OSINT News - May18 by Bart Otten


Ramsay: A cyberespionage toolkit tailored for air‑gapped networks

https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/ 

ESET researchers have discovered Ramsay, a previously unreported cyber-espionage framework that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air-gapped networks.

www.welivesecurity.com

---

A cyber attack hit a port on Strait of Hormuz, Iran said

https://securityaffairs.co/wordpress/103088/cyber-warfare-2/iran-strait-hormuz-port-cyberattack.html 

Iran's officials revealed that hackers compromised and damaged a small number of computers at the port of Shahid Rajaei in the city of Bandar Abbas. Iranian officials announced on Sunday that hackers damaged a small number of systems at the port of Shahid Rajaei in the city of Bandar Abbas. Bandar Abbas is the […]

securityaffairs.co

---

Updated BackConfig Malware Targeting Government and Military Organizations in South Asia

https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations 

Conclusion. The Hangover group (aka Neon, Viceroy Tiger, MONSOON) is active and targeting, according to Unit 42’s visibility, government and military organisations in South Asia using spear-phishing emails containing letters or government forms to lure victims into browsing to compromised websites serving weaponized Excel documents that install the BackConfig Trojan.

unit42.paloaltonetworks.com

---

Backdoors in recent espionage attempts link to Microcin malware

https://www.bleepingcomputer.com/news/security/backdoors-in-recent-espionage-attempts-link-to-microcin-malware/ 

Antivirus engines foiled an advanced attacker's attempts to infiltrate a governmental institution and corporate networks of two companies in the telecommunications and gas sector.

www.bleepingcomputer.com

---

Interserve UK defense contractor hacked, up to 100,000 past and present employees details exposed

https://securityaffairs.co/wordpress/103285/data-breach/interserve-data-breach.html 

Britain’s Ministry of Defence contractor Interserve has been hacked; intruders have stolen up to 100,000 past and present employees’ details. Interserve, a contractor for Britain’s Ministry of Defence, suffered a security breach in which hackers stole up to 100,000 past and current employees’ details. The company currently has around 53,000 employees. Stolen data includes […]

securityaffairs.co

---

Mirai and Hoaxcalls Botnets Target Legacy Symantec Web Gateways

https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/ 

Executive Summary. As part of Unit 42’s efforts to proactively monitor threats circulating in the wild, I recently came across new Hoaxcalls and Mirai botnet campaigns targeting a post-authentication Remote Code Execution vulnerability in Symantec Secure Web Gateway 5.0.2.8, which is a product that became end-of-life (EOL) in 2015 and end-of-service-life (EOSL) in 2019.

unit42.paloaltonetworks.com

---

Threat Spotlight: Astaroth — Maze of obfuscation and evasion reveals dark stealer

https://blog.talosintelligence.com/2020/05/astaroth-analysis.html 

blog.talosintelligence.com

---

Breaking news? App promises news feeds, brings DDoS attacks instead

https://www.welivesecurity.com/2020/05/11/breaking-news-app-promises-news-brings-ddos-attacks/ 

ESET researchers discovered a malicious Android app used for launching DDoS attacks that targeted ESET’s website. Here's what the subsequent research showed.

www.welivesecurity.com

---

Mandrake – owning Android devices since 2016

https://labs.bitdefender.com/2020/05/mandrake-owning-android-devices-since-2016/ 

In early 2020 we identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. We named the threat Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. Briar, Ricinus or Nerium. An investigation by Bitdefender researchers Marius TIVADAR, Rickey GEVERS, Rareș ...

labs.bitdefender.com

---

Backtracking MageCart infections

https://maxkersten.nl/2020/05/06/backtracking-magecart-infections/ 

maxkersten.nl

---

Zeus Sphinx continues to be used in Coronavirus-themed attacks

https://securityaffairs.co/wordpress/103075/cyber-crime/zeus-sphinx-coronavirus-attacks.html 

