News – June 2021


  • ‘Oddball’ Malware Blocks Access to Pirated Software

    June 18, 2021

    The objective of most malware is some kind of gain — financial or otherwise — for the attackers who use it. However, researchers recently observed a unique malware with a single intent: Blocking the infected computers from visiting websites dedicated to software piracy. The malware (which SophosLabs principal researcher Andrew Brandt called “one of the strangest ...

  • Fake DarkSide Campaign Targets Energy and Food Sectors

    June 18, 2021

    The ransomware attack on the major fuel supply company Colonial Pipeline recently made headlines. The incident has been attributed to the DarkSide threat actor, once again thrusting the group’s name into the spotlight. With this, it would not be surprising to find threat actors taking advantage of this incident for their own socially-engineered campaigns. Several companies ...

  • A deep dive into the operations of the LockBit ransomware group

    June 18, 2021

    Researchers have provided an in-depth look at how LockBit, one of the newer ransomware groups on the scene, operates. Ransomware has become one of the most disruptive forms of cyberattack this year. It was back in 2017 with the global WannaCry outbreak that we first saw the severe disruption the malware could cause, and in 2021, ...

  • Carnival Cruise Cyber-Torpedoed by Cyberattack

    June 18, 2021

    Carnival Corp., the world’s largest cruise-ship operator, has sprung another leak: For the second time in a year, attackers have breached email accounts and accessed personal, financial and health information belonging to guests, employees and crew. Carnival has quite the armada: Its cruise brands include Carnival Cruise Line, Princess Cruises, Holland America Line, Seabourn, P&O Cruises ...

  • Black Kingdom ransomware

    June 17, 2021

    Black Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021. The ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065). The complexity and sophistication of the Black Kingdom family cannot bear a comparison with other Ransomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. ...

  • Kremlin spokesman lists top countries where cyber attacks originate

    June 17, 2021

    Kremlin Spokesman Dmitry Peskov has prepared a list of the top countries, where cyber attacks originate, at the request of Russian President Vladimir Putin, handing over this list to reporters. “In the first half of 2020, the leaders among all countries where all types of cyber attacks originated are: the US, Canada, Brazil, Mexico, the UK,” ...

  • Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions

    June 17, 2021

    A recently discovered Bash ransomware piqued our interest in multiple ways. Upon investigating, we found that the attack chain is fully implemented as a bash script, but it also seems that the scripts are still under development. Most components of this attack mainly target Red Hat and CentOS Linux distributions; however, in some scripts Debian-based Linux ...

  • Biden gave Putin list of 16 critical infrastructure entities ‘off limits’ to cyberattacks

    June 17, 2021

    President Biden told reporters Wednesday he gave President Vladimir Putin a list of 16 critical infrastructure entities that are “off limits” to a Russian cyberattack. Those entities include energy, water, health care, emergency, chemical, nuclear, communications, government, defense, food, commercial facilities, IT, transportation, dams, manufacturing and financial services. “We’ll find out whether we have a cybersecurity arrangement ...

  • Russia’s Cyber Policy Efforts in the United Nations

    June 17, 2021

    This paper presents and examines the activities and views of Russia, one of the most (if not the most) important members of the latter group. Although Russia initiated discussions in the UN and has since actively shaped various processes, widespread awareness of the breadth and depth of Russian activities has been lagging. In particular, Russia’s ...

  • Matanbuchus: Malware-as-a-Service with Demonic Intentions

    June 16, 2021

    Unit 42 researchers often spend time investigating what we call non-traditional sources. Non-traditional sources often include underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels and other marketplaces. One such case that we investigated involves a threat actor called BelialDemon, who is a member of several underground forums and marketplaces. In ...

  • Billions of records belonging to CVS Health exposed online

    June 16, 2021

    In another example of misconfigured cloud services impacting security, billions of records belonging to CVS Health have been exposed online. On Thursday, WebsitePlanet, together with researcher Jeremiah Fowler, revealed the discovery of an online database belonging to CVS Health. The database was not password-protection and had no form of authentication in place to prevent unauthorized entry. Upon ...

  • Ferocious Kitten: 6 years of covert surveillance in Iran

    June 16, 2021

    Ferocious Kitten is an APT group that since at least 2015 has been targeting Persian-speaking individuals who appear to be based in Iran. Although it has been active for a long time, the group has mostly operated under the radar and has not been covered by security researchers to the best of our knowledge. It ...

  • Ukraine arrests Clop ransomware gang members, seizes servers

    June 16, 2021

    Ukrainian law enforcement arrested cybercriminals associated with the Clop ransomware gang and shut down infrastructure used in attacks targeting victims worldwide since at least 2019. According to the Cyberpolice Department of the National Police of Ukraine the ransomware group is behind total financial damages of roughly $500 million. Read more… Source: Bleeping Computer  

  • Ransomware Poll: 80% of Victims Don’t Pay Up

    June 16, 2021

    Ransomware is on the rise, but what toll does it take on the real world? Threatpost set out to answer that question in an exclusive poll aimed at taking the pulse of organizations wrestling with attacks, including looking at mitigations and the defenses organizations have in place. When viewed against the backdrop of complementary reports from ...

  • Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise

    June 16, 2021

    Mandiant observed DARKSIDE affiliate UNC2465 accessing at least one victim through a Trojanized software installer downloaded from a legitimate website. While this victim organization detected the intrusion, engaged Mandiant for incident response, and avoided ransomware, others may be at risk. As reported in the Mandiant post, “Shining a Light on DARKSIDE Ransomware Operations,” Mandiant Consulting has ...