AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Blog Post

InfoSec News Nuggets 07/06/2021

Colombia catches hacker wanted in the U.S. for ‘Gozi’ virus

Colombian officials say they have arrested a Romanian hacker who is wanted in the U.S. for distributing a virus that infected more than a million computers from 2007 to 2012. Mihai Ionut Paunescu faces computer intrusion and banking fraud charges in New York, where prosecutors say he was part of a ring of criminals that developed and spread the “Gozi” virus and other forms of malware that were used to steal money from bank accounts. Prosecutors say that Gozi infected computers in at least eight countries, including the United States, Germany, Finland and the United Kingdom. Victims included individuals, corporations and also computers belonging to NASA. The virus traveled within PDF documents and once it entered a computer it was able to steal bank account passwords, enabling cyber criminals to take “tens of millions of dollars” from victims according to an indictment filed in the Southern District Court of New York.


REvil ransomware hits 1,000+ companies in MSP supply-chain attack

A massive REvil ransomware attack affects multiple managed service providers and over a thousand of their customers through a reported Kaseya supply-chain attack. Starting this afternoon, the REvil ransomware gang, aka Sodinokibi, targeted MSPs with thousands of customers, through what appears to be a Kaseya VSA supply-chain attack. At this time, there eight known large MSPs that have been hit as part of this supply-chain attack. Kaseya VSA is a cloud-based MSP platform that allows providers to perform patch management and client monitoring for their customers. Huntress Labs’ John Hammond has told BleepingComputer that all of the affected MSPs are using Kaseya VSA and that they have proof that their customers are being encrypted as well. “We are tracking 20 MSPs where Kaseya VSA was used to encrypt over 1,000 business and are working in close collaboration with six of them,” Hammond shared in blog post about the attack. Kaseya issued a security advisory on their help desk site, warning all VSA customers to immediately shut down their VSA server to prevent the attack’s spread while investigating.


Gang behind huge cyber-attack demands $70m in Bitcoin

The gang behind a “colossal” ransomware attack has demanded $70m (£50.5m) paid in Bitcoin in return for a “universal decryptor” that it says will unlock the files of all victims. The REvil group claims its malware, which initially targeted US IT firm Kaseya, has hit one million “systems”. This number has not been verified and the exact total of victims is unknown. However, it does include 500 Swedish Coop supermarkets and 11 schools in New Zealand. Two Dutch IT firms have also been hit, according to local media reports.  Experts have expressed surprise at the group’s demand that the ransom should be paid in Bitcoin, as opposed to harder-to-trace cryptocurrencies such as Monero. On Twitter, Prof Martin called REvil’s decision to demand payment in Bitcoin, “weird”.


Popular Audacity audio app dubbed ‘spyware’ by users over policy changes from new owner

Since its first release in 2000, Audacity has served as a useful audio editing tool for both Windows and Mac. Audacity grew in popularity fast thanks to being both free and open-source. Earlier this year, Muse Group acquired the development project and would be continuing the main fork. There weren’t many issues with that change until now.  The Audacity Privacy notice was updated on July 2 to include new data collection provisions. The new owners break down the two main types of data they collect including data for analytics and for legal enforcement. The analytics are limited to more specific information including the OS version, CPU, user country (based on IP), and error codes. The main issue most have with the change is the vague and overarching wording, especially within the legal enforcement section. They list the personal data they collect as, “Data necessary for law enforcement, litigation and authorities’ requests (if any)” without any limitations. That’s a significant change to Audacity after over 20 years of development.


NSA, FBI Reveal Hacking Methods Used by Russian Military Hackers

An ongoing brute-force attack campaign targeting enterprise cloud environments has been spearheaded by the Russian military intelligence since mid-2019, according to a joint advisory published by intelligence agencies in the U.K. and U.S. The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the U.K.’s National Cyber Security Centre (NCSC) formally attributed the incursions to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS). The threat actor is also tracked under various monikers, including APT28 (FireEye Mandiant), Fancy Bear (CrowdStrike), Sofacy (Kaspersky), STRONTIUM (Microsoft), and Iron Twilight (Secureworks). APT28 has a track record of leveraging password spray and brute-force login attempts to plunder valid credentials that enable future surveillance or intrusion operations. In November 2020, Microsoft disclosed credential harvesting activities staged by the adversary aimed at companies involved in researching vaccines and treatments for COVID-19. What’s different this time around is the actor’s reliance on software containers to scale its brute-force attacks.

Related Posts