Weekly Cyber Threat Report, June 21-June 25

From the good news:

This week, we’ve learned about Binance’s involvement in Clop arrests, new US security bills, EU’s new security unit, and more.

• Binance cryptocurrency exchange helped law enforcement to arrests Clop ransomware group members by helping the police to identify, and ultimately detain a few gang members in Ukraine. The international operation has been conducted jointly with law enforcement of Ukraine, the United States, and South Korea. The Cyberpolice Department of the National Police of Ukraine says Clop caused financial damages amounting to $500 million.
• The European Commission to propose a plan to establish a joint cyber unit that would allow national governments to seek assistance from other countries in the event of a major cyberattack. Its aim is to help countries pool cybersecurity resources and expertise from neighboring governments and jointly fight cybercrime.
• U.S. lawmakers have introduced four bills in Congress aimed at addressing various cybersecurity issues. The bills foresee increasing the penalties for hackers, giving prosecutors new powers to shut down botnets, funding for school districts to improve their cybersecurity, new procedures for businesses and government agencies to safeguard Americans’ personal data, and a requirement for critical infrastructure operators to report a cyberattack to CISA.

From the bad news:

This week has brought reports about data breaches at NATO, REvil’s ransomware v.2, a Linux version of the Darkside ransomware, new malware families and vulnerabilities, and other important stories you can’t miss.

• Workforce West Virginia announced Tuesday an unauthorized individual accessed the Mid Atlantic Career Consortium Employment Services database, or “MACC” website. To their knowledge, files were not downloaded, extracted, or manipulated.
• Wiz.io researchers discovered a new type of DNS vulnerabilities in AWS DNS-as-a-service offerings like Route53 that expose sensitive information on corporate and government customers. By registering a phony AWS name server with the same name as an existing AWS name server, they could get sensitive information like external and internal IP addresses, computer names for finance, human resources, production servers, and organization names.
• Avast researchers found cryptocurrency mining malware, Crackonosh, that abuses Windows Safe mode to infect computers. It’s distributed through the cracked software, or “warez,” on various torrent sites and forums. It has likely generated millions of dollars for its operators over the past few years.
• Eclypsium researchers have discovered a set of vulnerabilities in the BIOSConnect feature that can be exploited to perform code execution attacks on Dell computers. Bugs are found in 128 Dell laptops, tablets, and desktop models, including Secure Boot and Secured-core enabled PCs, owned by millions of users.
• Researchers from a German University discovered a security flaw in the IMAP email protocol used by most email servers that could allow hackers to secretly read and modify messages. The bug, which was first reported in 2020, is found in the email server software Dovecot. The vulnerability they have identified allows an attacker to perform a meddle-in-the-middle (MITM) attack.
• IBM Trusteer researchers warned about an actor that uses two malware families – Ursnif and Cerberus – to intercept OTP codes, bypass 2FA, and plant banking Trojans. The threat actor is targeting a wide variety of banking users in Italy, but only if their balance is over €3,000.
• Many owners of Western Digital’s My Book NAS devices reported Friday that all their files were gone. It appears this issue affected users in over 40 countries. Users also lost access to their WD accounts. Western Digital believes that the attacks were carried out by individuals who had gained access to the victims’ accounts, possibly due to week or default passwords.
• According to a new study commissioned by Ermetic, 98% of 200 surveyed companies have experienced at least one data breach in the past 18 months, an increase of 15% from last year (76%). The top-cited threats to cloud infrastructure were the lack of visibility and adequate identity and network access management.
• NATO’s Service-Oriented Architecture and Identity Access Management (SOA & IdM) platform has been hacked in a supply-chain attack after hackers breached a software developer company Everis. The hackers stole sensitive data from the platform and tried to blackmail Everis.
• Secureworks said an actor they track as Gold Northfield has modified REvil’s ransomware for their own purposes claimed to already have had a dozen successful infections. The spotted ransomware strain called LV is similar to REvil’s ransomware code and still has references to its command-and-control infrastructure.
• Elastic Security researchers reported a new malware evasion technique called “Process Ghosting,” which could allow an attacker to secretly run malicious code on a Windows machine. A researcher presented a proof-of-concept and explained that “it is possible to create a file, mark it for deletion, map it to an image section, close the file handle to complete the deletion, then create a process from the now-fileless section.”
• A researcher found that a critical stack-based Buffer Overflow bug (CVE-2020-5135) in the SonicWall network disclosed last year, which was initially thought to have been patched by the company, is still an issue. “SonicWall is not aware of this vulnerability being exploited in the wild,” the company said.
• Trend Micro found a new strain of ransomware called DarkRadiation that targets Linux and Docker containers and communicates with its C2 server using messaging service Telegram.
• AT&T Alien Labs has published an analysis of the Linux version of the Darkside ransomware. They say Linux servers are regarded as more secure and reliable, however, if not maintained, attackers can breach them with a single infection.
• The Clop ransomware operation have begun listing new victims on their data leak site despite recent arrests in Ukraine. Intel 471 experts say, this is because the police arrested low-importance individuals involved in the money laundering operations.
• The city of Tulsa attack in early May was conducted by Conti Ransomware gang. The city has issued a warning about leaked by hackers police citations containing personal data of city residents.