November 8, 2021

Fortify Security Team

Title: Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer
Date Published: November 7, 2021

Excerpt: “On Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced persistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password management and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious actors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments; however, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same vulnerability.”

Title: Five Affiliates to Sodinokibi/Revil Unplugged
Date Published: November 8, 2021

Excerpt: “On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5 000 infections, which in total pocketed half a million euros in ransom payments. Since February 2021, law enforcement authorities have arrested three other affiliates of Sodinokibi/REvil and two suspects connected to GandCrab. These are some of the results of operation GoldDust, which involved 17 countries*, Europol, Eurojust and INTERPOL. All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by the Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab.”

Title: Electronics Retail Giant Mediamarkt Hit by Ransomware Attack
Date Published: November 8, 2021

Excerpt: “While online sales continue to function as expected, cash registers cannot accept credit cards or print receipts at affected stores. The system’s outage is also preventing returns due to the inability to look up previous purchases. Local media reports that internal MediaMarkt communications tell employees to avoid encrypted systems and disconnect cash registers from the network.

Screenshots posted on Twitter of alleged internal communications state that 3,100 servers were affected in this attack. However, BleepingComputer has not been able to corroborate those statements at this time.”

Title: Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Date Published: November 5, 2021

Excerpt: “This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104. IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”

Title: Critical Flaws in Philips TASY EMR Could Expose Patient Data
Date Published: November 8, 2021

Excerpt: “‘Successful exploitation of these vulnerabilities could result in patients’ confidential data being exposed or extracted from Tasy’s database, give unauthorized access, or create a denial-of-service condition,’ CISA said in a medical bulletin issued on November 4. Used by over 950 healthcare institutions primarily in Latin America, Philips Tasy EMR is designed as an integrated healthcare informatics solution that enables centralized management of clinical, organizational and administrative processes, including incorporating analytics, billing, and inventory and supply management for medical prescriptions.”

Title: Notorious Ransomware Attacks by REvil in 2021
Date Published: November 8, 2021

Excerpt: “REvil (Ransomware Evil), also known as Sodinokibi, is an infamous private ransomware-as-a-service (RaaS) group held responsible for several vicious ransomware attacks on organizations worldwide. According to an article by Dark Reading, REvil was the most common ransomware variant responsible for 25% of ransomware attacks from January 2021 to July 2021.”

Title: Operation Cyclone targets Clop Ransomware affiliates
Date Published: November 8, 2021

Excerpt: “Interpol announced the arrest of six alleged affiliates of the Clop ransomware operation as part of an international joint law enforcement operation codenamed Operation Cyclone. Law enforcement authorities from South Korea, Ukraine, and the United States joined their efforts in a 30-month investigation that was coordinated by Interpol. In June, Ukrainian law enforcement arrested six individuals and conducted 21 raids at the homes of suspects, in Kyiv and elsewhere. The police also seized computers, smartphones, and server equipment, 5 million Ukrainian hryvnias (+$180K) in cash, and several cars, including Tesla, Mercedes, and Lexus models.”

Title: Google Will Kill Chrome Sync Support on Chrome 48 and Earlier
Date Published: November 8, 2021

Excerpt: “Google will end support for the Chrome sync feature for all users still running Google Chrome 48 and earlier after Chrome 96 reaches the stable channel. When enabled, Chrome sync will keep the users’ bookmarks, passwords, history, open tabs, settings, preferences, and, in some cases, Google Pay payment info. It also automatically signs them into Gmail, YouTube, Search, and other Google services. The move was previously announced on the company’s enterprise blog, with the release notes for Chrome 94 published last month, on October 19.”

Title: Insurers Tap Cyber “Opportunity” as Rates Continue to Rise
Date Published: November 8, 2021

Excerpt: “A large chunk of these price rises comes from the firm’s Cyber & Executive Risk Division, which saw rates increase 48% year-to-date (YTD) compared to the same period last year. That means the division accounted for $991m in Q3, almost a third of total premium income for the period. ‘I remain excited about the opportunity in the cyber market and with our disciplined and prudent risk selection, our market leading product offering and the ongoing investment in our cyber infrastructure, I believe we are in a great position to capitalize on this,’ said Beazley CEO, Adrian Cox. Prices for cyber-insurance continue to rise despite a ‘downward trajectory’ of claims following remediation work done with customers over the past year, it said.”

Title: Could Cyber Diplomacy Be the Ultimate Answer to American Ransomware Woes?
Date Published: November 8, 2021

Excerpt: “As these cyber events have made headlines over the past several months, the Cyber Diplomacy Act has mostly languished in Congress. As a result, the existence and alignment of the Office of the Coordinator for Cyber Issues is still subject to the desires of the Secretary of State, a reality that has resulted in the office’s devaluation in recent years. The Cyber Diplomacy Act of 2021 (HR 1251) is the third iteration of a cyber diplomacy bill since 2017, and the third attempt to create a permanent cyber diplomacy office through congressional mandate, as recommended by the Cyberspace Solarium Commission.”