OSINT News - November 10, by Bart Otten

by Bart Otten in Security

Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945

https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html 

Through Mandiant investigation of intrusions, the FLARE Advanced Practices team observed a group we track as UNC1945 compromise managed service providers and operate against a tailored set of targets within the financial and professional consulting industries by leveraging access to third-party networks (see this blog post for an in-depth description of “UNC” groups).

---

REvil Ransomware member wins the auction for KPot stealer source code

https://securityaffairs.co/wordpress/110407/malware/revil-ransomware-kpot-stealer.html 

The authors of KPot information stealer have put its source code up for auction, and the REvil ransomware operators will likely be the only group to bid. KPOT Stealer is a “stealer” malware […]

---

Someone emptied a $1 billion BitCoin wallet ahead of Presidential Election

https://securityaffairs.co/wordpress/110391/digital-id/1billion-bitcoin-wallet-emptied.html 

Ahead of the 2020 Presidential election a mysterious transaction was noticed by cyber security experts and researchers. Someone has transferred almost $1 billion worth of cryptocurrency contained in a password-protected BitCoin wallet to another wallet. It is […]

---

Maze ransomware gang shuts down operations, states their press release

https://securityaffairs.co/wordpress/110318/cyber-crime/maze-ransomware-teminates-operations.html 

Today the Maze ransomware gang announced that it has officially shut down its operations; the news was anticipated last week. The cybercrime gang announced that it will no longer leak data of new companies infected with its ransomware.

---

New Pay2Key ransomware encrypts networks within one hour

https://www.bleepingcomputer.com/news/security/new-pay2key-ransomware-encrypts-networks-within-one-hour/ 

A new ransomware called Pay2Key has been targeting organizations from Israel and Brazil, encrypting their networks within an hour in targeted attacks still under investigation. Michael Gillespie ...

---

QBot phishing lures victims using US election interference emails

https://www.bleepingcomputer.com/news/security/qbot-phishing-lures-victims-using-us-election-interference-emails/ 

The Qbot botnet is now spewing U.S. election-themed phishing emails used to infect victims with malicious payloads designed to harvest user data and emails for use in future campaigns.

---

Critical bug actively used to deploy Cobalt Strike on Oracle servers

https://www.bleepingcomputer.com/news/security/critical-bug-actively-used-to-deploy-cobalt-strike-on-oracle-servers/ 

Threat actors are actively exploiting vulnerable Oracle WebLogic servers unpatched against CVE-2020-14882 to deploy Cobalt Strike beacons to gain persistent remote access to compromised devices.

---

Nuclear Regulation Authority shut down email systems after a cyber attack

https://securityaffairs.co/wordpress/110284/hacking/nuclear-regulation-authority-cyber-attack.html 

Japan’s Nuclear Regulation Authority (NRA) temporarily suspended its email systems; the interruption was likely caused by a cyber attack. The agency published a warning on its website asking people to contact […]

---

Oracle WebLogic Unauthenticated Complete Takeover (CVE-2020-14882/CVE-2020-14750): What You Need to Know

https://blog.rapid7.com/2020/10/29/oracle-weblogic-unauthenticated-complete-takeover-cve-2020-14882-what-you-need-to-know/ 

CVE-2020-14882: Unauthenticated RCE, Oracle WebLogic Server

What’s up? As if October 2020 hasn’t been scary enough, Rapid7 Labs, the SANS Internet Storm Center (ISC), and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers that are vulnerable to CVE-2020-14882 (AttackerKB Analysis), which is an unauthenticated remote code execution ...

---

VMware finally fixed the critical CVE-2020-3992 flaw in ESXi

https://securityaffairs.co/wordpress/110433/security/vmware-cve-2020-3992-esxi.html 

The virtualization giant VMware has released new fixes for ESXi after learning that a patch released in October for the critical CVE-2020-3992 flaw was incomplete. The CVE-2020-3992 vulnerability is a use-after-free bug that affects […]

---

Zero-day in Cisco AnyConnect Secure Mobility Client yet to be fixed

https://securityaffairs.co/wordpress/110414/security/zero-day-cisco-anyconnect-secure-mobility-client.html 

Cisco has disclosed a zero-day vulnerability, tracked as CVE-2020-3556, in the Cisco AnyConnect Secure Mobility Client software with the public availability of a proof-of-concept exploit code. The CVE-2020-3556 flaw resided in the interprocess communication ...

---

Malicious npm library removed from the repository due to backdoor capabilities

https://securityaffairs.co/wordpress/110348/malware/npm-library-backdoor.html 

The npm security team has removed a malicious JavaScript library named “twilio-npm” from its repository because it contained code for establishing backdoors on the computers of the programmers. Npm is the largest package repository for any […]

---

Apple patches three actively exploited iOS zero-days

https://www.bleepingcomputer.com/news/security/apple-patches-three-actively-exploited-ios-zero-days/ 

Apple has patched today three iOS zero-day vulnerabilities actively exploited in the wild and affecting iPhone, iPad, and iPod devices. "Apple is aware of reports that an exploit for this issue ...

