli-researchers-discover-global-cyber-attack-in-1300-locations-672656

Excerpt: “The attack hit Microsoft’s SMB protocol, where the hackers found a way to access user data and possibly sell the information on the dark web. The estimated value of these exploits is listed at hundreds of dollars. Guardicore, which also develops software for malware protection, used its analysts to help identify cyberattacks and provide recommendations for protection against them. The company employs over 270 people, with offices in Israel, the United States, Canada, South America, India, Western Europe and Ukraine.”

Title: Babuk Ransomware, if You Hit and Run Do Not Leave a Trace
Date Published: July 2, 2021

https://www.databreaches.net/babuk-ransomware-if-you-hit-and-run-do-not-leave-a-trace/

Excerpt: “On the server, we saw a weird directory that we started to check; after the scan we were able to see that the onion website is full of active chat sessions. In the active session, we can view all conversations between the Babuk ransomware group and the victims. The sessions basically get you inside the “Chat Conversation Page” with all the history chats. That gives us an inside look into the negotiations process.”

Title: Cybersecurity: Hacker Gets Thousands of Confidential Data on LimeVPN Users
Date Published: July 2, 2021

https://www.techtimes.com/articles/262327/20210702/hacker-gets-thousands-confidential-data-linevpn-users.htm

Excerpt: “The supposed leak has turned into an all-out website breach as slashx has shut down the website himself. LimeVPN has spoken with PrivacySharks and said that there is a Trojan lingering on the website. The hacker is asking for a $400 bitcoin payment to anyone willing to part with the sensitive information of thousands of users that include usernames, email addresses, passwords, and billing information. The hacker said that he has all the private keys of every LimeVPN user, in which case he can decrypt the user’s traffic without any problems.”

Title: Former Anonymous and Lulzsec Hacker Discusses His Criminal Past and Gives His Top Tips for Avoiding Ransomware
Date Published: July 2, 2021

https://texasnewstoday.com/former-anonymous-and-lulzsec-hacker-discusses-his-criminal-past-and-gives-his-top-tips-for-avoiding-ransomware/343342/

Excerpt: “Things got a little out of hand. We were 17 and 18 at the time. We didn’t realize the scope of how the real world would respond, until we saw our ridiculous imagery of a man in a top hat sipping wine with a cat flying through space, on the front page of the Wall Street Journal. The headline was ‘Hackers broaden their attacks’. “People started to dress like us, and we were trending on Twitter with boy band One Direction at number two. We realized things have gone too far and we were doomed. And indeed we were”.”

Title: Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software
Date Published: July 2, 2021

https://thehackernews.com/2021/07/mongolian-certificate-authority-hacked.html

Excerpt: “The malicious installer is an unsigned [Portable Executable] file,” the researchers said. “It starts by downloading the legitimate version of the installer from the MonPass official website. This legitimate version is dropped to the ‘C:\Users\Public\’ folder and executed under a new process. This guarantees that the installer behaves as expected, meaning that a regular user is unlikely to notice anything suspicious.”

Title: CISA Offers New Mitigation for PrintNightmare Bug
Date Published: July 2, 2021

https://threatpost.com/cisa-mitigation-printnightmare-bug/167515/

Excerpt: “Regarding the latter, the company dropped a notice Thursday for a bug called “Windows Print Spooler Remote Code Execution Vulnerability” that appears to be the same vulnerability, but with a different CVE number—in this case, CVE-2021-34527. The description of the bug sounds like PrintNightmare; indeed, Microsoft acknowledges that it is “an evolving situation.” “A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” according to the notice. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights”.”

Title: Microsoft Exec Reveals “Routine” Secrecy Orders From Government Investigators
Date Published: July 1, 2021

https://blog.malwarebytes.com/security-world/government/2021/07/microsoft-exec-reveals-routine-secrecy-orders-from-government-investigators/

Excerpt: “In this case, the subpoena, which was issued by a federal grand jury and included a nondisclosure order signed by a federal magistrate judge, provided no information on the nature of the investigation and it would have been virtually impossible for Apple to understand the intent of the desired information without digging through users’ accounts,” said Apple spokesperson Fred Sainz in the statement. “Consistent with the request, Apple limited the information it provided to account subscriber information and did not provide any content such as emails or pictures.”

Title: NSA, FBI Reveal Hacking Methods Used by Russian Military Hackers
Date Published: July 1, 2021

https://thehackernews.com/2021/07/nsa-fbi-reveal-hacking-methods-used-by.html

Excerpt: “The threat actor is also tracked under various monikers, including APT28 (FireEye Mandiant), Fancy Bear (CrowdStrike), Sofacy (Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks). APT28 has a track record of leveraging password spray and brute-force login attempts to harvest valid credentials that enable future surveillance or intrusion operations. In November 2020, Microsoft disclosed credential harvesting activities staged by the adversary aimed at companies involved in researching vaccines and treatments for COVID-19.”

Title: Spanish Telecom Giant MasMovil Hit by REvil Ransomware Gang
Date Published: July 1, 2021

https://www.hackread.com/revil-ransomware-gang-hits-masmovil-telecom/

Excerpt: “Spain’s 4th largest telecom operator MasMovil Ibercom or MasMovil is the latest victim of the infamous REvil ransomware gang (aka Sodinokibi). On its official blog accessible via Tor browser, as seen by Hackread.com, the ransomware operator claims to have “downloaded databases and other important data” belonging to the telecom giant. As proof of its hack, the group has also shared screenshots apparently of the stolen MasMovil data that show folders named Backup, RESELLERS, PARLEM, and OCU, etc.”
