OSN March 30, 2021

Fortify Security Team
Mar 30, 2021

Title: APT10: Sophisticated Multi-Layered Loader Ecipekac Discovered in A41APT Campaign

Date Published: March 30, 2021

https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

Excerpt: “A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. Most of the discovered malware families are fileless malware and they have not been seen before. One particular piece of malware from this campaign is called Ecipekac (a.k.a DESLoader, SigLoader, and HEAVYHAND). It is a very sophisticated multi-layer loader module used to deliver payloads such as SodaMaster (a.k.a DelfsCake, dfls, and DARKTOWN), P8RAT (a.k.a GreetCake, and HEAVYPOT) and FYAnti (a.k.a DILLJUICE stage2) which loads QuasarRAT.”

Title: Hundreds of Thousands of Projects Affected by a Flaw in Netmask NPM Package

Date Published: March 30, 2021

https://securityaffairs.co/wordpress/116126/hacking/netmask-npm-package-flaw.html

Excerpt: “Improper input validation of octal strings in widely used netmask npm package v1.1.0 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages.” reads the description of the flaw. “The netmask npm package incorrectly evaluates individual ipv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on netmask to filter or evaluate ipv4 block ranges, both inbound and outbound.”
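The octet-parsing mismatch the excerpt describes, as an added example in JavaScript that is not code from the netmask package or the article: a filter that strips leading zeros classifies an address differently from the inet_aton-style reader used by the OS and most HTTP clients, while a strict canonical-decimal reader rejects the ambiguous spelling outright. The blocked ranges, function names and the three octet readers are assumptions chosen for illustration.

```javascript
// Added example, not netmask's own code: three ways to read one IPv4 octet
// and how an SSRF filter's verdict changes with the reader it uses.

// Behaviour the advisory attributes to netmask <= 1.1.0: leading zeros are
// dropped, so "0177" is read as decimal 177.
function leftStripOctet(s) {
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : NaN;
}

// inet_aton-style reading used by most OS resolvers and HTTP clients:
// a leading "0" means octal ("0177" is 127), "0x" means hexadecimal.
function inetAtonOctet(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-9]+$/.test(s)) return /^0[0-7]+$/.test(s) ? parseInt(s, 8) : NaN;
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : NaN;
}

// Strict reading for a security filter: canonical decimal only, so an
// ambiguous spelling is rejected instead of guessed at.
function strictOctet(s) {
  return /^(0|[1-9][0-9]{0,2})$/.test(s) ? Number(s) : NaN;
}

function parseIPv4(addr, octetFn) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map(octetFn);
  const ok = octets.every((n) => Number.isInteger(n) && n >= 0 && n <= 255);
  return ok ? octets : null;
}

const toInt = (o) => ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;

// Ranges a typical outbound-request filter blocks (assumed for the example).
const BLOCKED = [["10.0.0.0", 8], ["127.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Returns "blocked", "allowed" or "invalid" for addr under the given reader.
function classify(addr, octetFn) {
  const octets = parseIPv4(addr, octetFn);
  if (!octets) return "invalid";
  const ip = toInt(octets);
  for (const [net, bits] of BLOCKED) {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    const base = toInt(parseIPv4(net, strictOctet));
    if (((ip & mask) >>> 0) === ((base & mask) >>> 0)) return "blocked";
  }
  return "allowed";
}
```

The same string "0177.0.0.1" is "allowed" under the left-stripping reader, "blocked" under the inet_aton-style reader (it is 127.0.0.1) and "invalid" under the strict reader, which is the behaviour a filter should prefer.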

Title: 30 Docker Images Downloaded 20m Times in Cryptojacking Attacks

Date Published: March 30, 2021

https://securityaffairs.co/wordpress/116111/cyber-crime/docker-cryptojacking-attacks.html

Excerpt: “In most attacks that mine Monero, the attackers used XMRig, just as we saw with Hildegard and Graboid. XMRig is a popular Monero miner and is preferred by attackers because it’s easy to use, efficient and, most importantly, open source. Hence, attackers can modify its code.” continues the report. “For example, most Monero cryptominers forcibly donate some percentage of their mining time to the miner’s developers. One common modification attackers make is to change the donation percentage to 0.”

Title: Microsoft Exchange Attacks Increase While Wannacry Gets a Restart

Date Published: March 30, 2021

https://www.bleepingcomputer.com/news/security/microsoft-exchange-attacks-increase-while-wannacry-gets-a-restart/

Excerpt: “The reason behind the high numbers is WannaCry being wormable and thousands of systems still vulnerable to EternalBlue that are reachable over the public internet. Check Point observed the same trend starting in December 2020, with attacks continuing to increase well over 12,000 in March 2021. The figures show the importance of patching on time, else organizations remain vulnerable to attack vectors that should be mostly extinct.”

Title: A Highly Sophisticated Ransomware Attack Leaves 36,000 Students Without Email

Date Published: March 29, 2021

https://www.zdnet.com/article/a-highly-sophisticated-ransomware-attack-leaves-36000-students-without-email/

Excerpt: “Harris Federation has revealed that cyber criminals accessed IT systems and encrypted data with an undisclosed form of ransomware. In a statement, Harris Federation said the ransomware attack will have a “significant impact” and that as a precaution the email system has been disabled. The school phone services, which also run via the internet, have also been disabled, aside from some “very limited” switchboard services. Students who have been issued devices by the schools can’t currently use them as they’ve been disabled as a precaution.”

Title: MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed

Date Published: March 29, 2021

https://thehackernews.com/2021/03/mobikwik-suffers-major-breach-kyc-data.html

Excerpt: “Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month. Even worse, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them, in what’s likely a breach of government regulations.”

Title: China-Linked Redecho APT Took Down Part of Its C2 Domains

Date Published: March 29, 2021

https://securityaffairs.co/wordpress/116094/apt/redecho-apt-c2-shutdown.htm

Excerpt: “The attacks surged while relations between India and China have deteriorated significantly following border clashes in May 2020. Recorded Future tracked the APT group as “RedEcho” and pointed out that its operations have a significant overlap with the China-linked APT41/Barium actor. Experts noticed that at least 3 of the targeted Indian IP addresses were previously hit by APT41 in a November 2020 campaign aimed at Indian Oil and Gas sectors.”

Title: PHP Infiltrated with Backdoor Malware

Date Published: March 29, 2021

https://threatpost.com/php-infiltrated-backdoor-malware/165061/

Excerpt: “In March, for instance, researchers spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow (among others) inside the npm public code repository — all of which exfiltrated sensitive information. The packages weaponized a proof-of-concept (PoC) code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects. In January meanwhile, three malicious software packages were published to npm, masquerading as legitimate by using brandjacking. Any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.”

Title: Diffie-Hellman Man-in-the-Middle Attack

Date Published: March 29, 2021

https://wiremask.eu/articles/diffie-hellman-man-in-the-middle-attack

Excerpt: “The Diffie-Hellman protocol is a method for two users to generate a shared private secret with which they can then exchange information across a public channel. This protocol is mostly used to secure a variety of network services. A Diffie-Hellman key exchange by itself does not provide authentication of the communicating parties and is thus vulnerable to a man-in-the-middle attack. An attacker may establish two distinct key exchanges between the two parties, allowing it to decrypt, then re-encrypt the messages transmitted between them.”

Title: Fatface Pays Out $2 Million to Conti Ransomware Gang

Date Published: March 28, 2021

https://grahamcluley.com/fatface-pays-out-2-million-to-conti-ransomware-gang/

Excerpt: “However, in negotiations uncovered by Computer Weekly’s French sister publication LeMagIT, FatFace successfully managed to talk the ransom down after explaining revenues had tumbled due to high street stores being shut during the Coronavirus lockdown. A representative of the Conti gang told FatFace’s negotiator that the initial breach of the retailer was via a phishing attack on 10 January 2021. The attackers were able to use the initial compromise as a base for gaining admin rights and then spreading laterally through FatFace’s network.”
