OSN MARCH 11, 2021

Fortify Security Team
Mar 11, 2021

Title: Windows 10 Crashes When Printing Due to Microsoft March Updates
Date Published: March 10, 2021


Excerpt: “Yesterday, Microsoft released two security updates, tracked as CVE-2021-1640 and CVE-2021-26878, to fix a privilege elevation vulnerability in the Windows Print Spooler. Microsoft does not include security updates in the Preview cumulative update offered last month, which is likely why users did not experience the same crashes when printing. During the June 2020 Patch Tuesday updates, a bug was also introduced that prevented users from printing. To resolve these printing issues, Microsoft released out-of-band updates for Windows users.”

Title: F5 Urges Customers to Patch Critical Big-Ip Preauth RCE Bug
Date Published: March 10, 2021


Excerpt: “Today, F5 published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands. Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network. The seven vulnerabilities are fixed in the following BIG-IP versions:,, 14.1.4,,, and, according to F5.”

Title: Exchange Servers Under Siege From at Least 10 APT Groups
Date Published: March 10, 2021


Excerpt: “On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates. Finally, the day after the release of the patch, we started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups interested in espionage, except for one outlier (DLTMiner), which is linked to a known crypto mining campaign.”

Title: Top 10 Cybersecurity Vulnerabilities of 2020
Date Published: March 10, 2021


Excerpt: “One CVE, CVE-2019-19871 (a Citrix server path traversal flaw), was far and away the most exploited vulnerability in 2020, according to X-Force data. Despite the dominance of this relatively new vulnerability, the list of the 10 most exploited vulnerabilities of 2020 was dominated by older security issues, with just two out of the top 10 being discovered in 2020.”

Title: Hackers Publish Data Stolen Through Accellion FTA
Date Published: March 9, 2021


Excerpt: “The messages urged recipients to use the Tor browser to visit a .onion site, and they claimed the website got tens of thousands of hits per day. Among the purported visitors: all kinds of hackers and journalists able to cause even greater damage to a company’s infrastructure and reputation. Interestingly, the site belongs to the CL0P group, which specializes in ransomware, although in the attacks through the Accellion FTA vulnerabilities, the files were not encrypted. The hackers, it seems, took advantage of this convenient platform.”

Title: Malware Operator Employs New Trick to Upload Its Dropper into Google Play
Date Published: March 10,  2021


Excerpt: “Check Point said its researchers in January discovered a new malware dropper hidden inside nine legitimate and known Android utility apps on Google Play store. The poisoned apps included several VPNs, a barcode reader, a music player, and a voice call recorder. “Those apps [were] based on open-source projects,” says Aviran Hazum, Check Point’s manager of mobile research. “The actor [could] just download the code, insert the malicious components, and compile the app.””

Title: US Schools Faced Record Number of Security Incidents in 2020
Date Published: March 10,  2021


Excerpt: “Meanwhile, half of the decision makers reported an increase in remote working, with 66% of those that did so witnessing an increase in phishing and ransomware attacks. This operational shift also exposed concerns around the impact of people on cyber resilience: of the 39% that reported an increase in insider threats, 51% believed that an increase in remote working was the cause.”

Title: New Steganography Attack Targets Azerbaijan
Date Published: March 10, 2021


Excerpt: “We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan. Since April 2020 attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers found several actors that have exploited this conflict via phishing lures to drop AgentTesla and PoetRat. While AgentTesla has been distributed globally through different spam campaigns, PoetRat has been used specifically to target Azerbaijanis.”

Title: NIM-Based Malware Loader Spreads VIA Spear-Phishing Emails
Date Published: March 10, 2021


Excerpt: “The malware loader is unique in that it is written in the Nim programming language. The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group. Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.”

Title: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
Date Published: March 10, 2021


Excerpt: “We have discovered an undocumented backdoor targeting Linux systems, masqueraded as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR. Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors. The samples, which have low detection rates in VirusTotal, were uploaded from Indonesia and Taiwan, countries known to be targeted by Chinese threat actors. The samples are compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, hinting that RedXOR is used in targeted attacks against legacy Linux systems.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...