OSN FEBRUARY 5, 2021

Fortify Security Team
Feb 5, 2021

Title: Hacking Group Also Used an IE Zero-Day Against Security Researchers
Date Published: February 4, 2021

https://www.bleepingcomputer.com/news/security/hacking-group-also-used-an-ie-zero-day-against-security-researchers/

Excerpt: “To perform their attacks, the threat actors created elaborate online ‘security researcher’ personas that would then use social media to contact well-known security researchers to collaborate on vulnerability and exploit development. Today, South Korean cybersecurity firm ENKI reported that Lazarus targeted security researchers on their team with MHTML files in this social engineering campaign. While they state that the attacks failed, they analyzed the payloads downloaded by the MHT file and discovered it contained an exploit for an Internet Explorer zero-day vulnerability.”

Title: Number of ICS Vulnerabilities Disclosed in 2020 up Significantly
Date Published: February 5, 2021

https://www.helpnetsecurity.com/2021/02/05/number-of-ics-vulnerabilities/

Excerpt: “The critical manufacturing, energy, water and wastewater, and commercial facilities sectors—all designated as critical infrastructure sectors—were by far the most impacted by vulnerabilities disclosed during 2H 2020 and shows increases from the previous two years across the board. “Nation-state actors are clearly looking at many aspects of the network perimeter to exploit, and cybercriminals are also focusing specifically on ICS processes, which emphasizes the need for security technologies such as network-based detection and secure remote access in industrial environments”.”

Title: Woman Pleads Guilty for Using Gov’t PC to Steal Photos of ‘Snitches’ in Iowa
Date Published: February 5, 2021

https://www.zdnet.com/article/iowa-woman-pleads-guilty-for-stealing-data-from-govt-pcs-publishing-photos-on-facebook-snitch-group/

Excerpt: “Taff worked in the civil division, and so should have been nowhere near records related to criminal cases. However, in 2018, 33-year-old Manna asked Taff, as her acquaintance, to access information relating to “certain defendants in a criminal investigation and prosecution being handled by the US Attorney’s Office,” according to the DoJ. Taff agreed to Manna’s request and in mid-May, the 37-year-old used her government PC to access criminal investigation files on the district’s shared storage drive.”

Title: XSS vulnerability in FortiWeb
Date Published: February 5, 2021

https://www.fortiguard.com/psirt/FG-IR-20-122

Excerpt: “An improper neutralization of input during web page generation in FortiWeb GUI interface may allow an unauthenticated, remote attacker to perform a reflected cross site scripting attack (XSS) by injecting malicious payload in different vulnerable API end-points. Please upgrade to FortiWeb versions 6.3.8 or above. Please upgrade to FortiWeb versions 6.2.4 or above.”

Title: Chrome Zero-Day Browser Bug Found – Patch Now!
Date Published: February 5, 2021

https://nakedsecurity.sophos.com/2021/02/05/chrome-zero-day-browser-bug-found-patch-now/

Excerpt: “By simply luring you to a web page that contains a suitably booby-trapped exploit file, the crooks can trick your browser into downloading, processing, and choking on, their exploit. This sort of attack, which you will sometimes hear referred to as a drive-by because it can be triggered merely by viewing a malicious web page, bypasses any of the telltale “are you sure” warnings or popups that would otherwise alert you to malicious activity.”

Title: Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
Date Published: February 4, 2021

https://threatpost.com/cisco-flaws-vpn-routers-rce/163662/

Excerpt: “Cisco on Wednesday pushed out a flurry of patches addressing high-severity vulnerabilities beyond its VPN small-business routers. Two Cisco product families are affected by these flaws. One affected product is Cisco’s small business RV series routers – specifically, the RV016, RV042, RV042G, RV082, RV320, and RV325 models. Cisco warned of issues in these routers (tied to 30 CVEs) that could allow authenticated, remote attackers to execute arbitrary code or cause them to restart unexpectedly. The flaws, which stem from an improper validation of user-supplied input into the routers’ web-based interface, could be exploited by an attacker by sending crafted HTTP requests to affected devices.”

Title: Hackers Steal Stormshield Firewall Source Code in Data Breach
Date Published: February 4, 2021

https://www.bleepingcomputer.com/news/security/hackers-steal-stormshield-firewall-source-code-in-data-breach/

Excerpt: “To be safe, StormShield anticipates changing the code signing certificate used to ensure the integrity of the SNS (Stormshield Network Security) firmware releases and updates. Recently, the Stormshield teams detected a security incident that resulted in an unauthorized access to a technical portal used, in particular, by our customers and partners for the management of their support tickets on our products. StormShield discovered that threat actors accessed some of the source code for their SNS (Stormshield Network Security) source code during the attack after further investigation. Their investigations do not indicate that the source code has been modified.”

Title: Web Application Attacks Grow Reliant on Automated Tools
Date Published: February 4, 2021

https://www.darkreading.com/application-security/web-application-attacks-grow-reliant-on-automated-tools/d/d-id/1340071

Excerpt: “An attacker may try to send a large number of parameters in the URL to see how an application behaves, he explains. The app may throw an error and display a page where the attacker can learn it uses a SQL database. Knowing this, they could try a SQL injection attack and see if the app doesn’t sanitize something properly, which could help them gain access to the database. These lesser-skilled attackers slowly learn how the threats work; as they persist, they start to become more specialized and go in one of two directions.”

Title: Watch Out as New Matryosh DDoS Botnet Hits Android Devices
Date Published: February 4, 2021

https://www.hackread.com/matryosh-ddos-botnet-hits-android-devices/

Excerpt: “Matryosh is a unique botnet as it uses the Tor network for hiding its command-and-control servers. Moreover, it uses a multi-layered process to obtain the server address. This is why it is named Matryosh, which is inspired by traditional matryoshka Russian dolls. Researchers suspect that this botnet could be the work of the same group that created the Moobot botnet in 2019 and LeetHozer botnet in 2020. Several clues reveal similarities between these three botnets. For instance, they are essentially created and used to launch DDoS attacks.”

Title: Microsoft Office 365 Attacks Sparked from Google Firebase
Date Published: February 4, 2021

https://threatpost.com/microsoft-office-365-attacks-google-firebase/163666/

Excerpt: “Researchers at Armorblox uncovered invoice-themed emails sent to at least 20,000 mailboxes that purport to share information about an electronic funds transfer (EFT) payment. The emails carry a fairly vanilla subject line, “TRANSFER OF PAYMENT NOTICE FOR INVOICE,” and contain a link to download an “invoice” from the cloud. Clicking that link begins a series of redirects that eventually takes targets to a page with Microsoft Office branding that’s hosted on Google Firebase. That page is of course a phishing page, bent on harvesting Microsoft log-in information, secondary email addresses and phone numbers.”