Posts

Showing posts from June, 2021

Black Hills InfoSec - Talkin’ About Infosec News – 6/28/2021

Originally Aired on June 28, 2021 Articles discussed in this episode: 00:00 – PreShow Banter™ — Way West Recap06:38 – Story 1 : https://ift.tt/363xru3 – Story 2 : https://ift.tt/3jqnz5w – Story 3 : https://ift.tt/2TezxEJ – Story 4 : https://ift.tt/3AhrxDh – Story 5 : https://ift.tt/3jqnIG6 – Story 6 : https://ift.tt/3Aipb7a – Story 7 : https://ift.tt/3hmQ6WT – […] The post Talkin’ About Infosec News – 6/28/2021 appeared first on Black Hills Information Security . from Black Hills Information Security https://www.blackhillsinfosec.com/talkin-about-infosec-news-6-28-2021/

Dark Reading - SentinelOne Starts Trading on NYSE, Raises $1.2B in IPO

IPO is the highest valued in cybersecurity history, according to reports. from Dark Reading: https://www.darkreading.com/endpoint/sentinelone-starts-trading-on-nyse-raises-$12b-in-ipo/d/d-id/1341452?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US-CERT - PrintNightmare, Critical Windows Print Spooler Vulnerability

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

Dark Reading - MyBook Investigation Reveals Attackers Exploited Legacy, 0-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation. from Dark Reading: https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-zero-day-vulnerabilities/d/d-id/1341440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - SMB Worm Targeting EternalBlue Vuln Spreads to US

"Indexsinas" is the latest threat designed to exploit Windows servers that remain vulnerable to an NSA-developed exploit Microsoft patched more than four years ago. from Dark Reading: https://www.darkreading.com/endpoint/smb-worm-targeting-eternalblue-vuln-spreads-to-us/d/d-id/1341445?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - MyBook Investigation Reveals Attackers Exploited Legacy, 0-Day Vulnerabilities

A previously unknown flaw in Western Digital's older network-attached storage systems allowed unauthenticated commands to trigger a factory reset, formatting the hard drives, says the company after its preliminary investigation. from Dark Reading: https://www.darkreading.com/attacks-breaches/mybook-investigation-reveals-attackers-exploited-legacy-0-day-vulnerabilities/d/d-id/1341440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Krebs - We Infiltrated a Counterfeit Check Ring! Now What?

Image
Imagine waking up each morning knowing the identities of thousands of people who are about to be mugged for thousands of dollars each. You know exactly when and where each of those muggings will take place, and you’ve shared this information in advance with the authorities each day for a year with no outward indication that they are doing anything about it. How frustrated would you be? A counterfeit check image [redacted] that was intended for a person helping this fraud gang print and mail phony checks tied to a raft of email-based scams. One fraud-fighting group is intercepting hundreds to thousands of these per day. Such is the curse of the fraud fighter known online by the handles “ Brianna Ware ” and “ BWare ” for short, a longtime member of a global group of volunteers who’ve infiltrated a cybercrime gang that disseminates counterfeit checks tied to a dizzying number of online scams. For the past year, BWare has maintained contact with an insider from the criminal group that

KnowBe4 - Almost All LinkedIn User’s Data Has Been Scraped and is Up for Sale on the Dark Web

Image
700 Million LinkedIn user’s personal details were posted for sale earlier this month, putting 92% of their userbase at risk of social engineering and spear phishing attacks. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/almost-all-linkedin-users-data-has-been-scraped-and-is-up-for-sale-on-the-dark-web

KnowBe4 - Spear Phishing Impersonation Attacks Take on New Tactics to Become More Convincing and Effective

Image
As part of Business Email Compromise attacks, spear phishing now plays a material role, with impersonation sitting firmly at the core of their social engineering tactics… in more ways than one. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/spear-phishing-impersonation-attacks-take-on-new-tactics-to-become-more-convincing-and-effective

Dark Reading - Impersonation Becomes Top Phishing Technique

A new report finds IT, healthcare, and manufacturing are the industries most targeted by phishing emails. from Dark Reading: https://www.darkreading.com/attacks-breaches/impersonation-becomes-top-phishing-technique/d/d-id/1341443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Indexsinas SMB Worm Campaign Infests Whole Enterprises

The self-propagating malware's attack chain is complex, using former NSA cyberweapons, and ultimately drops cryptominers on targeted machines. from Threatpost https://threatpost.com/indexsinas-smb-worm-enterprises/167455/

