Cyber security news May 2021

This posting is here to collect cyber security news in May 2021.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Colonial Pipeline restores operations, $5 million ransom demanded
    Colonial Pipeline has recovered quickly from the ransomware attack suffered less than a week ago and expects all its infrastructure to be fully operational today. The company has already brought much of the pipeline system online and is currently delivering refined petroleum products to most of the markets it services. Multiple media publications on Wednesday, citing people familiar with the matter, reported that the company had no plan to pay the ransom, albeit Colonial Pipeline did not communicate its official position on this.
    Also: YLE:

  2. Tomi Engdahl says:

    Threat Actors Use MSBuild to Deliver RATs Filelessly
    Anomali Threat Research discovered a campaign in which threat actors used MSBuild – a tool used for building apps that gives users an XML schema controlling how the build platform processes and builds software – to filelessly deliver RemcosRAT and RedLine Stealer using callbacks. The malicious MSBuild files we observed in this campaign contained encoded executables and shellcode, with some hosted on the Russian image-hosting site joxi[.]net. While we were unable to determine the distribution method of the .proj files, the objective of these files was to execute either Remcos or RedLine Stealer. The majority of the samples we analyzed deliver Remcos as the final payload.
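    The comment above describes .proj files that carry encoded executables and shellcode inside MSBuild's inline-task mechanism. The script below is an added detection example written for this page; it is not Anomali's code, and the sample project files embedded in it are constructed for the demonstration, not samples from the campaign. It parses an MSBuild project and flags the three things a defender would triage: a UsingTask that points at an inline code task factory (CodeTaskFactory or RoslynCodeTaskFactory), a <Code> element compiled at build time, and long base64-like blobs or loader-style .NET API names inside that code. The namespace handling covers both the classic `xmlns` form and the namespace-less form newer MSBuild versions accept.

```python
import re
import xml.etree.ElementTree as ET

# Task factories that compile source embedded in the project file at build time.
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# A contiguous base64-looking run this long is unusual in a legitimate build script.
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{200,}")
# .NET/Win32 names commonly seen in in-memory loaders (indicator list is an assumption).
SUSPICIOUS_APIS = ("FromBase64String", "VirtualAlloc", "CreateThread", "Assembly.Load")


def _local(tag):
    """Strip the XML namespace so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_project(xml_text):
    """Return a list of (kind, detail) findings for one MSBuild project file."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        name = _local(el.tag)
        text = el.text or ""
        if name == "UsingTask":
            factory = el.get("TaskFactory", "")
            if factory.lower() in INLINE_TASK_FACTORIES:
                findings.append(("inline-task-factory",
                                 f"UsingTask {el.get('TaskName')} uses {factory}"))
        elif name == "Code":
            findings.append(("inline-code",
                             f"<Code Language=\"{el.get('Language', '?')}\"> block, {len(text)} chars"))
            for api in SUSPICIOUS_APIS:
                if api in text:
                    findings.append(("suspicious-api", f"{api} referenced in inline code"))
        m = BLOB_RE.search(text)
        if m:
            findings.append(("embedded-blob",
                             f"{len(m.group())}-char base64-like run inside <{name}>"))
    return findings


# Constructed sample: an inline C# task that decodes an embedded blob (placeholder bytes).
SAMPLE_PROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <RunStage />
  </Target>
  <UsingTask TaskName="RunStage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[
        using System;
        public class RunStage : Microsoft.Build.Utilities.Task {
          static string blob = "%s";
          public override bool Execute() {
            byte[] buf = Convert.FromBase64String(blob);
            return true;
          }
        }
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""" % ("QUJD" * 80)

# Constructed sample: an ordinary project with no inline tasks.
BENIGN_PROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Message Text="hello" />
  </Target>
</Project>
"""

if __name__ == "__main__":
    for label, proj in (("sample", SAMPLE_PROJ), ("benign", BENIGN_PROJ)):
        print(label)
        for kind, detail in scan_msbuild_project(proj):
            print(f"  [{kind}] {detail}")
```

    Run it against a directory of .proj/.csproj files pulled from endpoints; a hit on inline-task-factory plus embedded-blob is the combination worth escalating, since build scripts in a source repository rarely need either.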

  3. Tomi Engdahl says:

    Meet Lorenz: A new ransomware gang targeting the enterprise
    A new ransomware operation known as Lorenz targets organizations worldwide with customized attacks demanding hundreds of thousands of dollars in ransoms. The Lorenz ransomware gang began operating last month and has since amassed a growing list of victims whose stolen data has been published on a ransomware data leak site. Michael Gillespie of ID Ransomware has told BleepingComputer that the Lorenz ransomware encryptor is the same as a previous operation known as ThunderCrypt.

  4. Tomi Engdahl says:

    Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity
    Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space greatly range in sophistication from amateurs all the way to nation state groups like Lazarus. In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today is about a number of Magento 1 websites that have been compromised by a very active skimmer group.

  5. Tomi Engdahl says:

    The New Ransomware Threat: Triple Extortion
    Global surge in ransomware attacks hits 102% increase this year compared to the beginning of 2020, and shows no sign of slowing down.
    Number of organizations impacted by ransomware globally has more than doubled in the first half of 2021 compared with 2020. The healthcare and utilities sectors are the most targeted sectors since the beginning of April 2021. Organizations in Asia Pacific are targeted more than any other region. Check Point Research (CPR) warns of new ransomware threat: Triple Extortion.

  6. Tomi Engdahl says:

    FragAttack: New Wi-Fi vulnerabilities that affect basically everything
    A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found. The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware, every Wi-Fi product is affected by at least one vulnerability. Also:

  7. Tomi Engdahl says:

    Microsoft: Threat actors target aviation orgs with new malware
    Microsoft warns of an ongoing spear-phishing campaign targeting aerospace and travel organizations with multiple remote access trojans (RATs) deployed using a new and stealthy malware loader. “In the past few months, Microsoft has been tracking a dynamic campaign targeting the aerospace and travel sectors with spear-phishing emails that distribute an actively developed loader, which then delivers RevengeRAT or AsyncRAT,” Microsoft said.

  8. Tomi Engdahl says:

    Ransomware Gang Leaks Metropolitan Police Data After Failed Negotiations
    The cybercrime syndicate behind Babuk ransomware has leaked more personal files belonging to the Metropolitan Police Department (MPD) after negotiations with the DC Police broke down, warning that they intend to publish all data if their ransom demands are not met. “The negotiations reached a dead end, the amount we were offered does not suit us, we are posting 20 more personal files on officers, you can download this archive, the password will be released tomorrow. if during tomorrow they do not raise the price, we will release all the data,” the gang said in a statement on their data leak site.

  9. Tomi Engdahl says:

    Microsoft's May Patch Tuesday release addressed a modest 55 cybersecurity vulnerabilities, including just four critical bugs. It's the smallest monthly update from the computing giant since 2020, but it does contain a patch for a concerning wormable vulnerability found in the Windows OS.
    The good news is that none of the vulnerabilities are being actively exploited in the wild, according to Microsoft, though three are listed as publicly known.

  10. Tomi Engdahl says:

    Microsoft fixes WSUS bug blocking May Windows security updates
    Microsoft has resolved a known issue preventing managed devices from receiving the May 2021 Patch Tuesday Windows security updates. “When checking for updates within Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager and managed devices that connect to these servers,” this month’s security updates “might not be available or offered,” as Microsoft explained on the Windows Health Dashboard.

  11. Tomi Engdahl says:

    FBI warns of cybercriminals abusing search ads to promote phishing sites
    The Federal Bureau of Investigation says that cybercrime gangs are using search results and search engine ads to lure victims to phishing sites for financial institutions in order to collect their login credentials. The schemes resulted in illicit ACH transfers amounting to hundreds of thousands of dollars in financial losses, the FBI said in a private industry notification (PIN) sent to the US private sector on Tuesday.

  12. Tomi Engdahl says:

    Hackers blocked the opening of schools; Russia is accused of protecting criminals
    The activity of Russian hackers has been a topic of discussion this week, after a denial-of-service attack disrupted fuel deliveries in the United States. The BBC writes that British Foreign Secretary Dominic Raab has nevertheless directed stern words towards Moscow.
    He spoke about the matter at the conference of the British National Cyber Security Centre (NCSC). When criminals operate on the soil of states like Russia, the country has a duty to bring them to justice, not to protect them, Raab said. According to him, democratic and authoritarian states stand on opposite sides of the front line in this matter too.

    Russia denied being behind the cyberattack on an oil pipeline in the US
    According to US intelligence, the ransomware originates from Russia. Russia has denied that it is responsible for the cyberattack on the oil pipeline system in the United States. “We categorically deny all the fantasies put forward by journalists. We reiterate that Russia does not engage in ‘malicious’ activity in virtual spaces,” the Russian embassy in the United States said in a statement.

  13. Tomi Engdahl says:

    DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills?

    The criminal gang behind the disruptive Colonial Pipeline ransomware hack says it is shutting down operations, but threat hunters believe the group will reemerge with a new name and new ransomware variants.

    The DarkSide cybercrime gang claims it is shuttering operations amidst massive blowback from U.S. government and global law enforcement officials.

    According to multiple threat hunters tracking darkweb communications, the DarkSide ransomware-as-a-service infrastructure has gone offline along with a naming-and-shaming website used by the criminal gang to pressure victims during extortion negotiations.

    Security vendor FireEye says its researchers have also seen the DarkSide announcement, which claims the criminals “lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service.”

    However, FireEye says it has not independently validated the claims and warns that this could be part of “an exit scam.”

    Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

  14. Tomi Engdahl says:

    Impacted Vendors Release Advisories for FragAttacks Vulnerabilities

    Impacted vendors have released security advisories in response to the recently disclosed Wi-Fi vulnerabilities collectively tracked as FragAttacks.

    A dozen CVE identifiers have been assigned to the FragAttacks (fragmentation and aggregation attacks) flaws discovered last year by researcher Mathy Vanhoef, including three for design flaws and nine for implementation flaws.

    Vanhoef tested 75 Wi-Fi devices and found that they were all affected by at least one vulnerability, but most of them were impacted by multiple issues. This suggests that a vast majority — if not all — devices with Wi-Fi capabilities are exposed to attacks. The design flaws are more difficult to exploit, while the implementation weaknesses are easier to use in attacks.

    The researcher demonstrated that the vulnerabilities can allow an attacker who is within Wi-Fi range of the targeted device to conduct various activities, including redirect users to arbitrary websites, take control of devices on the network, bypass router firewalls, steal user information, and spy on victims.

    Some of the affected vendors have been notified and given 9 months to release patches. Shortly after Vanhoef made his findings public, more than a dozen vendors released advisories, and some organizations, such as the Wi-Fi Alliance, have released statements on FragAttacks.

    Some vendors say their products are affected only by the design flaws, but others appear to be impacted by multiple CVEs. Some companies noted that their products are affected due to the use of third-party components.

    A majority of vendors have assigned the flaws a moderate/medium severity rating. Some have already released updates that should address the vulnerabilities, while others say they are working on developing patches.

    Description: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
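    The description above is the mixed-key fragment flaw: a receiver that reassembles fragments decrypted under different keys lets an attacker combine fragments it chose with fragments of the victim's frame. The mitigation on the receiving side is to remember which key each fragment was decrypted under and discard the whole frame when that key changes (and to drop partial frames when a key is renewed). The class below is an added illustration of that check written for this page; it is not code from the FragAttacks research or from any vendor patch. The fragment model (sender, sequence number, fragment index, more-fragments flag, a key identifier and the decrypted payload) is a simplification assumed for the example; real drivers apply the same rule to the 802.11 frame header and the installed pairwise key.

```python
from dataclasses import dataclass, field


@dataclass
class Fragment:
    sender: str     # transmitter address
    seq: int        # sequence number shared by all fragments of one frame
    frag_num: int   # 0-based fragment index from the frame header
    more: bool      # "more fragments" flag
    key_id: int     # identifier of the key this fragment was decrypted under
    payload: bytes  # decrypted fragment body


@dataclass
class _Pending:
    key_id: int
    next_frag: int = 0
    chunks: list = field(default_factory=list)


class SameKeyReassembler:
    """Reassembles fragments but refuses to mix fragments decrypted under different keys."""

    def __init__(self):
        self._pending = {}   # (sender, seq) -> _Pending
        self.dropped = []    # ((sender, seq), reason) audit trail

    def _drop(self, key, reason):
        self._pending.pop(key, None)
        self.dropped.append((key, reason))
        return None

    def receive(self, frag):
        """Return the reassembled frame body when complete, else None."""
        key = (frag.sender, frag.seq)
        state = self._pending.get(key)
        if frag.frag_num == 0:
            # A new first fragment restarts reassembly for this sequence number.
            state = _Pending(key_id=frag.key_id)
            self._pending[key] = state
        elif state is None:
            return self._drop(key, "no-first-fragment")
        if frag.key_id != state.key_id:
            # Core mitigation: every fragment of a frame must use the same key.
            return self._drop(key, "key-changed")
        if frag.frag_num != state.next_frag:
            return self._drop(key, "out-of-order")
        state.chunks.append(frag.payload)
        state.next_frag += 1
        if frag.more:
            return None
        del self._pending[key]
        return b"".join(state.chunks)

    def rekey(self, sender):
        """On key renewal, discard every partially reassembled frame from that sender."""
        for key in [k for k in self._pending if k[0] == sender]:
            self._drop(key, "rekey")


def demo():
    r = SameKeyReassembler()
    # Constructed traffic: an honest two-fragment frame under key 1 reassembles.
    ok = r.receive(Fragment("ap", 7, 0, True, 1, b"hello "))
    ok = r.receive(Fragment("ap", 7, 1, False, 1, b"world")) if ok is None else ok
    # A frame whose second fragment arrives under a renewed key is rejected whole.
    r.receive(Fragment("ap", 8, 0, True, 1, b"first-half"))
    mixed = r.receive(Fragment("ap", 8, 1, False, 2, b"second-half"))
    return ok, mixed, r.dropped


if __name__ == "__main__":
    frame, mixed, dropped = demo()
    print("reassembled:", frame)
    print("mixed-key result:", mixed, "dropped:", dropped)
```

    The audit list makes the behaviour observable: a burst of key-changed drops for one sender during a rekey is expected once, but a steady stream of them is what a monitoring hook on a driver or access point would report.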

  15. Tomi Engdahl says:

    Biden Signs Executive Order on Strengthening Cybersecurity Defenses: Feedback Friday

    U.S. President Joe Biden this week signed an executive order on improving the country’s cybersecurity defenses. The order represents the government’s response to the SolarWinds and other significant attacks carried out by foreign threat actors.

    The executive order focuses on removing barriers to threat information sharing, adopting more modern security solutions (e.g. zero trust architecture), enhancing the security of the software supply chain by requiring developers to improve their security practices, establishing a Cyber Safety Review Board that will review and assess significant incidents, and standardizing the government’s response to vulnerabilities and incidents.

    Executive Order on Improving the Nation’s Cybersecurity

  16. Tomi Engdahl says:

    Access To Arizona Government Routers Has Been Subpoenaed
    Cyber Ninjas has found a way to access voter information without having to do a canvass

    In the latest installment of the ongoing saga of the audit of the ballots cast in Maricopa County, Arizona in the November election, Cyber Ninjas, the firm with no election experience who is conducting the audit, has demanded access to the state government internet routers and passwords.
    The Arizona state Senate, which is controlled by Republicans and hired Cyber Ninjas to do the audit, has issued a subpoena on their behalf for the routers and passwords.

    I’m not going to bore you with detailed explanations of how routers and password authorities work. I could because I used to work with that stuff and find it endlessly fascinating but I know that you don’t so I’ll spare you the geeky stuff.
    Instead, I’m just going to tell you what information can be gained using high level access to the routers. It’s pretty scary. I nearly fell out of my chair when I read about the subpoena because I know exactly how much sensitive data would be revealed.