---

Hackers stole credit card data from JM Bullion online bullion dealer

https://securityaffairs.co/wordpress/110290/cyber-crime/jm-bullion-hacked.html 

JM Bullion, the online retailer of products made of precious metals (i.e. gold, silver, copper, platinum, and palladium) has disclosed a data breach. JM Bullion has sent a ‘Notice of Data Security Incident‘ to its […]

---

Campari hit by Ragnar Locker Ransomware, $15 million demanded

https://www.bleepingcomputer.com/news/security/campari-hit-by-ragnar-locker-ransomware-15-million-demanded/ 

Italian liquor company Campari Group was hit by a Ragnar Locker ransomware attack, in which 2 TB of unencrypted files were allegedly stolen. To recover their files, Ragnar Locker is demanding $15 million.

---

Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen

https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/ 

Japanese game developer Capcom has suffered a ransomware attack where threat actors claim to have stolen 1TB of sensitive data from their corporate networks in the US, Japan, and Canada. Capcom is ...

---

Brazil’s court system shut down after a massive ransomware attack

https://securityaffairs.co/wordpress/110484/malware/brazils-court-system-ransomware.html 

Brazil’s Superior Court of Justice was hit by a ransomware attack on Tuesday during judgment sessions; the attack forced a temporary shutdown of the court’s information technology network. “The Superior Court of Justice (STJ) announces that the ...

---

Toymaker giant Mattel disclosed a ransomware attack

https://securityaffairs.co/wordpress/110381/cyber-crime/mattel-ransowmare-attack.html 

Toy industry giant Mattel announced that it has suffered a ransomware attack that took place on July 28th, 2020, and impacted some of its business operations. The good news is that the company excluded the theft of […]

---

United States Files A Civil Action To Forfeit Cryptocurrency Valued At Over One Billion U.S. Dollars

https://www.justice.gov/usao-ndca/pr/united-states-files-civil-action-forfeit-cryptocurrency-valued-over-one-billion-us 

SAN FRANCISCO - The United States filed a civil complaint today to forfeit thousands of Bitcoins, valued at over $1 billion dollars, seized by law enforcement on November 3, 2020, announced United States Attorney David L. Anderson of the Northern District of California and Special Agent in Charge of the Washington DC Field Office, Internal Revenue Service Criminal Investigation (IRS-CI) Kelly ...

---

Russian cybercriminal Aleksandr Brovko sentenced to 8 years in jail

https://securityaffairs.co/wordpress/110358/cyber-crime/aleksandr-brovko-sentenced-jail.html

The Russian cybercriminal Aleksandr Brovko (36) has been sentenced to eight years in jail for his role in a sophisticated botnet scheme that caused at least $100 […]

---

APT groups chain VPN and Windows Zerologon bugs to attack US government networks

https://securityaffairs.co/wordpress/109392/hacking/vpn-zerologon-bugs-attacks.html 

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published a joint security alert to warn of attackers combining VPN and Windows Zerologon flaws to target government networks. […]

---

German authorities raid the offices of the FinFisher surveillance firm

https://securityaffairs.co/wordpress/109488/malware/german-authorities-raid-finfisher-offices.html 

German authorities have raided the offices of FinFisher, the well-known German surveillance firm, as part of an investigation into the alleged sale of its software to oppressive regimes. The news was first reported […]

---

Fancy Bear Imposters Are on a Hacking Extortion Spree

https://www.wired.com/story/ddos-extortion-hacking-fancy-bear-lazarus-group/ 

Nice looking website you've got there. It'd be a shame if someone DDoS'd it.

---

Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security

https://www.dfs.ny.gov/Twitter_Report 

The New York State Department of Financial Services. Governor Andrew M. Cuomo and the New York State Legislature created the Department in 2011 as the merger of the former Banking and Insurance Departments, and widened the Department’s purview to include “the regulation of new financial services products,” by establishing “a modern system of regulation, rulemaking and adjudication ...

---

20 arrests in QQAAZZ multi-million money laundering case

https://www.europol.europa.eu/newsroom/news/20-arrests-in-qqaazz-multi-million-money-laundering-case 

An unprecedented international law enforcement operation involving 16 countries has resulted in the arrest of 20 individuals suspected of belonging to the QQAAZZ criminal network which attempted to launder tens of millions of euros on behalf of the world’s foremost cybercriminals.

---

Trickbot disrupted

https://microsoft.com/security/blog/2020/10/12/trickbot-disrupted/ 

As announced today, Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure. As a result, operators will no longer be able to use ...