Dark Reading - Attackers Already Unleashing Malware for Apple macOS M1 Chip

Apple security expert Patrick Wardle found that some macOS malware written for the new M1 processor can bypass anti-malware tools. from Dark Reading: https://www.darkreading.com/endpoint/attackers-already-unleashing-malware-for-apple-macos-m1-chip/d/d-id/1341442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Recorded Future - How “HackMachine” Enables Fraud and Cyber Intrusions

Editor’s Note : The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.  Background Businesses and organizations use content management systems (CMS) and web hosting control panels to simplify the management of websites and deliver improved functionality for site visitors. CMS control panels allow content managers to manage the site at the web application level, such as adding a shopping cart extension for e-commerce functionality. Web hosting control panels are interfaces that allow administrators to manage their web servers and hosted services. In essence, access to a site’s CMS control panel allows cybercriminals to inject digital skimmers, potentially access payment card data from previous stored transactions, and access CMS user account information, whereas access to web hosting control panels enables cybercriminals to perform the aforementioned activity and potentially conduct more intrusive activi

Dark Reading - Intl. Law Enforcement Operation Takes Down DoubleVPN

The VPN service allegedly provided a means for cybercriminals to target their victims, Europol officials report. from Dark Reading: https://www.darkreading.com/endpoint/intl-law-enforcement-operation-takes-down-doublevpn/d/d-id/1341439?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US-CERT - CISA’s CSET Tool Sets Sights on Ransomware Threat

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/cisas-cset-tool-sets-sights-ransomware-threat

Rapid 7 - CVE-2021-1675 (PrintNightmare) Patch Does Not Remediate Vulnerability

Image
On June 8, 2021, Microsoft released an advisory and patch for CVE-2021-1675 (“PrintNightmare”), a critical vulnerability in the Windows Print Spooler. Although originally classified as a privilege escalation vulnerability, security researchers have demonstrated that the vulnerability allows authenticated users to gain remote code execution with SYSTEM-level privileges. On June 29, 2021, as proof-of-concept exploits for the vulnerability began circulating, security researchers discovered that CVE-2021-1675 is still exploitable on some systems that have been patched. As of this writing, at least 3 different proof-of-concept exploits have been made public . Rapid7 researchers have confirmed that public exploits work against fully patched Windows Server 2019 installations. The vulnerable service is enabled by default on Windows Server, with the exception of Windows Server Core. Therefore, it is expected that in the vast majority of enterprise environments, all domain controllers, even

Dark Reading - 3 Things Every CISO Wishes You Understood

Ensuring the CISO's voice is heard by the board will make security top of mind for the business, its employees, and their customers. from Dark Reading: https://www.darkreading.com/risk-management/3-things-every-ciso-wishes-you-understood/a/d-id/1341379?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Without a top-notch team to stop attackers, our favorite modes of transportation could come to a screeching halt. from Dark Reading: https://www.darkreading.com/edge/theedge/7-skills-the-transportation-sector-needs-to-fuel-its-security-teams/b/d-id/1341438?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Why MTTR is Bad for SecOps

Kerry Matre, senior director at Mandiant, discusses the appropriate metrics to use to measure SOC and analyst performance, and how MTTR leads to bad behavior. from Threatpost https://threatpost.com/mttr-bad-secops/167440/

Threat Post - Zero-Day Used to Wipe My Book Live Devices

Threat actors may have been duking it out for control of the compromised devices, first using a 2018 RCE, then password-protecting a new vulnerability. from Threatpost https://threatpost.com/zero-day-wipe-my-book-live/167422/

Threat Post - PoC Exploit Circulating for Critical Windows Print Spooler Bug

The "PrintNightmare" bug may not be fully patched, some experts are warning, leaving the door open for widespread remote code execution attacks. from Threatpost https://threatpost.com/poc-exploit-windows-print-spooler-bug/167430/

Rapid 7 - ForgeRock Access Manager/OpenAM Pre-Auth Remote Code Execution Vulnerability (CVE-2021-35464): What You Need To Know

Image
On June 29, 2021, security researcher Michael Stepankin ( @artsploit ) posted details of CVE-2021-35464 , a pre-auth remote code execution (RCE) vulnerability in ForgeRock Access Manager identity and access management software. ForgeRock front-ends web applications and remote access solutions in many enterprises. ForgeRock has issued Security Advisory #202104 to provide information on this vulnerability and will be updating it if and when patches are available. The weakness exists due to unsafe object deserialization via the Jato framework , with a disturbingly diminutive proof of concept that requires a single GET / POST request for code execution: GET /openam/oauth2/..;/ccversion/Version?jato.pageSession=<serialized_object> ForgeRock versions below 7.0 running on Java 8 are vulnerable and the weakness also exists in unpatched versions of the Open Identify Platform’s fork of OpenAM . ForgeRock/OIP installations running on Java 9 or higher are unaffected. As of July 29,

