November 8, 2021

Fortify Security Team

Title: Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
Date Published: November 7, 2021

https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/

Excerpt: “On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability.”

Title: Five Affiliates to Sodinokibi/REvil Unplugged
Date Published: November 8, 2021

https://www.europol.europa.eu/newsroom/news/five-affiliates-to-sodinokibi/revil-unplugged

Excerpt: “On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.”

Title: Electronics Retail Giant Mediamarkt Hit by Ransomware Attack
Date Published: November 8, 2021

https://www.bleepingcomputer.com/news/security/electronics-retail-giant-mediamarkt-hit-by-ransomware-attack/

Excerpt: “While online sales continue to function as expected, cash registers cannot accept credit cards or print receipts at affected stores. The system’s outage is also preventing returns due to the inability to look up previous purchases. Local media reports that internal MediaMarkt communications tell employees to avoid encrypted systems and disconnect cash registers from the network.

Screenshots posted on Twitter of alleged internal communications state that 3,100 servers were affected in this attack. However, BleepingComputer has not been able to corroborate those statements at this time.”

Title: Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Date Published: November 5, 2021

https://blogs.blackberry.com/en/2021/11/zebra2104

Excerpt: “This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104. IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”

Title: Critical Flaws in Philips TASY EMR Could Expose Patient Data
Date Published: November 8, 2021

https://thehackernews.com/2021/11/critical-flaws-in-philips-tasy-emr.html

Excerpt: “‘Successful exploitation of these vulnerabilities could result in patients’ confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition,’ CISA said in a medical bulletin issued on November 4. Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.”

Title: Notorious Ransomware Attacks by REvil in 2021
Date Published: November 8, 2021

https://threatcop.medium.com/notorious-ransomware-attacks-by-revil-in-2021-f9228dbcdb5a

Excerpt: “REvil (Ransomware Evil), also known as Sodinokibi, is an infamous private ransomware-as-a-service (RaaS) group held responsible for several vicious ransomware attacks on organizations worldwide. According to an article by Dark Reading, REvil was the most common ransomware variant responsible for 25% of ransomware attacks from January 2021 to July 2021.”

Title: Operation Cyclone targets Clop Ransomware affiliates
Date Published: November 8, 2021

https://securityaffairs.co/wordpress/124328/uncategorized/interpol-operation-cyclone-clop-ransomware.html

Excerpt: “Interpol announced the arrest of six alleged affiliates of the Clop ransomware operation as part of an international joint law enforcement operation codenamed Operation Cyclone. Law enforcement authorities from South Korea, Ukraine, and the United States joined their efforts in a 30-month investigation that was coordinated by Interpol. In June, Ukrainian law enforcement arrested six individuals and conducted 21 raids at the homes of suspects, in Kyiv and elsewhere. The police also seized computers, smartphones, and server equipment, 5 million Ukrainian hryvnias (+$180K) in cash, and several cars, including Tesla, Mercedes, and Lexus models.”

Title: Google Will Kill Chrome Sync Support on Chrome 48 and Earlier
Date Published: November 8, 2021

https://www.bleepingcomputer.com/news/google/google-will-kill-chrome-sync-support-on-chrome-48-and-earlier/

Excerpt: “Google will end support for the Chrome sync feature for all users still running Google Chrome 48 and earlier after Chrome 96 reaches the stable channel. When enabled, Chrome sync will keep the users’ bookmarks, passwords, history, open tabs, settings, preferences, and, in some cases, Google Pay payment info. It also automatically signs them into Gmail, YouTube, Search, and other Google services. The move was previously announced on the company’s enterprise blog, with the release notes for Chrome 94 published last month, on October 19.”

Title: Insurers Tap Cyber “Opportunity” as Rates Continue to Rise
Date Published: November 8, 2021

https://www.infosecurity-magazine.com/news/insurers-tap-cyber-opportunity/

Excerpt: “A large chunk of these price rises come from the firm’s Cyber & Executive Risk Division, which saw rates increase 48% year-to-date (YTD) compared to the same period last year. That means the division accounted for $991m in Q3, almost a third of total premium income for the period. ‘I remain excited about the opportunity in the cyber market and with our disciplined and prudent risk selection, our market leading product offering and the ongoing investment in our cyber infrastructure, I believe we are in a great position to capitalize on this,’ said Beazley CEO Adrian Cox. Prices for cyber-insurance continue to rise despite a ‘downward trajectory’ of claims following remediation work done with customers over the past year, it said.”

Title: Could Cyber Diplomacy Be the Ultimate Answer to American Ransomware Woes?
Date Published: November 8, 2021

https://www.darkreading.com/attacks-breaches/could-cyber-diplomacy-be-the-ultimate-answer-to-american-ransomware-woes-

Excerpt: “As these cyber events have made headlines over the past several months, the Cyber Diplomacy Act has mostly languished in Congress. As a result, the existence and alignment of the Office of the Coordinator for Cyber Issues is still subject to the desires of the Secretary of State, a reality that has resulted in the office’s devaluation in recent years. The Cyber Diplomacy Act of 2021 (HR 1251) is the third iteration of a cyber diplomacy bill since 2017, and the third attempt to create a permanent cyber diplomacy office through congressional mandate, as recommended by the Cyberspace Solarium Commission.”
