OSN April 5, 2021

Apr 5, 2021 | Open Source News

Title: Duke APT Group’s Latest Tools: Cloud Services and Linux Support
Date Published: April 5, 2021

https://www.f-secure.com/weblog/archives/00002822.html

Excerpt: “Recent weeks have seen the outing of two new additions to the Duke group’s toolset, SeaDuke and CloudDuke. Of these, SeaDuke is a simple trojan made interesting by the fact that it’s written in Python. And even more curiously, SeaDuke, with its built-in support for both Windows and Linux, is the first cross-platform malware we have observed from the Duke group. While SeaDuke is a single – albeit cross-platform – trojan, CloudDuke appears to be an entire toolset of malware components, or “solutions” as the Duke group apparently calls them.”

Title: FBI: APTs Actively Exploiting Fortinet VPN Security Holes
Date Published: April 5, 2021

https://threatpost.com/fbi-apts-actively-exploiting-fortinet-vpn-security-holes/165213/

Excerpt: “The FBI and the Cybersecurity and Infrastructure Security Agency are warning that advanced persistent threat (APT) nation-state actors are actively exploiting known security vulnerabilities in the Fortinet FortiOS cybersecurity operating system, affecting the company’s SSL VPN products. According to an alert issued Friday by the FBI and CISA, cyberattackers are scanning devices on ports 4443, 8443 and 10443, looking for unpatched Fortinet security implementations. Specifically, APTs are exploiting CVE-2018-13379, CVE-2019-5591 and CVE-2020-12812.”

Title: VMWare vRealize SSRF Arbitrary File Write Vulnerability Alert
Date Published: April 5, 2021

https://haxf4rall.com/2021/03/31/vmware-vrealize-ssrf-arbitrary-file-write-vulnerability-alert/

Excerpt: “On March 30, 2021, VMWare had issued a risk notice of VMSA-2021-0004 to alert two vulnerabilities on VMWare vRealize. The vulnerability number is CVE-2021-21975, CVE-2021-21983. It is worth noting that these two vulnerabilities can cooperate with each other to realize remote code execution without authentication.”

Title: Attackers Disclose Personal Data of Students in Massive Cyberattack
Date Published: April 5, 2021

https://heimdalsecurity.com/blog/attackers-disclose-data-of-students-in-cyberattack/

Excerpt: “In February, FireEye security specialists associated a series of cyberattacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11, but despite that, no systems were encrypted nor networks compromised. They also issued a joint security advisory about ongoing attacks and extortion attempts targeting organizations that use vulnerable Accellion File Transfer Appliance (FTA) versions.”

Title: Malware Attack on Applus Blocked Vehicle Inspections in Some US States
Date Published: April 4, 2021

https://securityaffairs.co/wordpress/116338/malware/malware-attack-on-applus.html

Excerpt: “Applus Technologies is a worldwide leader in the testing, inspection and certification sector, the company was recently hit by a malware cyberattack that impacted vehicle inspections in eight states, including Connecticut, Georgia, Idaho, Illinois, Massachusetts, Utah, and Wisconsin. The attack took place on March 30th, in response to the infection the company was forced to disconnect its IT systems from the Internet to prevent the malware from spreading. The company did not reveal the type of malware that infected its systems, but experts speculate the involvement of a ransomware attack.”

Title: Clop Ransomware Operators Plunder US Universities
Date Published: April 4, 2021

https://securityaffairs.co/wordpress/116325/uncategorized/clop-ransomware-us-universities.html

Excerpt: “Clop ransomware operators have leaked the personal and financial information stolen from Stanford Medicine, University of Maryland Baltimore (UMB), and the University of California. Data was stolen by the ransomware gang by compromising the Accellion File Transfer Appliance (FTA) application used by the universities to share information. Recently multiple universities were hit by CLOP operators, experts speculate all the attacks are linked to Accellion security breach.”

Title: Capital One Discovered More Customers’ SSN’s Exposed in 2019 Hack
Date Published: April 3, 2021

https://securityaffairs.co/wordpress/116309/data-breach/capital-one-ssns.html

Excerpt: “US bank Capital One notified a number of additional customers that their Social Security numbers were exposed in the data breach that took place in July 2019. A hacker that was going online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.”

Title: Activision Warns of Call of Duty Cheat Tool Used to Deliver RAT
Date Published: April 3, 2021

https://securityaffairs.co/wordpress/116301/malware/activision-call-of-duty-cheat-tool.html

Excerpt: “Activision, the company behind Call of Duty: Warzone and Guitar Hero series, is warning gamers that a threat actor is advertising cheat tools that deliver a remote-access trojan (RAT). The company reported that in March of 2020 a threat actor posted on multiple hacking forums advertising a free, “newbie friendly” and effective method for spreading a RAT by tricking victims to disable their protections to install a video game cheat.”

Title: Evolution and Rise of the Avaddon Ransomware-as-a-Service
Date Published: April 3, 2021

https://securityaffairs.co/wordpress/116282/cyber-crime/avaddon-ransomware-evolution.html

Excerpt: “The Avaddon ransomware family first appeared in the threat landscape in February 2020, and its authors started offering it with a Ransomware-as-a-Service (RaaS) model in June, 2020. In August 2020, cybersecurity intelligence firm Kela was the first to report that the Avaddon ransomware operators announced on a Russian-speaking hacker forum their new data leak site.”

Title: Hackers Set Up a Fake Cybersecurity Firm to Target Security Experts
Date Published: March 31, 2021

https://thehackernews.com/2021/03/hackers-set-up-fake-cybersecurity-firm.html

Excerpt: “In an update shared on Wednesday, Google’s Threat Analysis Group said the attackers behind the operation set up a fake security company called SecuriElite and a slew of social media accounts across Twitter and LinkedIn in an attempt to trick unsuspecting researchers into visiting the company’s booby-trapped website “where a browser exploit was waiting to be triggered.””