The Zeus Sphinx banking Trojan continues to evolve while receiving new updates; it is employed in ongoing coronavirus-themed scams. The Zeus Sphinx banking Trojan is based on the code of the Zeus v.2 Trojan that was leaked online. At the end of March, experts from IBM X-Force uncovered a hacking ...

securityaffairs.co

---

The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet

https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/ 


---

Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering

https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering 

Zoom announces the acquisition of Keybase and announces a plan to build end-to-end encryption that can reach current Zoom scalability.

blog.zoom.us

---

Microsoft Patch for Reverse RDP Flaw Leaves Room for Other Attacks

https://www.darkreading.com/vulnerabilities---threats/microsoft-patch-for-reverse-rdp-flaw-leaves-room-for-other-attacks-/d/d-id/1337828 

Turns out a patch Microsoft issued in February to address a previous — but improper — fix released last August for a security flaw in its Remote Desktop Protocol (RDP) doesn't fully do the job ...

www.darkreading.com

---

Making MITRE ATT&CK Actionable

https://swimlane.com/blog/making-mitre-attck-actionable/?utm_source=bambu&utm_medium=social&utm_campaign=advocacy&blaid=550515 

The Swimlane Deep Dive team is excited to announce the release of pyattck 2.0 and an equivalent PowerShell version called PSAttck.

swimlane.com

---

The RE&CT Framework is designed for accumulating, describing and categorizing actionable Incident Response techniques.

https://atc-project.github.io/atc-react 

atc-project.github.io

---

Wannabe ransomware operators arrested before hospital attacks

https://www.bleepingcomputer.com/news/security/wannabe-ransomware-operators-arrested-before-hospital-attacks/ 

Law enforcement in Romania today arrested a group of individuals that were planning ransomware attacks against healthcare institutions in the country.

www.bleepingcomputer.com

---

STAMINA, a new approach to malware detection by Microsoft, Intel

https://securityaffairs.co/wordpress/103043/malware/stamina-malware-detection.html 

Microsoft and Intel have devised a new approach to malware detection, dubbed STAMINA, that involves deep learning and the representation of malware as images. STAtic Malware-as-Image Network Analysis (STAMINA) is a new approach to malware detection proposed by Microsoft and Intel. The study is based on a previous work of Intel’s researchers on static malware […]

securityaffairs.co

---

Trojan Lampion is back after 3 months

https://securityaffairs.co/wordpress/103128/malware/trojan-lampion-3-months-later.html 

Trojan Lampion is back after 3 months. The malware was observed in the last few days with a new obfuscation layer, a new C2, and distributed inside an MSI file. Trojan Lampion is a malware observed at the end of the year 2019 impacting Portuguese users, using template emails from the Portuguese Government Finance & Tax and EDP. The latest campaigns in Portugal were observed […]

securityaffairs.co

---

Ransomware Hit ATM Giant Diebold Nixdorf

https://krebsonsecurity.com/2020/05/ransomware-hit-atm-giant-diebold-nixdorf 

krebsonsecurity.com

---

Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html 

Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment.

www.fireeye.com

---

Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

https://www.wired.com/story/thunderspy-thunderbolt-evil-maid-hacking/ 

The so-called Thunderspy attack takes less than five minutes to pull off with physical access to a device, and it affects any PC manufactured before 2019.

www.wired.com

---

Sodinokibi ransomware uses MS API to encrypt open and locked files

https://securityaffairs.co/wordpress/103030/malware/sodinokibi-ransomware-new-feature.html 

