OSN MARCH 12, 2021

by | Mar 14, 2021 | Open Source News

Title: OVH Data Center Fire Likely Caused by Faulty UPS Power Supply
Date Published: March 12, 2021

https://www.bleepingcomputer.com/news/security/ovh-data-center-fire-likely-caused-by-faulty-ups-power-supply/

Excerpt: “While the company may not yet have complete answers as to what exactly caused the fire bringing down its data centers, the founder touched upon an Uninterruptible Power Supply (UPS) unit that had been serviced that morning. In the video, Klaba explains that when the firefighters had arrived on the premises, the images taken with thermal cameras showed two UPS units burning, namely UPS7 and UPS8. The sighting is relevant as UPS7 had been serviced by a maintenance person in the morning. Klaba said that the UPS supplier had come in the same morning and changed many pieces within UPS7, and restarted the unit.”

Title: Rise in Remote Work Leads to Increase in IT Security Gaps
Date Published: March 12, 2021

https://www.helpnetsecurity.com/2021/03/12/remote-work-it-security-gaps/

Excerpt: “Organizations of all types need to prioritize finding ways to secure end-points for their employees’ devices, whether they are on laptops, edge servers or anything between, especially in the remote, zero trust environment we are living in. For IT teams this doesn’t have to mean prohibitive costs or compromising performance,” said Arun Subbarao, VP of engineering and technology at Lynx Software.”

Title: Netflix Introduces Measures to Prevent Password Sharing
Date Published: March 12, 2021

https://www.infosecurity-magazine.com/news/netflix-measures-prevent-password/

Excerpt: “We ran some research that found that over a quarter of people surveyed had willingly given away their passwords to someone else. This may not sound worrying when you know the other party with whom you are sharing the password, but what if they pass it on to someone without thinking? “However, it is unrealistic to expect that people are going to stop sharing their accounts completely, so my advice would be to regularly change your passwords in order to flush out anyone who has gained access over the last year who shouldn’t have. Creating complex passwords, combined with a password manager, will reduce your risk of compromise”.”

Title: Microsoft Exchange Servers Face APT Attack Tsunami
Date Published: March 12, 2021

https://threatpost.com/microsoft-exchange-servers-apt-attack/164695/

Excerpt: “Microsoft said in early March that it had spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server. Four flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a webshell for further exploitation within the environment.”

Title: Malspam Campaign Uses Icon Files to Delivers Nanocore Rat
Date Published: March 12, 2021

https://securityaffairs.co/wordpress/115520/malware/nanocore-rat-malspam-icon-files.html

Excerpt: “The analysis of the EXE files employed in the campaign revealed that the threat actors attempted to install the NanoCore RAT version 1.2.2.0 on the victims’ systems. Nanocore RAT is a “general purpose” malware with specific client factories available to everyone and easily accessible. The RAT implements information stealer and keylogger capabilities, it also allows to deliver of additional payloads on the victim’s system. The Nanocore RAT creates copies of itself in the AppData folder and is able to inject its malicious code at RegSvcs.exe process.”

Title: Internet Disruption in Russia Coincided With the Introduction of Restrictions
Date Published: March 12,  2021

https://securityaffairs.co/wordpress/115511/security/russia-internet-disruption.html

Excerpt: “On Wednesday 10 March 2021, researchers from Network data from the NetBlocks Internet Observatory observed the disruption of internet service provided by the Russian operator Rostelecom. The partial disruption of the service coincided with the announcement of new restrictions by the telecoms watchdog Roskomnadzor. Multiple operators were impacted by the activity, most impacted were mobile networks.”

Title: Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds
Date Published: March 12,  2021

https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/

Excerpt: “They claim that the Windows version of Darkside 2.0 encrypts files faster than any other ransomware-as-a-service (RaaS) and is twice as speedy as the previous iteration. This will mean victims have even less time to pull the plug if they find their network has been infected. Darkside 2.0 now also features multithreading in both Windows and Linux versions. The Linux version of the ransomware is now able to target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives.”

Title: What Are BEC Attacks?
Date Published: March 10, 2021

https://heimdalsecurity.com/blog/what-are-bec-attacks/

Excerpt: “Also known as the “man-in-the-email” attack, BEC scams start with a large amount of research, with the attacker going through publicly available information about the company, like websites, press releases, or social media published content. After finding the names and official titles of the company executives, the attacker will try to obtain access to the email addresses of the influential people in the company. To remain undetected he or she might use inbox rules or change the reply-to address so that when the scam is executed, the victim will not be alerted.”

Title: Ransomware Now Attacks Microsoft Exchange Servers With Proxylogon Exploits
Date Published: March 11, 2021

https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

Excerpt: “Threat actors are now installing a new ransomware called ‘DEAR CRY’ after hacking into Microsoft Exchange servers using the recently disclosed ProxyLogon vulnerabilities. Since Microsoft revealed earlier this month that threat actors were compromising Microsoft Exchange servers using new zero-day ProxyLogon vulnerabilities, a significant concern has been when threat actors would use it to deploy ransomware. Unfortunately, tonight our fears became a reality, and threat actors are using the vulnerabilities to install the DearCry ransomware.”

Title: New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor
Date Published: March 10, 2021

https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-ation-state-actor/

Excerpt: “We have discovered an undocumented backdoor targeting Linux systems, masqueraded as polkit daemon. We named it RedXOR for its network data encoding scheme based on XOR. Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors. The samples, which have low detection rates in VirusTotal, were uploaded from Indonesia and Taiwan, countries known to be targeted by Chinese threat actors. The samples are compiled with a legacy GCC compiler on an old release of Red Hat Enterprise Linux, hinting that RedXOR is used in targeted attacks against legacy Linux systems.”