November 9, 2021

Fortify Security Team

Title: Medical Software Firm Urges Password Resets After Ransomware Attack
Date Published: November 9, 2021

https://www.bleepingcomputer.com/news/security/medical-software-firm-urges-password-resets-after-ransomware-attack/

Excerpt: “The ransomware attack on Mediatixx took place last week, and the company is still recovering, so far only managing to restore email and central telephone systems. Also, regional sales partners and all customer support lines are up and running, so clients can reach out to company representatives to address any concerns they may have. There’s no estimate for when the company will return to normal operational status. Finally, it has not been determined if the actors managed to exfiltrate any client, doctor, or patient data. However, the company states they informed Germany’s data protection authority about the incident and will issue an update after the investigations are concluded.”

Title: Multiple BusyBox Security Bugs Threaten Embedded Linux Devices
Date Published: November 9, 2021

https://threatpost.com/busybox-security-bugs-linux-devices/176098/

Excerpt: “The discovery of the flaws is significant because of the proliferation of BusyBox not just in the embedded Linux world, but also in numerous Linux applications outside of devices, Menashe said in an email to Threatpost. “These new vulnerabilities that we’ve disclosed only manifest in specific cases, but could be extremely problematic when exploitable,” he said. However, the good news for the security of devices using BusyBox is that generally the vulnerabilities require a bit of effort to exploit, researchers reported.”

Title: The Cyber Insurance Dilemma: The Risks of a Safety Net
Date Published: November 9, 2021

https://www.helpnetsecurity.com/2021/11/09/cyber-insurance-dilemma/

Excerpt: “According to a report published by the Howden Group in June 2021, the average global cyber insurance premium rate has increased by 32% year on year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the companies’ cybersecurity protocols to see if they reach the standard. Before, the checking process was mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant companies what they need to add, and the insurer won’t sign the contract until everything is in place.”

Title: Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
Date Published: November 5, 2021

https://blogs.blackberry.com/en/2021/11/zebra2104

Excerpt: “This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104. IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign. This discovery presented a great opportunity for us to understand the attribution of IABs. Performing intelligence correlation can help us build a clearer picture of how these disparate threat groups create partnerships and share resources to further enhance their nefarious goals.”

Title: Robinhood Reveals Data Breach and Extortion Shakedown
Date Published: November 9, 2021

https://www.bankinfosecurity.com/robinhood-reveals-data-breach-extortion-shakedown-a-17869

Excerpt: “The attacker obtained email addresses for 5 million people and full names for a “different group” of 2 million people, Robinhood says. More personal information and data, meanwhile, were also stolen, albeit for a smaller number of customers. For 310 individuals, this stolen data included their name, birthdate and ZIP code. A group of 10 customers also had “more extensive account details revealed,” but Robinhood did not specify the precise information stolen by the attacker.”

Title: US Charges Ukrainian National for Kaseya Ransomware Attack
Date Published: November 8, 2021

https://www.darkreading.com/attacks-breaches/us-charges-ukrainian-national-for-kaseya-ransomware-attack

Excerpt: “Vasinskyi is one of five individuals who have been arrested worldwide since February 2021 for allegedly deploying REvil (aka Sodinokibi) on systems belonging to organizations in multiple countries, including the US, Germany, and France. Two were arrested Nov. 4 in Romania, two were arrested in South Korea, and Vasinskyi was arrested in October in Poland. It’s not clear when the two REvil-related arrests in South Korea happened. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations. In addition to the arrests related to REvil, international law enforcement authorities have arrested two other individuals for deploying Gandcrab, the predecessor to REvil.”

Title: Nation-state Actors Target Critical Sectors by Exploiting the CVE-2021-40539 Flaw
Date Published: November 8, 2021

https://securityaffairs.co/wordpress/124315/hacking/nation-state-actors-critical-sectors-cve-2021-40539.html

Excerpt: “In the middle of September, the FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) warned that nation-state APT groups were actively exploiting the CVE-2021-40539 flaw. Experts also observed a series of unrelated attacks that failed to compromise their targets; these attacks have been attributed to separate threat actors. “As early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable organizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early October. During that window, the actor successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries,” reads the analysis published by Palo Alto Networks.”

Title: BlackBerry Uncovers Initial Access Broker Linked to 3 Distinct Hacker Groups
Date Published: November 8, 2021

https://thehackernews.com/2021/11/blackberry-uncover-initial-access.html

Excerpt: “"IABs typically first gain entry into a victim’s network, then sell that access to the highest bidder on underground forums located in the dark web," BlackBerry researchers noted in a technical report published last week. "Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign." An August 2021 analysis of more than 1,000 access listings advertised for sale by IABs in underground forums on the dark web found that the average cost of network access was $5,400 for the period July 2020 to June 2021, with the most valuable offers including domain admin privileges to enterprise systems.”

Title: US Sanctions Chatex Cryptoexchange Used by Ransomware Gangs
Date Published: November 8, 2021

https://www.bleepingcomputer.com/news/security/us-sanctions-chatex-cryptoexchange-used-by-ransomware-gangs/

Excerpt: “The US Treasury Department announced today sanctions against the Chatex cryptocurrency exchange for helping ransomware gangs evade sanctions and facilitating ransom transactions. The Treasury also sanctioned the Russian-linked Suex crypto exchange in September for helping at least eight ransomware groups, with over 40% of its known transactions linked to illicit actors. “Analysis of Chatex’s known transactions indicates that over half are directly traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware,” the Treasury Department said.”

Title: US Defense Contractor Discloses Data Breach
Date Published: November 5, 2021

https://www.darkreading.com/attacks-breaches/us-defense-contractor-discloses-data-breach

Excerpt: “Electronic Warfare Associates (EWA), a US defense contractor, has confirmed a data breach in which attackers exfiltrated files containing personal information. The breach began with a phishing attack that had “some limited impact” on EWA email accounts, officials report in a notification letter. Their investigation determined an attacker broke into EWA email accounts on Aug. 2, 2021; the organization learned of the attack when the intruder attempted wire fraud. “We have no reason to believe the purpose of the infiltration was to obtain personal information,” the notification states. “Nevertheless, the threat actor’s activities did result in the exfiltration of files with certain personal information.””