Researchers warn of a new feature implemented in the Sodinokibi ransomware; the threat can now encrypt open and locked files. The Sodinokibi ransomware (REvil) continues to evolve; operators implemented a new feature that allows the malware to encrypt victims’ files, even if they are opened and locked by another process. Many applications lock files to prevent […]

securityaffairs.co

---

Swiss rail vehicle manufacturer Stadler hit by a malware-based attack

https://securityaffairs.co/wordpress/103012/cyber-crime/stadler-data-breach.html 

Stadler, a Swiss manufacturer of railway rolling stock, disclosed a data breach; hackers attempted to blackmail the company. International rail vehicle manufacturer Stadler disclosed a security breach that might have also allowed the attackers to steal company data. Attackers confirmed that attackers compromised the IT network of the company and deployed some of its machines with malware that

securityaffairs.co

---

BSC Bulletin 335 -ELEXON’s internal IT systems have been impacted by a cyber attack

https://www.elexonportal.co.uk/news/view/27108 

---

Crooks stole $10 million from Norway’s state investment fund Norfund

https://securityaffairs.co/wordpress/103242/cyber-crime/norway-norfund-scam.html 

Norway’s state investment fund, Norfund, suffered a business email compromise (BEC) attack; hackers stole $10 million. Hackers stole $10 million from Norway’s state investment fund, Norfund, in a business email compromise (BEC) attack. Norfund is a private equity company established by the Norwegian Storting (parliament) in 1997 and owned by the Norwegian Ministry of Foreign […]

securityaffairs.co

---

Healthcare giant Magellan Health discloses data breach after ransomware attack

https://securityaffairs.co/wordpress/103167/breaking-news/magellan-health-ransomware-attack.html 

Magellan Health, a for-profit managed health care and insurance firm, was the victim of a ransomware attack. Magellan Health Inc. is an American for-profit managed health care company; its customers include health plans and other managed care organizations, employers, labor unions, various military and governmental agencies and third-party administrators. The company ranks 417 on the Fortune […]

securityaffairs.co

---

Security Flaws in Adobe Acrobat Reader Allow Malicious Program to Gain Root on macOS Silently

https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/ 

Yuebin Sun (@yuebinsun) of Tencent Security Xuanwu Lab. 0x0 Summary. Today, Adobe Acrobat Reader DC for macOS patched three critical vulnerabilities (CVE-2020-9615, CVE-2020-9614, CVE-2020-9613) I reported

rekken.github.io

---

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more)

https://windows-internals.com/printdemon-cve-2020-1048/ 

We promised you there would be a Part 1 to FaxHell, and with today’s Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR rules, gain persistence, and more. Ironically, the Print Spooler continues to be one of the oldest Windows components that ...

windows-internals.com

---

Palo Alto Networks addresses tens of serious issues in PAN-OS 

https://securityaffairs.co/wordpress/103265/security/palo-alto-networks-pan-os-flaws.html 

Palo Alto Networks addressed tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls. Palo Alto Networks has issued security updates to address tens of vulnerabilities in PAN-OS, the software that runs on the company’s next-generation firewalls. One of the most severe vulnerabilities, tracked as CVE-2020-2018, is an authentication bypass ...

securityaffairs.co

---

Google WordPress Site Kit plugin grants attacker Search Console Access

https://securityaffairs.co/wordpress/103219/hacking/google-wordpress-site-kit-flaw.html 

Experts found a critical bug in Google’s official WordPress plugin ‘Site Kit’ that could allow hackers to gain owner access to targeted sites’ Google Search Console. The Site Kit WordPress plugin makes it easy to set up and configure key Google products (i.e. Search Console, Analytics, Tag Manager, PageSpeed Insights, Optimize, and AdSense), giving users authoritative and […]

securityaffairs.co

---

Patch now your vBulletin install before hacker will target your forum

https://securityaffairs.co/wordpress/103099/hacking/vbulletin-critical-flaw.html

Maintainers of the vBulletin project have released an important fix to address a security vulnerability tracked as CVE-2020-12720. Administrators of online discussion forums based on the popular vBulletin CMS are urged to update their install to address a critical security vulnerability tracked as CVE-2020-12720. “A security exploit has been reported within vBulletin 5.6.1. To fix this issue, […]

securityaffairs.co