OSN March 3, 2021

Mar 3, 2021 | Open Source News

Title: Microsoft Accuses China Over Email Cyber-Attacks
Date Published: March 3, 2021

https://www.bbc.com/news/business-56261516

Excerpt: “Microsoft’s Threat Intelligence Centre attributed the attacks with “high confidence” to Hafnium, a group assessed to be state-sponsored and operating out of China. It based its conclusion on “observed victimology, tactics and procedures”. Microsoft said Hafnium targets infectious disease researchers, law firms, higher education institutions and defence contractors.”

Title: Ursnif Trojan Has Targeted Over 100 Italian Banks
Date Published: March 3, 2021

https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/#ftag=RSSbaffb68

Excerpt: “The cybersecurity firm said on Tuesday that at least 100 banks have been targeted, based on information gathered by the researchers. In one case alone, an unnamed payment processor had over 1,700 sets of credentials stolen. Avast found usernames, passwords, credit card, banking, and payment information that appears to have been harvested by the malware.”

Title: Hackers Now Hiding ObliqueRAT Payload in Images to Evade Detection
Date Published: March 3, 2021

https://thehackernews.com/2021/03/hackers-now-hiding-obliquerat-payload.html

Excerpt: “New research released by Cisco Talos reveals a new malware campaign targeting organizations in South Asia that utilizes malicious Microsoft Office documents forged with macros to spread a RAT that goes by the name of ObliqueRAT. First documented in February 2020, the malware has been linked to a threat actor tracked as Transparent Tribe (aka Operation C-Major, Mythic Leopard, or APT36), a highly prolific group allegedly of Pakistani origin known for its attacks against human rights activists in the country as well as military and government personnel in India.”

Title: Telemarketing Biz Exposes 114,000 in Cloud Config Error
Date Published: March 3, 2021

https://www.zdnet.com/article/obliquerat-trojan-now-hides-in-images-on-compromised-websites/

Excerpt: “According to its website, the firm counts lending marketplace Lendingtree, Liberty Mutual Insurance and smart security vendor Vivint among its customers. Rotem found 114,000 files left publicly accessible in the leaky bucket. Most of these were audio recordings of phone conversations between CallX clients and their customers, which were being tracked by the firm’s marketing software. An additional 2000 transcripts of text chats were also viewable.”

Title: Google Patches Actively Exploited Chrome Browser Zero-Day Vulnerability
Date Published: March 3, 2021

https://www.zdnet.com/article/google-patches-actively-exploited-chrome-browser-zero-day-vulnerability

Excerpt: “The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release. Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, another object lifecycle issue in audio problem, and CVE-2021-21163, an insufficient data validation issue in Reader Mode.”

Title: Data Breach: Millions of Phone Numbers, Recordings, and Call Logs Compromised in Ringostat Data Leak
Date Published: March 3, 2021

https://securityaffairs.co/wordpress/115224/data-breach/ringostat-data-breach-phone-numbers.htm

Excerpt: “WizCase security team has found a major breach in phone-tracking service Ringostat’s database. This leak left vulnerable phone numbers, call recordings, call logs, and more to potential attack. The leaked data numbers in the millions and was accessible to anyone who possessed the link. There was no need for a password or login credentials to access the information, and the data was not encrypted. The leak has since been secured.”

Title: Update Immediately: Microsoft Rushes Out Patches for Exchange Server Zero-Day Attacks
Date Published: March 3, 2021

https://www.zdnet.com/article/update-immediately-microsoft-rushes-out-patches-for-exchange-server-zero-day-attacks/#ftag=RSSbaffb68

Excerpt: “The attackers used the bugs in on-premise Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Washington DC-based security firm Volexity said in its analysis that the vulnerability CVE-2021-26855 was being used to steal the full contents of several user mailboxes. The bug didn’t require authentication and could be exploited remotely.”

Title: Ryuk Ransomware Develops Worm-Like Capabilities, France Warns
Date Published: March 3, 2021

https://www.cyberscoop.com/ryuk-ransomware-develops-worm-like-capabilities-anssi-france/

Excerpt: “With such worm-like self-replicating capabilities, Ryuk, one of the most prolific strains of ransomware in the world, can spread from machine to machine without any human interaction. The development presents only another challenge for security-minded researchers and law enforcement authorities already trying to grapple with the scourge of ransomware attacks pummeling international networks.”

Title: Cyber Analysts Find Links Between SunCrypt and QNAPCrypt Ransomware
Date Published: March 3, 2021

https://heimdalsecurity.com/blog/links-between-suncrypt-and-qnapcrypt-ransomware-found/

Excerpt: “First identified in July 2019, the QNAPCrypt has since been tracked by a Russian cybercriminal group called FullOfDeep. Meanwhile, in October 2019, SunCrypt appeared as the first Windows-based ransomware tool before being ported to the C/C++ version in mid-2020. Besides stealing victims’ data and threatening disclosure before encrypting files, this group also launches distributed denial of service (DDoS) attacks, which force the victim to pay the ransom.”

Title: Now-Fixed Linux Kernel Vulnerabilities Enabled Local Privilege Escalation (CVE-2021-26708)
Date Published: March 3, 2021

https://www.helpnetsecurity.com/2021/03/03/cve-2021-26708/

Excerpt: “These vulnerabilities result from race conditions that were implicitly added with virtual socket multi-transport support. They appeared in Linux kernel version 5.5 in November 2019. The vulnerable kernel drivers (CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS) are shipped as kernel modules in all major GNU/Linux distributions. The vulnerable modules are automatically loaded when an AF_VSOCK socket is created. This ability is available to unprivileged users.”
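The excerpt’s key operational point is that the vulnerable vsock modules are pulled in on demand the moment any unprivileged process calls socket(AF_VSOCK, ...), so a host can be exposed even though lsmod shows nothing. The program below is an added example written for this digest (it is not from the Help Net Security article, the researcher’s write-up or the kernel project): it performs that same socket() call as a probe, classifies the outcome, and prints the modprobe.d rule that blocks the autoload path until the kernel is updated. The AF_VSOCK value 40 and the errno meanings are taken from Linux headers; the file name /etc/modprobe.d/disable-vsock.conf and the function names are assumptions made here. A successful probe only shows that the attack surface is reachable; it does not by itself prove the running kernel is unpatched.

```c
/* Added example, not from the article or the kernel project. Linux only.
 * Probes whether an unprivileged caller can reach the AF_VSOCK family
 * (the autoload trigger the excerpt describes) and shows the modprobe
 * rule that closes that path. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_VSOCK
#define AF_VSOCK 40   /* value from <linux/socket.h>; older libc headers omit it */
#endif

enum vsock_state {
    VSOCK_REACHABLE   = 0, /* socket() succeeded: vsock is loaded or was autoloaded */
    VSOCK_UNAVAILABLE = 1, /* family not supported: module absent, autoload blocked,
                              or kernel built without CONFIG_VSOCKETS */
    VSOCK_OTHER_ERROR = 2  /* something else (EPERM from seccomp, EMFILE, ...) */
};

/* Map a socket() return value and errno to a state. Kept separate from the
 * syscall so the classification can be checked without a vsock-capable host. */
enum vsock_state classify_socket_result(int rc, int err)
{
    if (rc >= 0)
        return VSOCK_REACHABLE;
    if (err == EAFNOSUPPORT || err == ESOCKTNOSUPPORT || err == EPROTONOSUPPORT)
        return VSOCK_UNAVAILABLE;
    return VSOCK_OTHER_ERROR;
}

/* Perform the probe exactly as an unprivileged user would: on a kernel with
 * module autoloading this single call is what loads vsock and its transport.
 * The descriptor is closed immediately; nothing is bound or connected. */
enum vsock_state probe_vsock(int *saved_errno)
{
    int fd = socket(AF_VSOCK, SOCK_STREAM, 0);
    int err = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);
    if (saved_errno)
        *saved_errno = err;
    return classify_socket_result(fd, err);
}

/* Stopgap hardening (assumed file name). An "install" directive is needed
 * rather than "blacklist": the kernel autoloads via the alias net-pf-40,
 * and blacklist does not stop alias-driven loads, whereas install replaces
 * the load with /bin/true so socket(AF_VSOCK, ...) fails with EAFNOSUPPORT. */
const char *VSOCK_MODPROBE_RULE = "install vsock /bin/true";
const char *VSOCK_MODPROBE_FILE = "/etc/modprobe.d/disable-vsock.conf";

int main(void)
{
    int err = 0;
    switch (probe_vsock(&err)) {
    case VSOCK_REACHABLE:
        puts("AF_VSOCK socket created: vsock is loaded or autoloadable by this user.");
        puts("If the kernel is not yet patched for CVE-2021-26708, block autoload with (as root):");
        printf("  echo '%s' > %s\n", VSOCK_MODPROBE_RULE, VSOCK_MODPROBE_FILE);
        puts("and unload any already-loaded vsock transport modules where possible.");
        break;
    case VSOCK_UNAVAILABLE:
        printf("AF_VSOCK not reachable (%s): module absent or autoload blocked.\n",
               strerror(err));
        break;
    default:
        printf("probe failed for another reason: %s\n", strerror(err));
        break;
    }
    return 0;
}
```

Run it as a normal user, then apply the rule and run it again: the result should flip from reachable to unavailable. The rule also disables legitimate guest-to-host vsock traffic (some VM guest agents use it), so treat it as a temporary measure alongside the kernel update rather than a permanent setting.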