OSN FEBRUARY 3, 2021

by | Feb 3, 2021 | Open Source News

Title: Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

Date Published: February 3, 2021

https://thehackernews.com/2021/02/over-dozen-chrome-extensions-caught.html

Excerpt: “All the backdoored browser add-ons have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores. Collectively called “CacheFlow” by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask its true purpose: Leverage Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.”

Title: Hacking Organizations One Document at a Time With Metadata

Date Published: February 3, 2021

https://medium.com/bugbountywriteup/hacking-organizations-one-document-at-a-time-with-metadata-1af2eb10f254

Excerpt: “Metadata is a go-to source for this information and is easily overlooked during a company’s publishing process. Once posted on their website, or another public forum, it is possible to download the file and extract critical information using utilities such as Phil Harvey’s ExifTool. This is a platform-independent application written in Perl that can be used to read, write, and edit meta information in a variety of file types.”

Title: 3 New Severe Security Vulnerabilities Found In SolarWinds Software

Date Published: February 3,  2021

https://thehackernews.com/2021/02/3-new-severe-security-vulnerabilities.html

Excerpt: “The two sets of vulnerabilities in Orion and Serv-U FTP were disclosed to SolarWinds on December 30, 2020, and January 4, 2021, respectively, following which the company resolved the issues on January 22 and January 25. It’s highly recommended that users install the latest versions of Orion Platform and Serv-U FTP (15.2.2 Hotfix 1) to mitigate the risks associated with the flaws. Trustwave said it intends to release a proof-of-concept (PoC) code next week on February 9.”

Title: Microsoft Defender ATP Is Detecting Yesterday’s Chrome Update as a Backdoor

https://www.zdnet.com/article/microsoft-defender-atp-is-detecting-yesterdays-chrome-update-as-a-backdoor/#ftag=RSSbaffb68

Date Published: February 3, 2021

Excerpt: “As per the screenshot above, but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named “PHP/Funvalget.A.” The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months. System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a “false possitive” and not an actual threat.”

Title: Hackers Stole Personnel Records of Software Developer Wind River

Date Published: February 3,  2021

https://securityaffairs.co/wordpress/114151/data-breach/wind-river-data-breach.html

Excerpt: “The company claims its technology is found in more than 2 billion products, it develops run-time software, middleware, development and simulation platforms. The security breach took place on or around September 29, 2020, attackers accessed the personal information of its employees. “Our outside experts recently determined that some of your personal information would have been available within one or more files that were downloaded from our network on or about September 29, 2020,” reads the data breach notification letter sent by the company to its employees”.”

Title: Excel Spreadsheets Push SystemBC Malware

Date Published: February 2,  2021

https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/

Excerpt: “On Monday 2021-02-01, a fellow researcher posted an Excel spreadsheet to the Hatching Triage sandbox.  This Excel spreadsheet has a malicious macro, and it uses an updated GlobalSign template that I hadn’t noticed before (link for the sample). This Excel spreadsheet pushed what might be SystemBC malware when I tested it in my lab environment on Monday 2021-02-01.  My lab host was part of an Active Directory (AD) environment, and I also saw Cobalt Strike as follow-up activity from this infection.”

Title: Recent Root-Giving Sudo Bug Also Impacts MacOS

Date Published:  February 3, 2021

https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/#ftag=RSSbaffb68

Excerpt: “Hickey said he tested the CVE-2021-3156 vulnerability and found that with a few modifications, the security bug could be used to grant attackers access to macOS root accounts as well. “To trigger it, you just have to overwrite argv[0] or create a symlink, which therefore exposes the OS to the same local root vulnerability that has plagued Linux users the last week or so,” Hickey told ZDNet today, prior to sharing a video of the bug in question”.”

Title: Threat Actors Capitalize on COVID-19 Vaccine News to Run Campaigns, AWS Abused to Host Malicious PDFs

Date Published: February 2, 2021

https://www.anomali.com/blog/threat-actors-capitalize-on-covid-19-vaccine-news-to-run-campaigns-aws-abused-to-host-malicious-pdfs

Excerpt: “The majority of this research centers on analysis of known threat actors and indicators of compromise (IOCs). There are several samples that we believe are newly discovered by our researchers (we haven’t seen them discussed elsewhere). Among these are several malicious PDFs hosted on Amazon Web Services (AWS) and other hosting websites. We discuss this campaign below in the chapter named “2.c. Alternative channel: Online PDF Search Engine Optimization (SEO)”, detailing samples with titles “Adenovirus vector pdf” and “Illinois coronavirus october 15”.”

Title: TrickBot Continues Resurgence with Port-Scanning Module

Date Published: February 2, 2021

https://threatpost.com/trickbot-port-scanning-module/163615/

Excerpt: “The TrickBot trojan is continuing its bounce-back from an autumn takedown, recently adding a network-scanning module that uses the Masscan open-source tool to look for open ports. Masscan is a mass TCP/IP port scanner, which can scan the entire internet in under five minutes according to its authors, transmitting 10 million packets per second of data from a single machine. The TrickBot module that uses it, dubbed “masrv,” is likely used for network reconnaissance, according to researchers at Kryptos Logic.”

Title: Microsoft Defender Now Detects MacOS System, App Vulnerabilities

Date Published:  February 2, 2021

https://www.bleepingcomputer.com/news/security/microsoft-defender-now-detects-macos-system-app-vulnerabilities/

Excerpt: “”This capability expansion enables organizations to discover, prioritize, and remediate both software and operating system vulnerabilities on devices running macOS,” Microsoft Senior Product Manager Tomer Reisner said. “After onboarding your macOS devices to Microsoft Defender for Endpoint, you’ll get the latest security recommendations, review recently discovered vulnerabilities in installed applications, and issue remediation tasks, just like you can with Windows devices”.”