Dark Reading - 9 Hot Trends in Cybersecurity Mergers & Acquisitions

Security experts share their observations of the past year in cybersecurity M&A, highlighting key trends and notable deals. from Dark Reading: https://www.darkreading.com/endpoint/9-hot-trends-in-cybersecurity-mergers-and-acquisitions/d/d-id/1341375?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Is Compliance-Only Security Giving Cybercriminals Your Security Playbook?

Compliance-only security strategies aren't working. CISOs should squarely focus on being secure while achieving compliance. from Dark Reading: https://www.darkreading.com/risk/is-compliance-only-security-giving-cybercriminals-your-security-playbook/a/d-id/1341370?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Feds Told to Better Manage Facial Recognition, Amid Privacy Concerns

A GAO report finds government agencies are using the technology regularly in criminal investigations and to identify travelers, but need stricter management to protect people’s privacy and avoid inaccurate identification from Threatpost https://threatpost.com/feds-manage-facial-recognition-privacy-concerns/167419/

Dark Reading - Google Updates Vulnerability Data Format to Support Automation

The Open Source Vulnerability schema supports automated vulnerability handling in Go, Rust, Python, and Distributed Weakness Filing system, and it could be the favored format for future exporting of data. from Dark Reading: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/google-updates-vulnerability-data-format-to-support-automation/d/d-id/1341437?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Ransomware Losses Drive Up Cyber-Insurance Costs

Premiums have gone up by 7% on average for small firms and between 10% and 40% for medium and large businesses. from Dark Reading: https://www.darkreading.com/risk/ransomware-losses-drive-up-cyber-insurance-costs/d/d-id/1341436?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Users Clueless About Cybersecurity Risks: Study

The return to offices, coupled with uninformed users (including IT pros) has teed up an unprecedented risk of enterprise attack. from Threatpost https://threatpost.com/users-clueless-cybersecurity-risks-study/167404/

Dark Reading - CISA Publishes Catalog of Poor Security Practices

Organizations often focus on promoting best practices, CISA says, but stopping poor security practices is equally important. from Dark Reading: https://www.darkreading.com/risk/cisa-publishes-catalog-of-poor-security-practices/d/d-id/1341435?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Rapid 7 - #Rapid7Life Belfast: Why I Joined

Image
Starting a new job at a new company can be daunting, particularly during a global pandemic. With interviews via Zoom, onboarding gone remote, first days at home instead of in a brand new office, and so many other shifts since the onset of the pandemic, switching jobs and companies is probably not something most would even consider. While this may seem to be the case for many, we’ve welcomed many new employees to our team around the globe since March 2020! Interested in learning why these individuals chose to make a job change during these uncertain times and how Rapid7 made the decision a no-brainer? Read on to find out from a few of our Belfast-based Software Engineers! Thomas Franklin, Software Engineer II, Joined Rapid7 September 2020 Lauren Quinn, Software Engineer II, Joined Rapid7 November 2020 Danielle Topping, Senior Software Engineer, Joined Rapid7 September 2020 Niall O’Hagan, Lead Software Engineer, Joined Rapid7 January 2021 Q: Where did you hear about Ra

Dark Reading - Survey Data Reveals Gap in Americans' Security Awareness

Survey data reveals many people have never heard of major cyberattacks, including the attack targeting Colonial Pipeline. from Dark Reading: https://www.darkreading.com/attacks-breaches/survey-data-reveals-gap-in-americans-security-awareness/d/d-id/1341434?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 - Yet Another Disk Image File Format Spotted in the Wild Used to Deliver Malware

Image
Disguised as an invoice, cybercriminals use a Windows-supported disk image to obfuscate malware from email gateways and security scanners. The question is how viable will it be? from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/yet-another-disk-image-file-format-spotted-in-the-wild-used-to-deliver-malware

KnowBe4 - 35% of All Security Incidents are Business Email Compromise Phishing Attacks

Image
With the bad guys looking for the fastest means to get from attack to a big payout, BEC tactics are shifting tactics to adjust to organizations being better prepared. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/35-of-all-security-incidents-are-business-email-compromise-phishing-attacks

