
Cyber Intelligence Briefing: 16 July 2021

Billy Gouveia, Kyle Schwaeble 16 July 2021


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.


Another ransomware group has gone quiet

REvil, the ransomware group behind the recent attack leveraging Kaseya’s VSA platform, appears to have gone offline: the group’s online infrastructure is no longer accessible. It is unclear whether the development is related to recent discussions between the US and Russian governments, or whether the group is lying low to avoid further scrutiny from law enforcement following the high-profile attack.

SO WHAT? The group is unlikely to stay away for long. Ransomware groups often go quiet for short periods before returning and/or rebranding to continue their operations. Organisations should not let their guard down: the ransomware threat is not going away.


Kaseya patch progress

Kaseya has now released patches for both the on-premises and Software-as-a-Service (SaaS) versions of its VSA platform, addressing the vulnerabilities recently exploited by REvil. According to Kaseya, almost all of its SaaS customers are back online after it shut down its servers to contain the attack.

SO WHAT? If you use the platform, ensure you have applied the latest patches and have changed all passwords, since credentials present on a compromised VSA server should be treated as exposed. Organisations are also advised to follow Kaseya’s hardening guide for their on-premises and SaaS deployments.


Vulnerabilities identified affecting SolarWinds and Sage

  • SolarWinds has patched a zero-day vulnerability in its Serv-U products that was being actively exploited. The vulnerability, tracked as CVE-2021-35211, allows an attacker to execute code remotely on the affected server.
  • Separately, researchers identified four vulnerabilities affecting the Sage X3 ERP platform, one of which is rated 10 out of 10 on the CVSS vulnerability-severity scale. Sage has addressed the vulnerabilities in recent software updates.

SO WHAT? Users should update their systems to the latest versions. Because the SolarWinds flaw was exploited before a patch was available, patching alone does not rule out an earlier compromise: customers potentially affected can check the Serv-U DebugSocketLog.txt log file for the indicators of compromise SolarWinds has published.


US charges Apostolos Trovias for insider trading on Dark Web

On 9 July, the US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) charged Greek national Apostolos Trovias with marketing insider trading information. Operating as “The Bull”, Trovias used dark web forums to sell stock tips and also tried to build his own dark web site for his dealings.

The DOJ charged Trovias with one count of securities fraud and one count of money laundering. These carry maximum penalties of 25 and 20 years in prison, respectively.

SO WHAT? Dark web monitoring can reveal evidence of a variety of criminal activity beyond cybercrime, including insider trading, fraud schemes targeting specific companies or sectors, and emerging threats facing organisations. Consider an intelligence programme to identify potential threats to your organisation on the dark web.


Return of the Joker

A new version of the billing-fraud malware ‘Joker’ has been found in apps on the Google Play store. Apps infected with Joker stealthily subscribe users to paid services controlled by the attackers. The operators combine legitimate developer techniques with anti-detection methods to evade the Google Play store vetting process.

SO WHAT? Review the permissions an app requests carefully, even when installing from official app stores such as Google Play, and check mobile bills for subscriptions you did not knowingly sign up to.


Patch Tuesday!

  • Microsoft released patches for 117 vulnerabilities, 13 of which are rated ‘critical’. The vulnerabilities addressed include four zero-days being actively exploited in the wild.
  • Adobe also released fixes for 22 critical vulnerabilities across six products, including the widely used Adobe Acrobat and Reader; none of these is known to be actively exploited.

SO WHAT? Prioritise the four actively exploited Microsoft zero-days. Further detail on the patches is available on Microsoft’s and Adobe’s respective release pages.


Indicators of Compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with the most recent Joker campaign. URLs and IP addresses are defanged (hxxp, [.]) so they cannot be followed accidentally.

SHA-256 App Hashes

a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52

0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0

f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab

3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572

Interesting URLs

hxxp://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai

hxxp://onemoretime.oss-us-east-1.aliyuncs.com/hd.ai

hxxp://onemoretime.oss-us-east-1.aliyuncs.com/huadi

hxxp://161.117.46[.]64/svhyqj/mjcxzy

hxxp://161.117.46[.]64/svhyqj/bwytmw

IP Addresses

161.117.46[.]64
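As an added example, not S-RM tooling and not part of the original briefing, the script below turns the indicators above into a local sweep: it refangs the defanged URLs and IP address, hashes candidate APK files with SHA-256 and scans proxy, DNS or firewall log lines for the listed URLs, hostname and IP. The indicators are copied from the lists above; the sample log lines, file labels and the hash-match demonstration are constructed for the example.

```python
"""Sweep local artefacts for the Joker IOCs published in this briefing.

Added example, not S-RM tooling. The indicators are copied from the
lists above in their defanged form; everything else (sample log lines,
file labels) is constructed for the demonstration.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators as published above (defanged so they cannot be clicked).
IOC_HASHES = {
    "a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52",
    "0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0",
    "f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab",
    "3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572",
}
IOC_URLS_DEFANGED = [
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai",
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/hd.ai",
    "hxxp://onemoretime.oss-us-east-1.aliyuncs.com/huadi",
    "hxxp://161.117.46[.]64/svhyqj/mjcxzy",
    "hxxp://161.117.46[.]64/svhyqj/bwytmw",
]
IOC_IPS_DEFANGED = ["161.117.46[.]64"]


def refang(indicator: str) -> str:
    """Undo the usual defanging (hxxp:// -> http://, [.] -> ., [:] -> :).

    Safe to call on an already-clean indicator: it is returned unchanged.
    """
    out = re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


IOC_URLS = [refang(u) for u in IOC_URLS_DEFANGED]
# Hostnames/IPs pulled out of the URLs plus the standalone IP, so a DNS
# query or firewall record is caught even when no full URL is logged.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS} | {refang(ip) for ip in IOC_IPS_DEFANGED}

# Match a host only as a whole token: "161.117.46.640" must not hit "161.117.46.64".
_HOST_PATTERNS = {
    h: re.compile(r"(?<![\w.-])" + re.escape(h) + r"(?![\w.-])", re.IGNORECASE)
    for h in IOC_HOSTS
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path) -> str:
    """Stream the file so large APKs need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(samples: dict, known=None) -> dict:
    """Return {label: sha256} for each sample whose digest is on the IOC list.

    samples maps a label (typically a file name) to the file's raw bytes;
    known defaults to the published Joker hashes and may be overridden.
    """
    known = IOC_HASHES if known is None else set(known)
    digests = {label: sha256_bytes(data) for label, data in samples.items()}
    return {label: d for label, d in digests.items() if d in known}


def sweep_apk_files(paths) -> dict:
    """Hash APK files on disk and return those whose digest is on the IOC list."""
    found = {}
    for p in paths:
        digest = sha256_file(p)
        if digest in IOC_HASHES:
            found[str(p)] = digest
    return found


def scan_line(line: str) -> list:
    """Return the indicators present in one log line, full URLs taking priority."""
    url_hits = [u for u in IOC_URLS if u.lower() in line.lower()]
    if url_hits:
        return url_hits
    return [h for h in sorted(IOC_HOSTS) if _HOST_PATTERNS[h].search(line)]


def scan_log(text: str) -> list:
    """Return (line_number, indicator) pairs for every hit in a log excerpt."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for indicator in scan_line(line):
            hits.append((lineno, indicator))
    return hits


# Constructed sample lines (proxy, DNS, firewall). The last line is a
# deliberate near-miss (not a valid address) that must not match.
SAMPLE_LOG = """\
2021-07-13T09:12:01Z proxy user=alice GET http://example.com/index.html 200
2021-07-13T09:12:07Z proxy user=bob GET http://onemoretime.oss-us-east-1.aliyuncs.com/hd.ai 200
2021-07-13T09:12:09Z dns client=10.0.0.7 query=onemoretime.oss-us-east-1.aliyuncs.com type=A
2021-07-13T09:12:15Z fw src=10.0.0.7 dst=161.117.46.64 dport=80 action=allow
2021-07-13T09:12:20Z fw src=10.0.0.8 dst=161.117.46.640 dport=80 action=allow
"""

if __name__ == "__main__":
    for lineno, indicator in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {indicator}")
```

Point `sweep_apk_files` at APKs pulled from managed devices and `scan_log` at proxy, DNS resolver or firewall exports. Hostname and IP matching is deliberately token-bounded, so hits on look-alike addresses are avoided at the cost of missing the IOC when it appears as part of a longer dotted name.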
