OSN March 30, 2021

Fortify Security Team
Mar 30, 2021

Title: APT10: Sophisticated Multi-Layered Loader Ecipekac Discovered in A41APT Campaign

Date Published: March 30, 2021

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

Excerpt: “A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. One particular piece of malware from this campaign is called Ecipekac (a.k.a DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster (a.k.a DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a GreetCake, and HEAVYPOT) and FYAnti (a.k.a DILLJUICE stage2) which loads QuasarRAT.”

Title: Hundreds of Thousands of Projects Affected by a Flaw in Netmask NPM Package

Date Published: March 30, 2021

https://securityaffairs.co/wordpress/116126/hacking/netmask-npm-package-flaw.html

Excerpt: “Improper input validation of octal strings in widely used netmask npm package v1.1.0 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages,” reads the description of the flaw. “The netmask npm package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.”
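As an added example (not from the article and not the netmask package's own code), the simplified JavaScript below contrasts lenient left-stripped parsing of an octet such as "010" with inet_aton-style octal parsing, and shows a strict canonical-form parser that an address filter can use so every consumer reads the same address; the parser functions are assumed simplifications written for this illustration.

```javascript
// Added example, not code from the article or the netmask package: the excerpt
// says netmask read octets such as "010" as left-stripped integers (10) while
// inet_aton-style stacks read them as octal (8). The parsers below are
// assumed simplifications written to show that disagreement and a strict fix.

// Lenient octet parsing: leading zeros are simply dropped ("010" -> 10).
function lenientOctet(s) {
  if (!/^[0-9]+$/.test(s)) return null;
  const n = parseInt(s, 10);
  return n <= 255 ? n : null;
}

// inet_aton-style octet parsing: "0x.." is hex, "0.." is octal, else decimal.
function inetAtonOctet(s) {
  let n;
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) n = parseInt(s.slice(2), 16);
  else if (/^0[0-7]+$/.test(s)) n = parseInt(s.slice(1), 8);
  else if (/^0[0-9]+$/.test(s)) return null; // "08", "09": invalid octal
  else if (/^[0-9]+$/.test(s)) n = parseInt(s, 10);
  else return null;
  return n <= 255 ? n : null;
}

// Parse a dotted quad with the given octet parser; null on any bad octet.
function parseIPv4(addr, octetParser) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const out = parts.map(octetParser);
  return out.includes(null) ? null : out;
}

// Strict canonical-form parser for a filter: four decimal octets, no leading
// zeros, no hex, so one string cannot mean two addresses to two parsers.
function strictParseIPv4(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const out = [];
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    out.push(n);
  }
  return out;
}

// Would a filter that treats 10.0.0.0/8 as internal classify these octets as internal?
function isInTenSlash8(octets) {
  return octets !== null && octets[0] === 10;
}
```

With the lenient parser "010.0.0.1" is classed as internal 10/8 space, while an inet_aton-style stack connects to 8.0.0.1, which is the filter bypass the excerpt describes; the strict parser rejects the ambiguous string instead.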

Title: 30 Docker Images Downloaded 20m Times in Cryptojacking Attacks

Date Published: March 30, 2021

https://securityaffairs.co/wordpress/116111/cyber-crime/docker-cryptojacking-attacks.html

Excerpt: “In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code,” continues the report. “For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”

Title: Microsoft Exchange Attacks Increase While Wannacry Gets a Restart

Date Published: March 30, 2021

https://www.bleepingcomputer.com/news/security/microsoft-exchange-attacks-increase-while-wannacry-gets-a-restart/

Excerpt: “The reason behind the high numbers is WannaCry being wormable and thousands of systems still vulnerable to EternalBlue that are reachable over the public internet. Check Point observed the same trend starting in December 2020, with attacks continuing to increase well over 12,000 in March 2021. The figures show the importance of patching on time, else organizations remain vulnerable to attack vectors that should be mostly extinct.”

Title: A Highly Sophisticated Ransomware Attack Leaves 36,000 Students Without Email

Date Published: March 29, 2021

https://www.zdnet.com/article/a-highly-sophisticated-ransomware-attack-leaves-36000-students-without-email/

Excerpt: “Harris Federation has revealed that cyber criminals accessed IT systems and encrypted data with an undisclosed form of ransomware. In a statement, Harris Federation said ransomware attack will have a “significant impact” and that as a precaution the email system has been disabled. The school phone services, which also run via the internet, have also been disabled, aside from some “very limited” switchboard services. Students who have been issued devices by the schools can’t currently use them as they’ve been disabled as a precaution.”

Title: MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed

Date Published: March 29, 2021

https://thehackernews.com/2021/03/mobikwik-suffers-major-breach-kyc-data.html

Excerpt: “Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. Even worse, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them, in what’s likely a breach of government regulations.”

Title: China-Linked Redecho APT Took Down Part of Its C2 Domains

Date Published: March 29, 2021

https://securityaffairs.co/wordpress/116094/apt/redecho-apt-c2-shutdown.htm

Excerpt: “The attacks surged while relations between India and China have deteriorated significantly following border clashes in May 2020. Recorded Future tracked the APT group as “RedEcho” and pointed out that its operations have a significant overlap with the China-linked APT41/Barium actor. Experts noticed that at least 3 of the targeted Indian IP addresses were previously hit by APT41 in a November 2020 campaign aimed at Indian Oil and Gas sectors.”

Title: PHP Infiltrated with Backdoor Malware

Date Published: March 29, 2021

https://threatpost.com/php-infiltrated-backdoor-malware/165061/

Excerpt: “In March, for instance, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. In January meanwhile, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.”

Title: Diffie-Hellman Man-in-the-Middle Attack

Date Published: March 29, 2021

https://wiremask.eu/articles/diffie-hellman-man-in-the-middle-attack

Excerpt: “The Diffie-Hellman protocol is a method for two users to generate a shared private secret with which they can then exchange information across a public channel. This protocol is mostly used to secure a variety of network services. A Diffie-Hellman key exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack. An attacker may establish two distinct key exchanges between the two parties, allowing it to decrypt, then re-encrypt the messages transmitted between them.”

Title: Fatface Pays Out $2 Million to Conti Ransomware Gang

Date Published: March 28, 2021

https://grahamcluley.com/fatface-pays-out-2-million-to-conti-ransomware-gang/

Excerpt: “However, in negotiations uncovered by Computer Weekly’s French sister publication LeMagIT, FatFace successfully managed to talk the ransom down after explaining revenues had tumbled due to high-street stores being shut during the Coronavirus lockdown. A representative of the Conti gang told FatFace’s negotiator that the initial breach of the retailer was via a phishing attack on 10 January 2021. The attackers were able to use the initial compromise as a base for gaining admin rights and then spreading laterally through FatFace’s network.”