Dark Reading - Technology's Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk. from Dark Reading: https://www.darkreading.com/endpoint/technologys-complexity-and-opacity-threaten-critical-infrastructure-security/a/d-id/1341368?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Microsoft Translation Bugs Open Edge Browser to Trivial UXSS Attacks

The bug in Edge's auto-translate could have let remote attackers pull off RCE on any foreign-language website just by sending a message with an XSS payload. from Threatpost https://threatpost.com/microsoft-edge-browser-uxss-attacks/167389/

US-CERT - CISA Begins Cataloging Bad Practices that Increase Cyber Risk

from CISA All NCAS Products https://us-cert.cisa.gov/ncas/current-activity/2021/06/29/cisa-begins-cataloging-bad-practices-increase-cyber-risk

KnowBe4 - [Eye Opener] The Biggest Bitcoin Heist Ever: A Whopping 3.6 Billion Dollars!

Image
I'm not sure why this is not all over the press. Bloomberg picked up on this though. A pair of South African brothers have vanished, along with Bitcoin worth $3.6 billion from their cryptocurrency investment platform. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/eye-opener-the-biggest-bitcoin-heist-ever-a-whopping-3.6-billion-dollars

Schneier - Risks of Evidentiary Software

Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example). Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it. The software engineers proposed a three-part test. First, the court should have access to the “Known Error Log,” which should be part of any professionally developed software project. Next the court should consider whether the evidence being presented could be materially affected by a software error. Ladkin and his co-authors noted that a chain of emails back and forth are unlikely to have such an error, but the time that a software tool logs when an application was used could easily be incorrect. Finally, the reliability experts recommended seeing whether the code adheres to an industry standard used in an non-computerized version of the task (e.g., bookkeepers always record every

Dark Reading - 3 Ways Cybercriminals Are Undermining MFA

Using multifactor authentication is an excellent security step, but like everything else, it is not foolproof and will never be 100% effective. from Dark Reading: https://www.darkreading.com/endpoint/3-ways-cybercriminals-are-undermining-mfa/a/d-id/1341341?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

KnowBe4 - CyberheistNews Vol 11 #25 [Heads Up] Attackers Abuse Your Google Docs With a New Phishing Angle

Image
from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cyberheistnews-vol-11-25-heads-up-attackers-abuse-your-google-docs-with-a-new-phishing-angle

KnowBe4 - New Phishing Attack Adds a Call Center Step to Get You to Download Malware

Image
Unlike traditional phishing emails that simply attach or link to a malicious file, a new scam from cybercriminal group BazaCall makes victims call in and be instructed to download the malware. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/new-phishing-attack-adds-a-call-center-step-to-get-you-to-download-malware

KnowBe4 - Cybersecurity and Business Priorities Don’t Appear to Be Aligning – and That’s Bad for Your Security Stance

Image
Despite organizational leadership believing cyber security initiatives can support business goals, the way businesses approach cybersecurity seems to prove otherwise. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/cybersecurity-and-business-priorities-dont-appear-to-be-aligning-and-thats-bad-for-your-security-stance

KnowBe4 - An Unusual Attachment is Most Likely a Phishing Campaign

Image
A phishing campaign is using Windows Imaging Format (WIM) files to deliver malware, according to researchers at Trustwave. WIM files aren’t commonly thought of as potentially malicious, so they’re more likely to bypass security filters. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/an-unusual-attachment-is-most-likely-a-phishing-campaign

TrustedSec - BITS Persistence for Script Kiddies

Image
Introduction Using and abusing the BITS service is a lot of fun. I can’t believe Windows just gives away this hacker tool for free. But wait, wait, are you telling me that there’s more? Does it come with a free blender? What else can this service do for me? In the last installment, we covered the Background Intelligent Transfer Service (BITS) and how you can use this service and its corresponding utility, bitsadmin [1] , to Live Off the Land [2] . Go back and review BITS for Script Kiddies ( https://www.trustedsec.com/blog/bits-for-script-kiddies/ ) if you want more details, but in essence, BITS is a service provided by the Windows operating system to transfer files. It allows the user to download and upload files, and it is used by the operating system for downloading Windows updates. This service can be used with the command line utility, PowerShell cmdlets, or a COM interface [3] . Previously, we looked at how to Live Off the Land using BITS instead of uploading (and possibly c

Threat Post - Details of RCE Bug in Adobe Experience Manager Revealed

Disclosure of a bug in Adobe’s content-management solution - used by Mastercard, LinkedIn and PlayStation – were released. from Threatpost https://threatpost.com/rce-bug-in-adobe-revealed/167382/

