Industrial Cyber Attacks - Attacks against industries, productive infrastructures and OT
This week's data leaks from industrial companies that recently suffered ransomware attacks include:
Non-Industrial Cyber Attacks - Covering notable, interesting attacks worldwide
Orange, the French telecommunications giant, has confirmed that it suffered a "Nephilim" ransomware attack that exposed the data of twenty of its enterprise customers.
Throughout 2020, APT29, which is assessed to be part of the Russian intelligence services, has targeted organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom. APT29 uses custom malware known as 'WellMess' and 'WellMail', designed to execute arbitrary shell commands and to upload and download files.
Three cybersecurity companies have recently suffered security incidents:
ICS Vulnerabilities
New ICS-CERT advisories this week cover Moxa EDR routers and include 16 advisories for different Siemens products. The most critical vulnerabilities in these advisories are remote code execution flaws with a CVSS score of 9.8 in Siemens SICAM and the Siemens LOGO! web server. Another CVE can lead to a denial-of-service condition in the Siemens PCS 7 DCS.
IOT
Trend Micro Research is warning consumers of a major new wave of attacks attempting to compromise home routers for use in IoT botnets. The three main source codebases that have spawned numerous botnet malware families are Mirai, Kaiten, and Qbot; users need to protect their routers and other connected devices from this malware.
IT Vulnerabilities
Microsoft's July Patch Tuesday includes CVE-2020-1350, a remote code execution vulnerability in the Windows DNS Server with a CVSS score of 10. Dubbed SIGRed, it affects all Windows Server versions from 2003 through 2019 and, if exploited, could be used to compromise a company's entire IT infrastructure. The flaw is in how the DNS Server parses an incoming SIG resource record, so an attacker only needs to get the server to resolve a domain whose authoritative name server returns a malicious response. The vulnerability is classified as "wormable", meaning it can spread between vulnerable servers without user interaction.
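Where the July update cannot be installed immediately, Microsoft published a registry workaround that caps the size of DNS responses received over TCP. The script below is an added example for this newsletter, not Microsoft's or Check Point's code: it checks whether a host runs the DNS Server service, reports whether the workaround is in place, optionally applies it, and lists recent hotfixes for manual comparison with the advisory's per-OS KB numbers (which are not checked here, as they differ per Windows Server version). The registry path and the 0xFF00 value are taken from the published workaround; running it as Administrator on the DNS server itself is assumed.

```powershell
# Added example (not from the original newsletter): check a Windows DNS server for the
# documented CVE-2020-1350 registry workaround and optionally apply it.
# Assumptions: run elevated on the DNS server; the registry path and 0xFF00 value are
# Microsoft's published workaround. KB numbers differ per OS version, so patch status is
# listed for manual review rather than asserted.
param(
    [switch]$Apply
)

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valName  = 'TcpReceivePacketSize'
$safeSize = 0xFF00   # 65280 bytes: keeps TCP DNS responses below the vulnerable size

# 1. Only hosts running the DNS Server service are exposed.
$dnsSvc = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dnsSvc) {
    Write-Output 'DNS Server service not present; host is not exposed to CVE-2020-1350.'
    return
}

# 2. Report the current workaround state.
$current = (Get-ItemProperty -Path $regPath -Name $valName -ErrorAction SilentlyContinue).$valName
if ($current -eq $safeSize) {
    Write-Output ("Workaround already in place: {0} = 0x{1:X}" -f $valName, $current)
} elseif ($null -eq $current) {
    Write-Output "$valName not set; server accepts oversized TCP DNS responses until patched."
} else {
    Write-Output ("{0} set to 0x{1:X}, not the recommended 0xFF00." -f $valName, $current)
}

# 3. Apply the workaround if requested. The DNS service must restart to pick it up.
if ($Apply -and $current -ne $safeSize) {
    Set-ItemProperty -Path $regPath -Name $valName -Value $safeSize -Type DWord
    Restart-Service -Name DNS -Force
    Write-Output 'Workaround applied and DNS service restarted. Still install the July 2020 update.'
}

# 4. Recent updates, for manual comparison against the advisory's KB list for this OS.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Run it without `-Apply` first to audit a fleet of DNS servers; the workaround is a stopgap and should be removed once the update is installed, since it can cause legitimate large TCP responses to fail.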
Breaches & Credential Leaks
A threat actor using the handle "cryptan" offered for sale, on a dark web forum, unauthorized access to a mining company's network, claiming to have obtained it through the company's VPN.
Advanced Reading Suggestions of the Week
The Cybereason team investigated the emergence of a new loader and backdoor, "Bazar", which first appeared in April 2020 and has evolved continuously since. Bazar can be used to deploy additional malware and ransomware, and ultimately to steal sensitive data from organizations. It appears to have strong ties to Trickbot campaigns and is delivered through the same infection chain. Bazar infections target healthcare, manufacturing, logistics, and other sectors across the US and Europe.
IBM's X-Force obtained nearly five hours of video recordings made by the Iranian state-sponsored group APT35, which provide rare insight into the group's "behind-the-scenes" methods.
The new PhishingKitTracker repository holds a collection of phishing kits used by criminals to steal user information.
Ran Finkelstein
Threat Intelligence Researcher
For more information contact us at [email protected].