OSINT News - November 23, by Bart Otten

by Bart Otten in Security

FIN7 recruiter Andrii Kolpakov pleads guilty to role in global hacking scheme

https://www.cyberscoop.com/fin7-recruiter-andrii-kolpakov-pleads-guilty-role-global-hacking-scheme/ 

FIN7 recruiter Andrii Kolpakov pleads guilty to role in global hacking scheme - CyberScoop

One of the ringleaders of FIN7, a global hacking crew accused of stealing more than $1 billion by posing as a cybersecurity vendor, has admitted his role in the scheme. Andrii Kolpakov pleaded guilty on Monday to conspiracy to commit wire and bank fraud and conspiracy to commit computer hacking as part of his involvement with FIN7. U.S. prosecutors had accused Kolpakov, a Ukrainian national ...

www.cyberscoop.com

---

Ukraine’s Top Cyber Cop on Defending Against Disinformation and Russian Hackers

https://therecord.media/ukraines-top-cyber-cop-on-defending-against-disinformation-and-russian-hackers/ 

Ukraine's Top Cyber Cop on Defending Against Disinformation and Russian Hackers | The Record by Recorded Future

In recent years, Ukraine has become an involuntary testing ground for some of the most dangerous cyberweapons in the world.

therecord.media

---

TA505: A Brief History Of Their Time

https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/ 

TA505: A Brief History Of Their Time – NCC Group Research

Threat Intel Analyst: Antonis Terefos (@Tera0017). Data Scientist: Anne Postma (@A_Postma). 1. Introduction. TA505 is a sophisticated and innovative threat actor, with plenty of cybercrime experience, that engages in targeted attacks across multiple sectors and geographies for financial gain. Over time, TA505 evolved from a lesser partner to a mature, self-subsisting and versatile crime operation ...

research.nccgroup.com

---

The adventures of lab ED011—“Nobody would be able to duplicate what happened there”

https://arstechnica.com/features/2018/08/the-secret-history-of-ed011-the-obscure-computer-lab-that-hacked-the-world/ 

The adventures of lab ED011—“Nobody would be able to duplicate what happened there” | Ars Technica

Lari remembers first going to ED011 in 1993 as a freshman at the Faculty of Automatic Control. The room was dark at night, only a neon tube flickering.

arstechnica.com

---

Back from vacation: Analyzing Emotet’s activity in 2020

https://blog.talosintelligence.com/2020/11/emotet-2020.html 

Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Back from vacation: Analyzing Emotet’s activity in 2020

During our analysis of various orphaned domains, we discovered many domains that were used previously for C2 by systems infected with a variety of threats like Dyre, Necurs, StealthWorker, and others. While many of the domains we investigated were part of time-based DGAs and not particularly useful, we identified several domains previously associated with SMTP servers that systems infected with ...

blog.talosintelligence.com

---

Mitsubishi Electric Corp. was hit by a new cyberattack

https://securityaffairs.co/wordpress/111201/hacking/mitsubishi-electric-cyberattack.html 

Mitsubishi Electric Corp. was hit by a new cyberattack--Security Affairs

Mitsubishi Electric Corp. was hit again by a massive cyberattack that may have caused the leakage of information related to its business partners. “Company officials on Nov. 20 said they were checking […]

securityaffairs.co

---

QakBot Big Game Hunting continues: the operators drop ProLock ransomware for Egregor

https://securityaffairs.co/wordpress/111197/cyber-crime/qakbot-egregor-ransomware.html 

QakBot Big Game Hunting continues: the operators drop ProLock ransomware for Egregor--Security Affairs

Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has discovered that QakBot (aka Qbot) operators have abandoned ProLock for Egregor ransomware. Egregor has been actively distributed since September 2020 and has so far hit […]

securityaffairs.co

---

New Grelos skimmer variant reveals murkiness in tracking Magecart operations

https://securityaffairs.co/wordpress/111165/malware/grelos-skimmer.html 

New Grelos skimmer variant reveals murkiness in tracking Magecart ops--Security Affairs

Researchers from RiskIQ analyzed the increased overlap of a new variant of the skimmer dubbed Grelos and the operations of the groups under the Magecart umbrella. The analysis demonstrates the difficulty in associating new strains of skimmer to groups […]

securityaffairs.co

---

REvil ransomware demands 500K ransom to Managed.com hosting provider

https://securityaffairs.co/wordpress/111154/cyber-crime/managed-com-revil-ransomware.html 

REvil ransomware demands 500K ransom to Managed.com provider--Security Affairs

Managed web hosting provider Managed.com was hit by a REvil ransomware attack over the weekend that took their servers and web hosting systems offline. At the time of writing this post, Managed.com hosting […]

securityaffairs.co

---

Cisco fixed flaws in WebEx that allow ghost participants in meetings

https://securityaffairs.co/wordpress/111145/hacking/cisco-webex-meetings-flaws.html 

Cisco fixed flaws in WebEx that allow ghost participants in meetings--Security Affairs

Cisco has addressed three vulnerabilities in Webex Meetings (CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419) that would have allowed unauthenticated remote attackers to join ongoing meetings as ghost participants. “A vulnerability in ...

securityaffairs.co

---

Phishing campaign targets LATAM e-commerce users with Chaes Malware

https://securityaffairs.co/wordpress/111133/cyber-crime/chaes-malware.html 

Phishing campaign targets LATAM e-commerce users with Chaes Malware--Security Affairs

