OSN MARCH 11, 2021

Fortify Security Team
Mar 11, 2021

Title: Windows 10 Crashes When Printing Due to Microsoft March Updates
Date Published: March 10, 2021

https://www.bleepingcomputer.com/news/microsoft/windows-10-crashes-when-printing-due-to-microsoft-march-updates/

Excerpt: “Yesterday, Microsoft released two security updates, tracked as CVE-2021-1640 and CVE-2021-26878, to fix a privilege elevation vulnerability in the Windows Print Spooler. Microsoft does not include security updates in the Preview cumulative update offered last month, which is likely why users did not experience the same crashes when printing. During the June 2020 Patch Tuesday updates, a bug was also introduced that prevented users from printing. To resolve these printing issues, Microsoft released out-of-band updates for Windows users.”

Title: F5 Urges Customers to Patch Critical BIG-IP Pre-Auth RCE Bug
Date Published: March 10, 2021

https://www.bleepingcomputer.com/news/security/f5-urges-customers-to-patch-critical-big-ip-pre-auth-rce-bug/

Excerpt: “Today, F5 published security advisories on three other RCE vulnerabilities (two high and one medium, with CVSS severity ratings between 6.6 and 8.8), allowing authenticated remote attackers to execute arbitrary system commands. Successful exploitation of critical BIG-IP RCE vulnerabilities could lead to full system compromise, including the interception of controller application traffic and lateral movement to the internal network. The seven vulnerabilities are fixed in the following BIG-IP versions: 16.0.1.1, 15.1.2.1, 14.1.4, 13.1.3.6, 12.1.5.3, and 11.6.5.3, according to F5.”

Title: Exchange Servers Under Siege From at Least 10 APT Groups
Date Published: March 10, 2021

https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/

Excerpt: “On 2021-02-28, we noticed that the vulnerabilities were used by other threat actors, starting with Tick and quickly joined by LuckyMouse, Calypso and the Winnti Group. This suggests that multiple threat actors gained access to the details of the vulnerabilities before the release of the patch, which means we can discard the possibility that they built an exploit by reverse engineering Microsoft updates. Finally, the day after the release of the patch, we started to see many more threat actors (including Tonto Team and Mikroceen) scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups interested in espionage, except for one outlier (DLTMiner), which is linked to a known crypto mining campaign.”

Title: Top 10 Cybersecurity Vulnerabilities of 2020
Date Published: March 10, 2021

https://securityintelligence.com/posts/top-10-cybersecurity-vulnerabilities-2020/

Excerpt: “One CVE, CVE-2019-19871 (a Citrix server path traversal flaw), was far and away the most exploited vulnerability in 2020, according to X-Force data. Despite the dominance of this relatively new vulnerability, the list of the 10 most exploited vulnerabilities of 2020 was dominated by older security issues, with just two out of the top 10 being discovered in 2020.”

Title: Hackers Publish Data Stolen Through Accellion FTA
Date Published: March 9, 2021

https://www.kaspersky.com/blog/accellion-fta-data-leaks/38980/

Excerpt: “The messages urged recipients to use the Tor browser to visit a .onion site, and they claimed the website got tens of thousands of hits per day. Among the purported visitors: all kinds of hackers and journalists able to cause even greater damage to a company’s infrastructure and reputation. Interestingly, the site belongs to the CL0P group, which specializes in ransomware, although in the attacks through the Accellion FTA vulnerabilities, the files were not encrypted. The hackers, it seems, took advantage of this convenient platform.”

Title: Malware Operator Employs New Trick to Upload Its Dropper into Google Play
Date Published: March 10, 2021

https://www.darkreading.com/application-security/malware-operator-employs-new-trick-to-upload-its-dropper-into-google-play-/d/d-id/1340372

Excerpt: “Check Point said its researchers in January discovered a new malware dropper hidden inside nine legitimate and known Android utility apps on Google Play store. The poisoned apps included several VPNs, a barcode reader, a music player, and a voice call recorder. ‘Those apps [were] based on open-source projects,’ says Aviran Hazum, Check Point’s manager of mobile research. ‘The actor [could] just download the code, insert the malicious components, and compile the app.’”

Title: US Schools Faced Record Number of Security Incidents in 2020
Date Published: March 10, 2021

https://www.darkreading.com/threat-intelligence/us-schools-faced-record-number-of-security-incidents-in-2020/d/d-id/1340371

Excerpt: “Meanwhile, half of the decision makers reported an increase in remote working, with 66% of those that did so witnessing an increase in phishing and ransomware attacks. This operational shift also exposed concerns around the impact of people on cyber resilience: of the 39% that reported an increase in insider threats, 51% believed that an increase in remote working was the cause.”

Title: New Steganography Attack Targets Azerbaijan
Date Published: March 10, 2021

https://blog.malwarebytes.com/threat-analysis/2021/03/new-steganography-attack-targets-azerbaijan/

Excerpt: “We recently observed a malicious Word file that uses this technique to drop a Remote Administration Trojan (RAT) that was new to us. Based on the decoy document, we assess that this attack is targeting the government and military of Azerbaijan. Since April 2020 attackers have been taking advantage of the tensions between Azerbaijan and Armenia to target Azerbaijanis. Researchers found several actors that have exploited this conflict via phishing lures to drop AgentTesla and PoetRat. While AgentTesla has been distributed globally through different spam campaigns, PoetRat has been used specifically to target Azerbaijanis.”

Title: Nim-Based Malware Loader Spreads via Spear-Phishing Emails
Date Published: March 10, 2021

https://threatpost.com/nim-based-malware-loader-spreads-via-spear-phishing-emails/164643/

Excerpt: “The malware loader is unique in that it is written in the Nim programming language. The use of Nim is uncommon for malware in the threat landscape, except in rare cases, such as a Nim-based downloader recently seen being used by the Zebrocy threat group. Because of this, researchers say malware developers may be using Nim to avoid detection by defense teams who may not be familiar with the language.”

Title: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
Date Published: March 10, 2021

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-ation-state-actor/

Excerpt: “We have discovered an undocumented backdoor targeting Linux systems, masqueraded as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR. Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors. The samples, which have low detection rates in VirusTotal, were uploaded from Indonesia and Taiwan, countries known to be targeted by Chinese threat actors. The samples are compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, hinting that RedXOR is used in targeted attacks against legacy Linux systems.”
