OSN April 28, 2021

Fortify Security Team
Apr 28, 2021

Title: Cyberspies Target Military Organizations with New Nebulae Backdoor
Date Published:  April 28, 2021


Excerpt: “A Chinese-speaking threat actor has deployed a new backdoor in multiple cyber-espionage operations spanning roughly two years and targeting military organizations from Southeast Asia. The hacking group known as Naikon has actively spied on organizations in countries around the South China Sea, including the Philippines, Malaysia, Indonesia, Singapore, and Thailand, for at least a decade, since 2010. Naikon is likely a state-sponsored threat actor tied to China, mostly known for focusing its efforts on high-profile orgs, including government entities and military orgs.”

Title: FBI Shares 4 Million Email Addresses Used by Emotet with Have I Been Pwned
Date Published:  April 27, 2021


Excerpt: “Millions of email addresses collected by the Emotet botnet for malware distribution campaigns have been shared by the Federal Bureau of Investigation (FBI) as part of the agency’s effort to clean infected computers. Individuals and domain owners can now learn if Emotet impacted their accounts by searching the database with email addresses stolen by the malware. Apart from computer systems, Emotet also compromised a large number of email addresses and used them for its operations. The FBI now wants to give the owners of these email addresses a quick way to check if they’ve been affected by Emotet.”

Title: Only 8% of Businesses That Paid a Ransom Got All of Their Data Back
Date Published:  April 28, 2021


Excerpt: “The average total cost of recovery from a ransomware attack has more than doubled in a year, increasing from $761,106 in 2020 to $1.85 million in 2021, a Sophos survey reveals. The average ransom paid is $170,404. The global findings also show that only 8% of organizations manage to get back all of their data after paying a ransom, with 29% getting back no more than half of their data. The survey polled 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa.”

Title: Cloud Misconfiguration, A Major Risk for Cloud Security
Date Published:  April 28, 2021


Excerpt: “Fugue’s new State of Cloud Security 2020 report reveals that misconfigured cloud-based databases continue to pose a severe security risk to organizations. Cloud misconfiguration remains the top cause of data breaches in the cloud, and the ongoing COVID-19 pandemic is exacerbating the situation. Almost any organization believes that the transition to cloud infrastructure has created new security vulnerabilities, 84% are concerned they’ve been compromised and don’t know it, while 28% have already been hacked and are aware of the attack. Unfortunately, even if the awareness of the security risk has increased, companies are not able to avoid exposing their cloud servers online due to a misconfiguration or a security breach.”

Title: UK Rail Network Merseyrail Hit by Ransomware Gang
Date Published:  April 28, 2021


Excerpt: “UK rail network Merseyrail, which operates rail services across Merseyside, announced it was a victim of a cyber attack. A ransomware gang has also compromised the email system of the organization to inform employees and journalists about the attack. The same email was sent to several UK newspapers, and to the Merseyrail employees, likely to put pressure on the organization to pay the ransom. It seems that the Lockbit Ransomware gang managed to compromise the Director’s @merseyrail.org Office 365 email account to inform the employees of the incident that was downplayed by the internal staff. The message includes a link to an image showing an employee’s personal information as proof of the attack.”

Title: Google Addresses a High Severity Flaw in V8 Engine in Chrome
Date Published:  April 28, 2021


Excerpt: “Google has released security updates for Chrome 90 that address a new high severity vulnerability, tracked as CVE-2021-21227, that resides in the V8 JavaScript engine used by the web browser. The CVE-2021-21227 vulnerability is an insufficient data validation issue that could be exploited by remote attackers to achieve code execution within the target’s browser. The vulnerability was reported to Google by Gengming Liu from the Chinese cybersecurity firm Singular Security Lab, who also received a $15,000 award for this vulnerability. The vulnerability could not be exploited by attackers to escape the Chrome sandbox, but chaining it with a sandbox escape exploit could allow the execution of malicious code on the underlying OS. The CVE-2021-21227 flaw is linked to the CVE-2020-16040 and CVE-2020-15965 vulnerabilities that were addressed by Google in Chrome in December and September 2020, respectively.”

Title: Linux Kernel Vulnerability Exposes Stack Memory, Causes Data Leaks
Date Published:  April 28, 2021


Excerpt: “An information disclosure vulnerability in the Linux kernel can be exploited to leak data and act as a springboard for further compromise. Disclosed by Cisco Talos researchers on Tuesday, the bug is described as an information disclosure vulnerability ‘that could allow an attacker to view Kernel stack memory.’ The kernel is a key component of the open source Linux operating system. The vulnerability, tracked as CVE-2020-28588, was found in the proc/pid/syscall functionality of 32-bit ARM devices running the OS.”

Title: How Hackers Use Cloud Services to Make Cybercrime More Profitable
Date Published:  April 28, 2021


Excerpt: “Cloud services can optimize resources, save time, increase automation, and take some of the security responsibility off of an organization’s plate. Considering its extensive value proposition, it’s no surprise that today’s advanced cyber-criminals are also using cloud technology to improve and scale their own operations. Stolen credentials lead to compromised businesses, and the cloud is making that process more effective than ever. The traditional flow of cybercrime via credential theft involves compromising victims and deploying info-stealing malware to harvest account data. Due to password reuse, any compromised personal account can put a number of enterprises at risk, including employers.”

Title: The Risk of Collaboration Apps
Date Published:  April 28, 2021


Excerpt: “Thanks to the growing availability of vaccines and the efficiency of the immunization rollout in multiple countries, the world is starting to see a light at the end of the COVID-19 tunnel. However, cyber-criminals continue to capitalize on the pandemic, constantly modifying their tactics to adapt to the new distributed workplace. At the beginning of the COVID-19 crisis, it was clear that the rapid adoption of cloud and collaboration platforms gave new opportunities to malicious actors. Cyber-criminals immediately started to exploit cloud storage to distribute malware and phishing pages, and collaboration platforms for themed phishing campaigns. One year on and this trend continues unabated, fueled by the growing adoption of cloud services and the increasing use of personal applications on corporate-managed devices. The findings in the Netskope February 2021 Cloud and Threat Report clearly back up this trend.”

Title: Attacks Targeting ADFS Token Signing Certificates Could Become Next Big Threat
Date Published:  April 28, 2021


Excerpt: “Conventional access control and detection mechanisms alone are no longer sufficient to protect enterprise Active Directory Federation Services (ADFS) environments against targeted attacks. With organizations increasingly adopting cloud services, threat actors have begun focusing on ADFS as an avenue to gain and maintain long-term access on Microsoft 365 and other cloud-based services environments, according to a new FireEye Mandiant report, out Tuesday.”
