OSN FEBRUARY 11, 2021

Feb 11, 2021 | Open Source News

Title: 12-Year-Old Windows Defender Bug Gives Hackers Admin Rights

Date Published: February 11, 2021

https://www.bleepingcomputer.com/news/security/12-year-old-windows-defender-bug-gives-hackers-admin-rights/

Excerpt: “CVE-2021-24092 impacts Defender versions going back as far as 2009, and it affects client and server releases starting with Windows 7 and up. Threat actors with basic user privileges can exploit it locally, as part of low complexity attacks that don’t require user interaction. The vulnerability also impacts other Microsoft security products including but not limited to Microsoft Endpoint Protection, Microsoft Security Essentials, and Microsoft System Center Endpoint Protection.”

Title: Vulnerabilities in Widely Used TCP/IP Stacks Open IoT, OT Devices to Attack

Date Published: February 11, 2021

https://www.helpnetsecurity.com/2021/02/11/vulnerabilities-tcp-ip-iot/

Please also see: Weak ISN Generation in Embedded TCP/IP Stacks
https://www.forescout.com/company/resources/numberjack-weak-isn-generation-in-embedded-tcpip-stacks/

Excerpt: “The researchers probed 11 TCP/IP stacks, seven of which are open-source (uIP, FNET, picoTCP, Nut/Net, lwIP, cycloneTCP and uC/TCP-IP), and the rest include Microchip’s MPLAB Net, Texas Instruments’ NDKTCPIP, ARM’s Nanostack and Siemens’ Nucleus NET. They discovered that lwIP and Nanostack were not vulnerable, but the rest were, and that the vulnerabilities allow attackers to predict the ISN of existing TCP connections or new ones. The CVEs and the specific descriptions of each vulnerability can be found here.”

Title: Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict

Date Published: February 11, 2021

https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict

Excerpt: “While primarily known for desktop malware, the Confucius group was previously reported to have started leveraging mobile malware in 2017, with the Android surveillanceware ChatSpy. Targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir. Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.”

Title: 10 SIM Swappers Arrested for Stealing $100M in Crypto from Celebrities

https://thehackernews.com/2021/02/10-sim-swappers-arrested-for-stealing.html

Date Published: February 11, 2021

Please also see: Brits Arrested for SIM Swapping Attacks on US Celebs
https://www.nationalcrimeagency.gov.uk/news/brits-arrested-for-sim-swapping-attacks-on-us-celebs

Excerpt: “The eight suspects, aged 18 to 26, are said to be part of a larger ring, two members of which were nabbed previously in Malta and Belgium. The latest arrests were made in England and Scotland. The sweep comes almost a year after Europol led an operation to dismantle two SIM swap criminal groups that stole €3.5 million ($3.9 million) by orchestrating a wave of more than 100 attacks targeting victims in Austria, emptying their bank accounts through their phone numbers.”

Title: Agent Tesla Hidden in a Historical Anti-Malware Tool

Date Published: February 11, 2021

https://isc.sans.edu/forums/diary/Agent+Tesla+hidden+in+a+historical+antimalware+tool/27088/

Excerpt: “The e-mail carrying the ISO attachment was a run-of-the-mill-looking malspam, informing the recipient about a new delivery from DHL. It had a spoofed sender address “[email protected][.]com”, which – although looking at least somewhat believable – certainly didn’t have the impact of making the message appear trustworthy, which is what the authors of the e-mail were most likely hoping for. On the contrary, it must have resulted in very few of the messages actually making it past any security analysis on e-mail gateways. The reason is that DHL has a valid SPF record set up for dhl.com, so any SPF check (i.e. something that most of the world’s e-mail servers perform automatically these days) would lead to a “soft fail” result, which would consequently most likely lead to the message being quarantined (if not deleted outright).”

Title: Singtel Hit by Third-Party Vendor’s Security Breach, Customer Data May Be Leaked

https://www.zdnet.com/article/singtel-hit-by-third-party-vendors-security-breach-customer-data-may-be-leaked/

Date Published: February 11, 2021

Please also see: About Accellion FTA Security Incident
https://www.singtel.com/personal/support/about-accellion-security-incident

Excerpt: “It noted that due to the “complexity of the investigations”, its impact assessment would take some time. It said it would contact those that might have had their data illegally downloaded. Accellion on February 1 said its FTA system was a 20-year-old large-file transfer software nearing the end of its lifecycle. It had been the target of a “sophisticated cyberattack”, which was first made known on December 23 when Accellion informed all its customers of an attack involving the file-sharing system.”

Title: Microsoft Now Forces Secure RPC to Block Windows Zerologon Attacks

Date Published: February 10, 2021

https://www.bleepingcomputer.com/news/security/microsoft-now-forces-secure-rpc-to-block-windows-zerologon-attacks/

Excerpt: “Microsoft has enabled enforcement mode for updates addressing the Windows Zerologon vulnerability on all devices that installed this month’s Patch Tuesday security updates. Zerologon is a critical Netlogon Windows Server process security flaw (tracked as CVE-2020-1472) that allows attackers to elevate privileges to domain administrators and take control over the domain following successful exploitation.”

Title: Multivector Attacks Demand Security Controls at the Messaging Level

Date Published: February 10, 2021

https://www.darkreading.com/vulnerabilities---threats/multivector-attacks-demand-security-controls-at-the-messaging-level/a/d-id/1340034

Excerpt: “In recent days, the cybersecurity community has been abuzz with discussion of the latest announcement from Google’s Threat Analysis Group. Google says it has spent the past few months tracking a new campaign orchestrated by “a government-backed entity based in North Korea,” thought to be the threat actor known as the Lazarus Group. The campaign targeted a number of security researchers. There are special lessons to be learned from this campaign. The researchers were attacked in a complex, multivector fashion.”

Title: Attackers Exploit Critical Adobe Flaw to Target Windows Users

Date Published: February 9, 2021

https://threatpost.com/critical-adobe-windows-flaw/163789/

Excerpt: “Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows. The vulnerability (CVE-2021-21017) has been exploited in “limited attacks,” according to Adobe’s Tuesday advisory, part of its regularly scheduled February updates. The flaw in question is a critical-severity heap-based buffer overflow flaw. This type of buffer-overflow error occurs when the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed. If a buffer-overflow occurs, it typically causes the affected program to behave incorrectly. With this flaw in particular, it can be exploited to execute arbitrary code on affected systems.”

Title: BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

Date Published: February 9, 2021

https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/

Excerpt: “Highly malleable, highly sophisticated and over 10,000 bytes of machine code. This is what Unit 42 researchers were met with during code analysis of this “bear” of a file. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. Analysis by Trend Micro and TeamT5 unveiled WaterBear as a multifaceted, stage-two implant, capable of file transfer, shell access, screen capture and much more. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government, and is believed to be responsible for recent attacks against several East Asian government organizations.”