---

Underestimating the FONIX – Ransomware as a Service could be an error

https://securityaffairs.co/wordpress/109369/cyber-crime/fonix-raas.html 

FONIX is a relatively new Ransomware as a Service (RaaS) available in the threat landscape that was analyzed by researchers from SentinelLabs; its operators previously specialized in developing binary crypters/packers. The actors behind FONIX RaaS advertised several products on […]

---

Hackers targeted the US Census Bureau network, DHS report warns

https://securityaffairs.co/wordpress/109358/reports/dhs-us-census-attacks.html 

The US Department of Homeland Security revealed that unknown threat actors targeted the network of the US Census Bureau during the last year. The attacks were reported in the first Homeland Threat Assessment (HTA) report released earlier […]

---

FIN11 hackers jump into the ransomware money-making scheme

https://www.bleepingcomputer.com/news/security/fin11-hackers-jump-into-the-ransomware-money-making-scheme/ 

FIN11, a financially-motivated hacker group with a history dating back to at least 2016, has adapted its malicious email campaigns to transition to ransomware as its main monetization method.

---

Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

https://securityaffairs.co/wordpress/109560/hacking/sonicwall-cve-2020-5135-flaw.html 

Security experts from the Tripwire VERT security team discovered 795,357 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw. “A buffer overflow vulnerability in SonicOS allows a […]

---

Microsoft fixes Windows certificate spoofing bug abusing CAT files

https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-certificate-spoofing-bug-abusing-cat-files/ 

Microsoft's October 2020 Patch Tuesday fixed 87 security bugs, one of which is an "Important" Windows Spoofing Vulnerability that abuses CAT files. The vulnerability enables attackers to create ...

---

QBot uses Windows Defender Antivirus phishing bait to infect PCs

https://www.bleepingcomputer.com/news/security/qbot-uses-windows-defender-antivirus-phishing-bait-to-infect-pcs/ 

The Qbot botnet uses a new template for the distribution of its malware that uses a fake Windows Defender Antivirus theme to trick you into enabling Excel macros. Qbot, otherwise known as QakBot ...

---

Joker’s Stash Breaches Dickey’s Barbecue Pit

https://geminiadvisory.io/jokers-stash-breaches-dickeys/ 

Key Findings: The Joker’s Stash dark web marketplace, known for advertising and uploading major breaches containing millions of compromised cards, has uploaded its latest breach, titled “BLAZINGSUN.” …

---

Crooks hit Puerto Rico Firefighting Department Servers

https://securityaffairs.co/wordpress/109551/hacking/puerto-rico-firefighting-department-attack.html 

Puerto Rico’s firefighting department disclosed a security breach: hackers breached its database and demanded a $600,000 ransom. According to the department’s director, Alberto Cruz, the ability of the department to respond to emergencies was not impacted by the attack. The […]

---

Egregor ransomware gang leaked data allegedly stolen from Ubisoft, Crytek

https://securityaffairs.co/wordpress/109530/malware/egregor-ransomware-gang-ubisoft-crytek.html 

A previously unknown ransomware gang dubbed Egregor has hit the game developer Crytek and leaked files allegedly stolen from the internal network of another leading gaming firm, Ubisoft. A few days ago, the Egregor […]

---

U.S. Bookstore giant Barnes & Noble hit by cyberattack

https://securityaffairs.co/wordpress/109511/hacking/barnes-noble-cyber-attack.html

U.S. Bookstore giant Barnes & Noble has disclosed a cyber attack in which the threat actors exposed customers’ data. Barnes & Noble, Inc., is an American bookseller with the largest number of retail outlets in the United States, across fifty states. The bookseller also operates Nook Digital, a spin-off division that […]

---

Leading Law firm Seyfarth Shaw discloses ransomware attack

https://securityaffairs.co/wordpress/109435/malware/seyfarth-shaw-ransomware-attack.html 

Seyfarth Shaw, one of the leading global legal firms, announced that it was the victim of an “aggressive malware” attack, likely a ransomware attack. Seyfarth Shaw LLP is an international AmLaw 100 law firm headquartered in Chicago, Illinois; its clients include over 300 of the Fortune 500 companies, and its practice reflects virtually every industry and segment of the economy. […]

---

Crytek hit by Egregor ransomware, Ubisoft data leaked

https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/ 

The Egregor ransomware gang has hit game developer Crytek in a confirmed ransomware attack and leaked what they claim are files stolen from Ubisoft's network.

---

London Borough of Hackney suffers ‘serious’ cyberattack

https://www.bleepingcomputer.com/news/security/london-borough-of-hackney-suffers-serious-cyberattack/ 

The city council systems for the London Borough of Hackney have been hit with a 'serious' cyberattack that impacts many of their services and IT systems. Not much is known about the attack, but in ...