Title: APT10: Sophisticated Multi-Layered Loader Ecipekac Discovered in A41APT Campaign
Date Published: March 30, 2021
Excerpt: “A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. One particular piece of malware from this campaign is called Ecipekac (a.k.a DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster (a.k.a DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a GreetCake, and HEAVYPOT) and FYAnti (a.k.a DILLJUICE stage2) which loads QuasarRAT.”
Title: Hundreds of Thousands of Projects Affected by a Flaw in Netmask NPM Package
Date Published: March 30, 2021
https://securityaffairs.co/wordpress/116126/hacking/netmask-npm-package-flaw.html
Excerpt: “Improper input validation of octal strings in widely used netmask npm package v1.1.0 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages.” reads the description of the flaw. “The netmask npm package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.”
Title: 30 Docker Images Downloaded 20m Times in Cryptojacking Attacks
Date Published: March 30, 2021
https://securityaffairs.co/wordpress/116111/cyber-crime/docker-cryptojacking-attacks.html
Excerpt: “In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code.” continues the report. “For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”
Title: Microsoft Exchange Attacks Increase While WannaCry Gets a Restart
Date Published: March 30, 2021
Excerpt: “The reason behind the high numbers is WannaCry being wormable and thousands of systems still vulnerable to EternalBlue that are reachable over the public internet. Check Point observed the same trend starting in December 2020, with attacks continuing to increase well over 12,000 in March 2021. The figures show the importance of patching on time, else organizations remain vulnerable to attack vectors that should be mostly extinct.”
Title: A Highly Sophisticated Ransomware Attack Leaves 36,000 Students Without Email
Date Published: March 29, 2021
Excerpt: “Harris Federation has revealed that cyber criminals accessed IT systems and encrypted data with an undisclosed form of ransomware. In a statement, Harris Federation said the ransomware attack will have a “significant impact” and that as a precaution the email system has been disabled. The school phone services, which also run via the internet, have also been disabled, aside from some “very limited” switchboard services. Students who have been issued devices by the schools can’t currently use them as they’ve been disabled as a precaution.”
Title: MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed
Date Published: March 29, 2021
https://thehackernews.com/2021/03/mobikwik-suffers-major-breach-kyc-data.html
Excerpt: “Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. Even worse, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them, in what’s likely a breach of government regulations.”
Title: China-Linked RedEcho APT Took Down Part of Its C2 Domains
Date Published: March 29, 2021
https://securityaffairs.co/wordpress/116094/apt/redecho-apt-c2-shutdown.htm
Excerpt: “The attacks surged while relations between India and China have deteriorated significantly following border clashes in May 2020. Recorded Future tracked the APT group as “RedEcho” and pointed out that its operations have a significant overlap with the China-linked APT41/Barium actor. Experts noticed that at least 3 of the targeted Indian IP addresses were previously hit by APT41 in a November 2020 campaign aimed at Indian Oil and Gas sectors.”
Title: PHP Infiltrated with Backdoor Malware
Date Published: March 29, 2021
https://threatpost.com/php-infiltrated-backdoor-malware/165061/
Excerpt: “In March, for instance, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. In January meanwhile, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.”
Title: Diffie-Hellman Man-in-the-Middle Attack
Date Published: March 29, 2021
https://wiremask.eu/articles/diffie-hellman-man-in-the-middle-attack
Excerpt: “The Diffie-Hellman protocol is a method for two users to generate a shared private secret with which they can then exchange information across a public channel. This protocol is mostly used to secure a variety of network services. A Diffie-Hellman key exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack. An attacker may establish two distinct key exchanges between the two parties, allowing it to decrypt, then re-encrypt the messages transmitted between them.”
Title: FatFace Pays Out $2 Million to Conti Ransomware Gang
Date Published: March 28, 2021
https://grahamcluley.com/fatface-pays-out-2-million-to-conti-ransomware-gang/
Excerpt: “However, in negotiations uncovered by Computer Weekly’s French sister publication LeMagIT, FatFace successfully managed to talk the ransom down after explaining revenues had tumbled due to highstreet stores being shut during the Coronavirus lockdown. A representative of the Conti gang told FatFace’s negotiator that the initial breach of the retailer was via a phishing attack on 10 January 2021. The attackers were able to use the initial compromise as a base for gaining admin rights and then spreading laterally through FatFace’s network.”