Tuesday, June 15, 2021

Overview of security incidents from May 29 to June 4, 2021

A brief overview of the main events in the world of information security for the week

Attacks on Linux servers, banking Trojans disguised as Kaspersky Lab anti-virus applications, a new generation of ransomware groups, and interruptions to meat supplies in the United States caused by a cyberattack: these and other security incidents from the period May 29 to June 4, 2021.

Last week, ransomware attacks dominated the headlines. The most notorious was the attack on JBS, the world's largest meat producer, which halted some meat-processing operations in Australia and the United States. According to informed sources, the REvil (Sodinokibi) group, which many security researchers link to Russia, is responsible for the incident.

Japanese multinational conglomerate FujiFilm also suffered at the hands of REvil this week. Due to the attack, the company had to turn off part of its IT network, as a result of which some services in its offices around the world became unavailable. The company has initiated an investigation and is assessing the damage.

On June 2, unidentified ransomware operators attacked the systems of the Steamship Authority, the state-chartered Massachusetts body that regulates all ferry services between the mainland and the islands of Martha's Vineyard and Nantucket. The incident disrupted ferry service between the mainland and the islands.

The US hospital network UF Health Central Florida was hit by a ransomware attack that forced two of its Florida hospitals to shut down their IT networks and switch to manual procedures.

The past workweek was also marked by the return of the notorious Babuk ransomware group, with a new project for "young and promising" cybercriminals, and by the emergence of new ransomware groups.

Babuk announced the end of its operations at the end of April this year. Nevertheless, two weeks later the hackers resurfaced with a new, "really cool" project: the Payload Bin platform, where young ransomware operators who have no name or leak site of their own can publish their stolen data.

Researchers have discovered two new ransomware groups, Prometheus and Grief. Prometheus targets businesses across many industries worldwide. To date it has published data on 27 victims, and this appears to be only the beginning of its "career". Its victim list includes the gas company Ghana National Gas, the Tulsa Center of Excellence in Cardiovascular System (Oklahoma, USA), the Nyack Hotel (New York, USA), and enterprises in France, Norway, Switzerland, the Netherlands, Brazil, Malaysia and the UAE. Grief is a lesser-known group; by the criminals' own account, they have stolen data from five organizations.

Operators of a new ransomware called Epsilon Red are exploiting vulnerabilities in Microsoft Exchange servers to compromise corporate networks. Epsilon Red is written in Go and is accompanied by a set of PowerShell scripts that prepare a machine for file encryption. The scripts kill processes and stop services belonging to security products, databases, backup software, Office applications and email clients; delete Volume Shadow Copies; steal the Security Account Manager (SAM) hive, which holds password hashes; clear Windows event logs; disable Windows Defender; and elevate privileges on the system, among other things.
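The preparation steps listed above are the noisiest part of a ransomware intrusion and typically precede encryption by minutes, which makes them a good detection target. The following added example (not code from the article, from the researchers who analysed Epsilon Red, or from the malware authors) shows how a detection engineer might flag that phase: it matches process-creation command lines against a small rule set and raises an alert when several distinct techniques fire on one host inside a short window. The log format, field names, thresholds and sample log lines are all constructed assumptions.

```python
"""Flag ransomware "preparation" activity of the kind the Epsilon Red
PowerShell scripts perform: shadow copy deletion, event log clearing,
Defender tampering, SAM hive theft and killing backup/database/security
services. Added example, not code from the original article or the malware.
Assumed input: tab-separated process-creation records
  <ISO timestamp>\t<host>\t<user>\t<image>\t<command line>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each rule: (technique label, list of regexes that must ALL match the
# lowercased command line). Two patterns are used where word order varies.
RULES = [
    ("shadow_copy_deletion",
     [r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"]),
    ("event_log_clearing",
     [r"wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog"]),
    ("defender_tampering",
     [r"set-mppreference\s+.*-disable(realtimemonitoring|ioavprotection|behaviormonitoring)"]),
    ("sam_hive_theft",
     [r"reg(\.exe)?\s+save\s+hklm\\sam|\\windows\\system32\\config\\sam"]),
    ("security_or_backup_service_kill",
     [r"\b(taskkill|stop-process|stop-service|net\s+stop|sc\s+stop)\b",
      r"\b(veeam|backup|mssql|sql|msexchange|outlook|defender|mcafee|sophos|symantec|kaspersky)\b"]),
]
COMPILED = [(label, [re.compile(p) for p in pats]) for label, pats in RULES]


def classify(cmdline):
    """Return the set of technique labels that one command line matches."""
    c = cmdline.lower()
    return {label for label, pats in COMPILED if all(p.search(c) for p in pats)}


def parse_line(line):
    """Parse one tab-separated process-creation record (assumed format)."""
    ts, host, user, image, cmd = line.split("\t", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "image": image, "cmd": cmd}


def find_prep_clusters(lines, window=timedelta(minutes=10), threshold=3):
    """Return {host: sorted technique labels} for every host on which at
    least `threshold` distinct techniques were observed within `window`.
    A single shadow-copy deletion by an admin is not an alert on its own;
    several techniques in quick succession on one host is."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        hits = classify(ev["cmd"])
        if hits:
            per_host[ev["host"]].append((ev["ts"], hits))
    alerts = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, hits in events[i:]:
                if t - t0 > window:
                    break
                seen |= hits
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


# Constructed sample log: one host shows the full preparation sequence,
# one shows a lone (benign-looking) shadow copy cleanup, one stops an
# unrelated service. Only the first should alert.
SAMPLE_LOG = """\
2021-06-01T02:14:05\tWS-FIN-07\tCORP\\svc_backup\tpowershell.exe\tpowershell.exe -nop -w hidden -c "Get-Service | Where-Object {$_.Name -match 'Veeam|MSSQL|MSExchange'} | Stop-Service -Force"
2021-06-01T02:14:09\tWS-FIN-07\tCORP\\svc_backup\tvssadmin.exe\tvssadmin.exe delete shadows /all /quiet
2021-06-01T02:14:11\tWS-FIN-07\tCORP\\svc_backup\treg.exe\treg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv
2021-06-01T02:14:12\tWS-FIN-07\tCORP\\svc_backup\tpowershell.exe\tpowershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2021-06-01T02:14:20\tWS-FIN-07\tCORP\\svc_backup\twevtutil.exe\twevtutil.exe cl Security
2021-06-01T09:30:00\tSRV-BACKUP-01\tCORP\\jdoe\tvssadmin.exe\tvssadmin.exe delete shadows /for=C: /oldest
2021-06-01T17:45:00\tWS-HR-02\tCORP\\admin\tpowershell.exe\tpowershell.exe -c "Stop-Service -Name Spooler"
"""

if __name__ == "__main__":
    for host, techniques in find_prep_clusters(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

The rule set is deliberately small and the patterns are matched on the command line only; in production you would pair them with parent-process context (a PowerShell child of an Exchange worker process is far more suspicious than the same command run from an admin's console) and tune the window and threshold against your own baseline of legitimate backup and patching jobs.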

There were also new reports of cyber espionage. Hackers allegedly working for the Chinese government broke into the computer systems of the Metropolitan Transportation Authority (MTA), the public transportation authority serving 12 counties in southeastern New York and two counties in southwestern Connecticut. The attackers sought no financial gain, deployed no ransomware and demanded no ransom; the intrusion was reportedly part of a larger cyber operation attributed to the same actors.

The US National Security Agency used its relationship with the Danish intelligence service to spy on senior officials in France, Sweden, Norway and Germany. According to an internal Danish intelligence investigation, in 2012-2014 the NSA used Danish telecommunications cables to monitor the political "elite" of those countries, including then German Chancellor Angela Merkel; Frank-Walter Steinmeier, who was German Foreign Minister at the time and is now Federal President of Germany; and former Finance Minister Peer Steinbrück.

Researchers have discovered new malware called SkinnyBoy that has been used in targeted phishing attacks. The campaign has been linked to the Russian-speaking group APT28 (also known as Fancy Bear, Sednit, Sofacy, Strontium or Pawn Storm), which used SkinnyBoy to attack military and government organizations earlier this year. SkinnyBoy is a mid-stage implant: it collects information about the victim machine and retrieves the next-stage payload from the C&C server.

The Public Health Agency of Sweden (Folkhälsomyndigheten) has taken its SmiNet infectious disease database offline after a series of intrusion attempts. SmiNet, which also stores electronic reports and statistics on COVID-19 cases, will remain offline while the attempts are investigated; as a result, Sweden has gone several days without national coronavirus case statistics.

Attackers are actively exploiting a zero-day vulnerability (CVE-2021-24370) in the popular WordPress plugin Fancy Product Designer. Through this vulnerability, an attacker can achieve remote code execution on a vulnerable site and take full control of it.

A professional cybercriminal group is attacking Linux servers and installing rootkits and backdoors on them through a vulnerability in the web hosting software Control Web Panel (CWP, formerly CentOS Web Panel). Since at least February of this year, the group has been scanning the internet for CWP installations; using an exploit for an older CWP vulnerability, it gains access to the administration panel and installs the Facefish backdoor, whose main purpose is to collect information about the device, execute arbitrary commands and steal SSH credentials from the infected host.

Attackers are distributing malware disguised as popular Android applications from well-known companies. Fake VLC player, Kaspersky Anti-Virus, FedEx and DHL apps install the Teabot or Flubot banking Trojans, both first seen earlier this year, on victims' devices. The fake apps are not in the Google Play Store and are distributed only through third-party stores.