Cybereason Nocturnus security researchers have identified an active campaign focused on the users of a large e-commerce platform in Latin America. Experts at Cybereason Nocturnus have uncovered an active campaign targeting the users […]

securityaffairs.co

---

Office 365 phishing campaign uses redirector URLs and detects sandboxes to evade detection

https://securityaffairs.co/wordpress/111120/cyber-crime/office-365-phishing-campaign.html 

Office 365 phishing campaign uses redirector URLs and detects sandboxes to evade detection--Security Affairs

Microsoft is tracking an ongoing Office 365 phishing campaign that is targeting enterprises; the attacks are able to detect sandbox solutions and evade detection. “We’re tracking an active credential phishing attack targeting enterprises […]

securityaffairs.co

---

Unixfreaxjp at #R2CON2020 presented shellcode basics for radare2

https://securityaffairs.co/wordpress/111062/hacking/unixfreaxjp-r2con2020-shellcode-basics.html 

Unixfreaxjp at #R2CON2020 presented shellcode basics for radare2--Security Affairs

Shellcode plays an essential role in cyber attacks; the popular expert Unixfreaxjp explained how to use radare2 for various kinds of shellcode analysis.

Shellcode plays an important part in cyber intrusion activities and is mostly seen executing during process/thread injection or during the exploitation of memory space related to a vulnerability. […]

securityaffairs.co

---

VoltPillager: Hardware-based fault injection attacks against Intel SGX enclaves

https://securityaffairs.co/wordpress/111033/hacking/voltpillager-attack-intel-sgx.html 

VoltPillager: Hardware-based fault injection attacks against Intel SGX--Security Affairs

A group of six researchers from the University of Birmingham has devised a new attack technique, dubbed VoltPillager, that can break the confidentiality and integrity of Intel Software Guard Extensions (SGX) […]

securityaffairs.co

---

Unprotected database exposed a scam targeting 100K Facebook accounts

https://securityaffairs.co/wordpress/111018/cyber-crime/100k-facebook-accounts-scam.html 

Unprotected DB exposed a scam targeting 100K Facebook accounts--Security Affairs

Researchers at vpnMentor discovered an ElasticSearch database exposed online that contained an archive of over 100.000 compromised Facebook accounts. The archive was used by crooks as part of a global hacking campaign against users of the social network. “We […]

securityaffairs.co

---

Crooks use software skimmer that pretends to be a security firm

https://securityaffairs.co/wordpress/111009/cyber-crime/sucuri-software-skimmer.html 

Crooks use software skimmer that pretends to be security firm--Security Affairs

Researchers at Sucuri analyzed a software skimmer that is using their brand name in order to evade detection. The e-skimmer is a base64-encoded JavaScript blob that attackers inject into target webpages. During a routine investigation, the […]

securityaffairs.co

---

New skimmer attack uses WebSockets to evade detection

https://securityaffairs.co/wordpress/110982/hacking/skimmer-attack-websockets.html 

New skimmer attack uses WebSockets to evade detection--Security Affairs

Researchers from Akamai discovered a new skimmer attack that is targeting several e-stores with a new technique to exfiltrate data. Threat actors are using fake credit card forms and WebSockets to steal the financial and personal information of the […]

securityaffairs.co

---

New Jupyter information stealer appeared in the threat landscape

https://securityaffairs.co/wordpress/110967/malware/jupyter-malware.html 

New Jupyter information stealer appeared in the threat landscape--Security Affairs

Researchers at Morphisec have spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims. The Jupyter malware is able to collect data from multiple […]

securityaffairs.co

---

The North Face website suffered a credential stuffing attack

https://securityaffairs.co/wordpress/110952/data-breach/the-north-face-credential-stuffing.html 

The North Face website suffered a credential stuffing attack--Security Affairs

Outdoor retail giant The North Face has forced a password reset for a number of its customers following a successful credential stuffing attack that took place on October 8th and 9th. Credential stuffing attacks involve botnets […]

securityaffairs.co

---

Officials confirm cyberattack on Saint John was ransomware

https://www.cbc.ca/news/canada/new-brunswick/saint-john-attack-was-ransonware-1.5805531 

Officials confirm cyberattack on Saint John was ransomware | CBC News

The recent cyber attack on the City of Saint John was ransomware, city officials confirmed at a news conference Tuesday afternoon.

www.cbc.ca

---

VMWare releases fix for critical ESXi, Workstation vulnerability

https://www.bleepingcomputer.com/news/security/vmware-releases-fix-for-critical-esxi-workstation-vulnerability/ 

VMWare releases fix for critical ESXi, Workstation vulnerability

VMware has released security updates to fix critical and high severity vulnerabilities in VMware ESXi, Workstation, Fusion, and Cloud Foundation, allowing for code execution and privilege escalation.

www.bleepingcomputer.com

---

QBot partners with Egregor ransomware in bot-fueled attacks

https://www.bleepingcomputer.com/news/security/qbot-partners-with-egregor-ransomware-in-bot-fueled-attacks/ 

QBot partners with Egregor ransomware in bot-fueled attacks


www.bleepingcomputer.com

---

Mount Locker ransomware now targets your TurboTax tax returns

https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/ 

Mount Locker ransomware now targets your TurboTax tax returns

The Mount Locker ransomware operation is gearing up for the tax season by specifically targeting TurboTax returns for encryption. Mount Locker is a relatively new ransomware operation that began ...

www.bleepingcomputer.com
