Links

https://www.axios.com/2023/04/10/what-we-know-pentagon-document-leak

https://securityaffairs.com/144866/cyber-crime/ncr-blackcat-alphv-ransomware.html

https://cyberwarzone.com/beware-of-movie365-and-similar-sites-offering-free-movies-online/

https://thehackernews.com/2023/04/vice-society-ransomware-using-stealthy.html

Pentagon Document Leak

• Documents
  • Various social media sites
    • Twitter
    • Telegram
  • Documents leaking at least since January.
    • Discord
    • 4Chan
  • Leaker
    • Jack Teixeira
      • 21 y/o
      • North Dighton, Massachusetts.
      • Massachusetts Air National Guard
    • Arrest
      • in connection to “unauthorized removal, retention and transmission of classified national defense information”
    • Discord Members
      • suspicious of law enforcement and the U.S. intelligence community
      • prone to ranting about “government overreach,”
    • Leak
      • photos of crumpled pieces of paper
        • laid on top of magazines.
          • or surrounded by household objects.
        • leaked documents numbers roughly 100 pages,
        • The documents illustrate U.S. efforts to spy on Ukraine’s government and military leaders.
          • lays out the U.S.’ extensive knowledge of Russian government intelligence.
            • could hurt U.S. spy efforts if Russia figures out where the information is coming from.
          • DLP?

NCR was the victim of BlackCat ransomware gang.

• NCR Corporation
  • software, consulting and technology company providing several professional services and electronic products.
  • manufactures self-service kiosks, point-of-sale terminals, automated teller machines, check processing systems, and barcode scanners.
• Outage
  • Wednesday
  • DFW05 datacenter
  • outage on its Aloha point of sale platform
    • restaurant point-of-sale and management software
  • notified law enforcement and engaged third-party cybersecurity experts.
    • investigate the incident and determine the scope of the attack.
  • restaurants impacted are still able to serve their customers
    • impacted a specific functionality.
  • BlackCat/ALPHV
    • AKA UNC4466
    • Since November 2021
    • added NCR to the list of victims on its Tor data leak site
    • Dominic Alivieri, CyberSecurity researcher published a chat message related to the negotiation between NCR and the ransomware gang.
    • removed the name of NCR from its leak site
      • probably because of an ongoing negotiation.

Free Movie Sites are a bad idea

• Movies 365
  • promise access to the latest movies
• How they work
  • designed to lure users
  • make money by hosting forms and advertisements
    • possible malware
  • collecting personal information from users
    • survey or enter their email address or phone number
    • sold to third-party advertisers
  • Don’t just don’t

Vice Society Ransomware Using Stealthy PowerShell Exfiltration

• Vice Society
  • Microsoft Tracks as DEV-0832
  • extortion-focused
  • May 2021
• New Tool
  • bespoke PowerShell
    • avoids detection
      • living off the land binaries and scripts
        • no need to bring in external tools
      • automate exfil
    • ps1
      • identifying mounted drives
      • recursively searching through each of the root directories
      • focus on files over 10 KB
      • file extensions and in directories that meet its include list
      • Excludes
        • system files, backups, and folders pointing to web browsers
        • security solutions from Symantec, ESET, and Sophos
      • Utilizes multi-processing and queuing
        • ensures it does not consume too many system resources