Threat Post - Cobalt Strike Usage Explodes Among Cybercrooks

The legit security tool has shown up 161 percent more, year-over-year, in cyberattacks, having “gone fully mainstream in the crimeware world.” from Threatpost https://threatpost.com/cobalt-strike-cybercrooks/167368/

Threat Post - Data for 700M LinkedIn Users Posted for Sale in Cyber-Underground

After 500 million LinkedIn enthusiasts were affected in a data-scraping incident in April, it's happened again - with big security ramifications. from Threatpost https://threatpost.com/data-700m-linkedin-users-cyber-underground/167362/

Dark Reading - Microsoft Refining Third-Party Driver Vetting Processes After Signing Malicious Rootkit

Rogue driver was distributed within gaming community in China, company says. from Dark Reading: https://www.darkreading.com/endpoint/microsoft-refining-third-party-driver-vetting-processes-after-signing-malicious-rootkit/d/d-id/1341420?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Attacks Erase Western Digital Network-Attached Storage Drives

The company suspects a remote code execution vulnerability affecting My Book Live and My Book Live Duo devices and recommends that business and individual users turn off the drives to protect their data. from Dark Reading: https://www.darkreading.com/attacks-breaches/attacks-erase-western-digital-network-attached-storage-drives/d/d-id/1341419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - 5G Security Vulnerabilities Fluster Mobile Operators

A survey from GSMA and Trend Micro shows a concerning lack of security capabilities for private 5G networks (think factories, smart cities, industrial IoT, utilities and more). from Threatpost https://threatpost.com/mobile-operators-5g-security-vulnerabilities/167354/

Threat Post - NVIDIA Patches High-Severity GeForce Spoof-Attack Bug

A vulnerability in NVIDIA’s GeForce Experience software opens the door to remote data access, manipulation and deletion. from Threatpost https://threatpost.com/nvidia-high-severity-geforce-spoof-bug/167345/

Dark Reading - New House Bill Aims to Drive Americans' Security Awareness

The legislation requires the National Telecommunications and Information Administration to establish a cybersecurity literacy campaign. from Dark Reading: https://www.darkreading.com/attacks-breaches/new-house-bill-aims-to-drive-americans-security-awareness/d/d-id/1341418?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - Microsoft Tracks Attack Campaign Against Customer Support Agents

The company attributes the attack to Nobelium, the same group it linked to the SolarWinds campaign earlier this year. from Dark Reading: https://www.darkreading.com/endpoint/microsoft-tracks-attack-campaign-against-customer-support-agents/d/d-id/1341416?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Threat Post - Russian Attackers Breach Microsoft Customer Service Accounts

American IT companies and government have been targeted by the Nobelium state-sponsored group.   from Threatpost https://threatpost.com/russian-attackers-breach-microsoft/167340/

Dark Reading - An Interesting Approach to Cyber Insurance

What if insurers were to offer companies an incentive -- say, a discount -- for better protecting themselves? from Dark Reading: https://www.darkreading.com/edge/theedge/an-interesting-approach-to-cyber-insurance/b/d-id/1341413?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dark Reading - The Danger of Action Bias: Is It Always Better to Act Quickly?

Experts discuss the meaning of action bias and how it presents a threat to IT security leaders, practitioners, and users. from Dark Reading: https://www.darkreading.com/careers-and-people/the-danger-of-action-bias-is-it-always-better-to-act-quickly/d/d-id/1341415?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Recorded Future - Additional Entities Targeted by DarkSide Affiliate, TAG-21; Links to WellMess and Sliver Infrastructure

Image
Executive Summary In mid-May 2021, Insikt Group reported that a further 11 organizations were likely targeted by the same DarkSide affiliate that had compromised Colonial Pipeline. Substantial network communications matching a Recorded Future heuristic behavioral signature were observed on April 27 from 9 of these organizations to a Cobalt Strike command and control (C2) server (176.123.2[.]216) that was used in the operation to target Colonial Pipeline. Insikt Group tracks this ransomware-as-a-service (RaaS) affiliate and its activities internally as TAG-21. In the two weeks after these organizations were first targeted, 5 of those 9 organizations were also communicating with suspected WellMess and Sliver C2s. Recorded Future Network Traffic Analysis (NTA) confirmed that over 35 entities across multiple verticals and geographies, including Fortune 500 companies, were communicating with the same suspected C2 infrastructure, indicating potential compromise. Almost all of the targete