Security daily (28-07-2021)

Threat intel firms suggest ransomware gang 'BlackMatter' has ties to DarkSide, REvil hackers

Digital sleuths at cyber threat intelligence firms have found clues that a seemingly new ransomware organization has links to DarkSide and REvil, two gangs that suddenly disappeared shortly after major attacks. From the moment DarkSide vanished following the Colonial Pipeline incident and REvil went dark after locking up JBS and customers of Kaseya, questions swirled about whether a government took them down, whether attackers quit, or whether they simply went underground to rebrand. Flashpoint, Mandiant and Recorded Future on Tuesday and Wednesday said they discovered at least some connection between DarkSide and/or REvil and BlackMatter, a group that emerged last week. “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit,” BlackMatter itself proclaimed, according to Recorded Future. LockBit is another ransomware operation that first appeared in 2019, and all three are thought to operate out of Russia. Exactly what “best features” BlackMatter borrowed from other […] (CyberScoop)

Why grassroots efforts like #ShareTheMicInCyber play a vital role in a whole-of-society approach to cyber

Amid increasingly sophisticated ransomware and supply chain attacks, the cybersecurity community needs a cultural shift and novel ideas to help new executive branch leadership operationalize President Biden’s recent Executive Order. The insight and authority of the government — coupled with the agility and innovation of the private sector — will create a powerful force multiplier capable of painting a clearer picture of the threat landscape, timelier coordination of defensive activities, and quicker recovery. Unfortunately, for many reasons, like fear of legal or regulatory liability, lack of regulations and incentives, and uncertainty about where to turn, strong collaboration is largely unrealized today and is limiting the US’s ability to get ahead of cyber threats. The lack of trust between the public and private sectors must be overcome at the grassroots level by creating strong communities and humanizing practitioners. But the onus of creating partnerships across sectors cannot rest with the government or the private sector alone. The entire […] (CyberScoop)

Biden says 'shooting war' could break out with foreign heavyweights over cyberattacks

The U.S. is “more likely” to end up in a “real shooting war with a major power” over a cyber incident than other kinds of conflict, President Joe Biden suggested on Tuesday. “We’ve seen how cyber threats, including ransomware attacks, increasingly are able to cause damage and disruption to the real world,” he said at a speech at the Office of the Director of National Intelligence’s National Counterterrorism Center in McLean, Virginia. “And it’s increasing exponentially — the capabilities.” While Biden delivered his speech before intelligence personnel, at least one of his intended recipients appeared to be Russian President Vladimir Putin. The Biden administration has been talking tough about Russia providing safe haven for ransomware gangs believed to be responsible for headline-making attacks on Colonial Pipeline, JBS and Kaseya. Biden has pressed that message to Putin directly as recently as July. Russia has rejected U.S. suggestions of wrongdoing. “I can’t […] (CyberScoop)

Biden issues memo to push critical infrastructure cybersecurity upgrades

President Joe Biden on Wednesday signed a national security memorandum tasking a group of federal agencies to develop cybersecurity performance goals for critical infrastructure. The directive is the latest effort from the Biden administration to get critical industries on board with improving cybersecurity in areas that could impact national security and the economy. The executive memo follows a security directive handed down by the Transportation Security Administration last week requiring owners and operators of TSA-designated critical pipelines to implement mitigations to protect against ransomware and other threats. “Our current posture is woefully insufficient given the evolving threat we face today,” a senior administration official told reporters in a call on Tuesday. “We really kicked the can down the road for a long time. The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory.” The Department of Homeland […] (CyberScoop)

Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers

(News ≈ Packet Storm)

LEAs, CISA Lobby For Breach Reporting Requirement

(News ≈ Packet Storm)

Enterprise Data Breach Cost Reached Record High During Pandemic

(News ≈ Packet Storm)

Biden: Major Cyber Attack Could Lead To A Real Shooting War

(News ≈ Packet Storm)

Stylish Magento Card Stealer loads Without Script Tags

Recently one of our analysts, Weston H., found a very interesting credit card stealer in a Magento environment which loads malicious JavaScript without using any script tags. In this post I will go over how it was found, how to decode it and how it works! One of our clients was reporting that one of their website visitors was receiving a warning from their antivirus program when navigating to their checkout page.

Calls were being made to a known malicious domain that was already blacklisted by multiple vendors for distributing malware and involvement in carding attacks.

This certainly indicated that a card stealer was present somewhere on our client’s website. (Sucuri Blog)

UBEL is the New Oscorp — Android Credential Stealing Malware Active in the Wild

An Android malware that was observed abusing accessibility services in the device to hijack user credentials from European banking applications has morphed into an entirely new botnet as part of a renewed campaign that began in May 2021. Italy's CERT-AGID, in late January, disclosed details about Oscorp, a mobile malware developed to attack multiple financial targets with the goal of stealing (The Hacker News)

Chinese Hackers Implant PlugX Variant on Compromised MS Exchange Servers

A Chinese cyberespionage group known for targeting Southeast Asia leveraged flaws in the Microsoft Exchange Server that came to light earlier this March to deploy a previously undocumented variant of a remote access trojan (RAT) on compromised systems. Attributing the intrusions to a threat actor named PKPLUG (aka Mustang Panda and HoneyMyte), Palo Alto Networks' Unit 42 threat intelligence team (The Hacker News)

Hackers Posed as Aerobics Instructors for Years to Target Aerospace Employees

An Iranian cyberespionage group masqueraded as an aerobics instructor on Facebook in an attempt to infect the machine of an employee of an aerospace defense contractor with malware as part of a years-long social engineering and targeted malware campaign. Enterprise security firm Proofpoint attributed the covert operation to a state-aligned threat actor it tracks as TA456, and by the wider (The Hacker News)

Hackers Turning to 'Exotic' Programming Languages for Malware Development

Threat actors are increasingly shifting to "exotic" programming languages such as Go, Rust, Nim, and Dlang that can better circumvent conventional security protections, evade analysis, and hamper reverse engineering efforts. "Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies," said Eric Milam, Vice President of (The Hacker News)

Dutch Police Arrest Two Hackers Tied to "Fraud Family" Cybercrime Ring

Law enforcement authorities in the Netherlands have arrested two alleged individuals belonging to a Dutch cybercriminal collective who were involved in developing, selling, and renting sophisticated phishing frameworks to other threat actors in what's known as a "Fraud-as-a-Service" operation. The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been (The Hacker News)

BlackMatter & Haron: Evil Ransomware Newborns or Rebirths

They’re either new or old REvil & DarkSide wine in new bottles. Both have a taste for deep-pocketed targets and DarkSide-esque virtue-signaling. (Threatpost)

Reboot of PunkSpider Tool at DEF CON Stirs Debate

Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON. (Threatpost)

Podcast: Why Securing Active Directory Is a Nightmare

Researchers preview work to be presented at Black Hat on how AD “misconfiguration debt” lays out a dizzying array of attack paths, such as in PetitPotam. (Threatpost)

/security-daily/ 29-07-2021 23:44:22