Recent Webinar: Building an Adaptive Cyber Resilient Cloud
arrow-white arrow-white Watch now
close

Security News In Review: REvil Attacks Nuclear Contractor Sol Oriens

Posted by Nuni Snowden on June 12, 2021
Find me on:

Security News in Review: Linux System Service Bug

This week we have good news and bad news. On the one hand, a COO was caught and charged with potentially attacking a rival medical institution. A stolen data marketplace was shut down and bugs were found (all around). However, there has also been an increase in high-profile cyber-attacks. Keep reading to get this week’s top cybernews.

A COO is charged with a medical center cyberattack

Vikas Singla, the former chief operating officer of Securolytics, a network security company providing services for the healthcare industry, was charged with allegedly conducting a cyberattack on Georgia-based Gwinnett Medical Center (GMC). Allegedly, Singla conducted the cyberattack partially "for purpose of commercial advantage and private financial gain.” Although a breach had not occurred, this incident clearly could have had dire consequences both for the patients and professionals associated with the hospital. Read more about the cybercriminal COO here.

REvil Hits the US where it hurts, its nuclear weapons contractor

Sol Oriens was hit by a cyberattack that experts say came from the REvil ransomware-as-a-service (RaaS) gang. The company’s website has been unreachable since at least June 3, but Sol Oriens officials confirmed to Fox News and to CNBC that the firm became aware of the breach sometime last month. Apparently, the data stolen was “benign” and includes a handful of employees’ names, social security numbers, quarterly pay, a company contracts ledger, and a portion of a memo outlining a worker training plan. It’s unclear if more sensitive information was also obtained in the breach. Read more about the REvil ransomware attack here.

Slilpp has been seized 

A multinational operation has led to the seizure of Slilpp, a well-known marketplace for selling stolen online logins. At the time of the seizure, it offered more than 80 million sets of credentials for sale. This is not the first 2021 win we’ve seen for cyber protectors. Earlier this week, the FBI and the Australian Federal Police (AFP) announced that, along with the help of other countries, they had set up an encrypted chat service called Anom/An0m, and ran it for over three years, seizing weapons, drugs and over $48m in cash and arresting over 800 threat actors. To read more about the fight against malicious platforms like Slilpp, click here.

SIP protocol abused to trigger XSS attacks via VoIP call monitoring software 

New call-to-actionEarlier this week, Enable Security’s Juxhin Dyrmishi Brigjaj said that the Session Initiation Protocol (SIP) -- the technology used to manage communication across services like Voice over IP (VoIP), audio, and instant messaging -- could be used as a conduit to perform app-based assaults on software. This includes XSS attacks, in which users’ browser sessions may be compromised, same-origin policies circumvented, and user impersonation may take place for purposes including theft, phishing, or the deployment of malware. Enable Security reported and resolved its findings to VoIPmonitor earlier this year. The security issue was resolved by the project’s developers through the inclusion of new XSS protection mechanisms. It is recommended that VoIPmonitor users update to the latest version available, v.24.71. To read more about protocol abuse, click here.

There’s a Linux system service bug

Threat actors can get a root shell by exploiting an authentication bypass vulnerability in the polkit auth system service installed by default on many modern Linux distributions. The polkit local privilege escalation bug (tracked as CVE-2021-3560) was publicly disclosed, and a fix was released on June 3, 2021. Even though many Linux distributions haven't shipped with the vulnerable polkit version until recently, any Linux system shipping with polkit 0.113 or later installed is exposed to attacks. GitHub Security Lab security researcher Kevin Backhouse, is quoted as saying, “[the vulnerability] is very simple and quick to exploit, so it’s important that you update your Linux installations as soon as possible.” To read more about the Linux bug, click here.

Cybercriminals Steal FIFA 21 Source Code tools in EA Breach

Electronic Arts has confirmed that attackers have breached their networks and stolen source code, in addition to related tools, from the company’s extensive game library. At this time, EA has not disclosed how attackers breached its network. It is suspected, however, that threat actors probably exploited an unpatched, known vulnerability in EA’s network, an all-too-common way for attackers to infiltrate corporate servers. The company has said, “No player data was accessed, and we have no reason to believe there is any risk to player privacy.” 

Still, this sort of breach could take down an organization as, “Game source code is highly proprietary and sensitive intellectual property that is the heartbeat of a company’s service or offering.” To read more about the EA breach, click here.

Edward Don has been hit by a ransomware attack

Foodservice supplier Edward Don suffered a ransomware attack that has caused the company to shut down portions of the network to prevent the attack's spread. Although it is not clear what ransomware operation has conducted the attack, Advanced Intel CEO Vitali Kremez believes that Edward Don may have been infected by the Qbot malware. 

Qbot is known to partner with ransomware operations to provide them remote access to infected networks. Ransomware gangs then use this remote access to spread laterally through a network, steal data, and ultimately deploy the ransomware to encrypt devices. Gangs like ProLock and Egregor had partnered with Qbot in the past. Now, due to their shutdown, the REvil ransomware gang has been utilizing the botnet. To read more about the Edward Don attack, click here.

Prometheus is the newest ransomware gang to beware

It’s also the latest example of how the ransomware-as-a-service model is letting new gangs scale up operations quickly. Prometheus claims to have connections to REvil and they also claim to have breached at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and health care. On average, the group has demanded between $6,000 and $100,000 in Monero cryptocurrency as a ransom. To read more about this new group of threat actors, click here.

'Fancy Lazarus' is back

After a short break away from crime, Fancy Lazarus, a cybercriminal group with a rotating list of names, has resurfaced with a new email attack campaign threatening to launch a distributed denial-of-service (DDoS) attack against target organizations that refuse to pay a ransom. Although it also calls itself, "Fancy Bear," "Lazarus," "Lazarus Group," and "Armada Collective" researchers say there is no known connection between this group and advanced persistent threat (APT) actors of the same name, such as the Lazarus Group (linked to North Korea) and Fancy Bear (linked to Russia). To read more about Fancy Lazarus, the organizations they target, and how much they demand ransom click here.

CD Projekt: Data stolen in attack now circulating online

In February, CD Projekt suffered a ransomware attack that allowed threat actors to steal source code and business data before encrypting devices. The attack was conducted by a ransomware operation known as HelloKitty, who breached CD Projekt’s network and allegedly stole the complete source code of Cyberpunk 2077, the Witcher 3, Gwent, as well as for an unreleased Witcher 3 version. In addition to game code, they also claim to have exfiltrated accounting, administration, legal, HR, and investor relations documents.

Another threat actor group known as PayLoad Bin, previously known as Babuk Locker, had recently published what they claim is the full source code for CD Projekt games, consisting of 364GB of data. It’s unclear how PayLoadBin has obtained the information apparently stolen by HelloKitty. To read more about the stolen data, click the link here.

New call-to-action