OSN April 9, 2021

Fortify Security Team
Apr 9, 2021

Title: CISA Releases Post-Compromise Tool Aviary to Review Microsoft 365

Date Published: April 9, 2021


Excerpt: “Sparrow checks and installs the required PowerShell modules on the machine to analyze, then checks the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool outputs the data into multiple CSV files that are located in the user’s default home directory in a folder called ‘ExportDir’ (ie: Desktop/ExportDir).”

Title: 600,000 Stolen Credit Cards Leaked Following the Swarm Shop Hack

Date Published: April 9, 2021


Excerpt: “A database that contains nicknames, hashed passwords, contact details, and activity history of Swarmshop admins, sellers, and buyers was leaked exposing more than 600,000 payment card numbers and nearly 70,000 sets of US Social Security numbers and Canadian Social Insurance numbers, according to Group-IB researchers.”

Title: Google Chrome Blocks Port 10080 to Stop NAT Slipstreaming Attacks

Date Published: April 8, 2021


Excerpt: “Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks. Last year, security researcher Samy Kamkar disclosed a new version of the NAT Slipstreaming vulnerability that allows scripts on malicious websites to bypass visitors’ NAT firewall and gain access to any TCP/UDP port on the visitor’s internal network. Using these vulnerabilities, threat actors can perform a wide range of attacks, including modifying router configurations and gaining access to private network services.”

Title: Zero-Day Bug Impacts Problem-Plagued Cisco SOHO Routers

Date Published: April 8, 2021


Excerpt: “Cisco Systems said it will not fix a critical vulnerability found in three of its SOHO router models. The bug, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment and gain elevated privileges within effected systems. The three Cisco router models (RV110W, RV130, and RV215W) and one VPN firewall device (RV130W) are of varying age and have reached “end of life” and will not be patched, according to Cisco.”

Title: Zoom Joins Microsoft Teams on List of Enterprise Tools Hacked at Pwn2Own

Date Published: April 8, 2021


Excerpt: “The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.”

Title: Cring Ransomware Used in Attacks on European Industrial Firms

Date Published: April 8, 2021


Excerpt: “Attackers exploited CVE-2018-13379, a vulnerability in Fortigate SSL VPN servers, to gain access to the victim’s networks, researchers report. The unpatched servers were exposed to the Internet. This vulnerability was publicized in 2019 but not all devices were updated. Offers to sell a ready-made list containing IP addresses of Internet-facing vulnerable devices began to appear on Dark Web forums in autumn 2020, according to a report from Kaspersky.”

Title: Researchers Uncover a New Iranian Malware Used In Recent Cyberattacks


Date Published: April 8, 2021

Excerpt: “APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East. The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages. Although the latest campaign bears some of the same hallmarks, the exact mode of delivery remains unclear as yet.”

Title: McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware

Date Published: April 7, 2021


Excerpt: “In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before it was encrypted. In similar attacks we have observed the use of a Cobalt Strike payload, although we have not found clear evidence of a relationship with Cuba ransomware. ”

Title: Moodle Flaw Exposed Users to Account Takeover

Date Published: April 8, 2021


Excerpt: “This attack starts like the previous ones, but this time a much smaller input is being sent to the website. When the administrator visits the forum post, they do not suspect anything wrong is happening. However, they’ve visited the malicious website in the background, where they unwillingly downloaded and ran the script they found on this website. That gave the hacker control over the server, and allowed them to view the credentials Moodle uses to connect to the database, which contains all the data the website stores.”

Title: Belden Says Health Benefits Data Stolen in 2020 Cyberattack

Date Published: April 8, 2021


Excerpt: “The company says they do not believe that stolen data included any information related to health conditions or diagnoses in the accessed data. Belden has started sending notifications to those impacted by this latest disclosure, which contains free identity monitoring for the victims. The nature of Belden’s 2020 cyberattack has never been disclosed but was likely a ransomware attack. During ransomware attacks, threat actors commonly steal unencrypted files before encrypting devices on the network. The attackers then warn the victim that they will publish the stolen data on data leak sites if a ransom is not paid.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...