OSN April 9, 2021

Fortify Security Team
Apr 9, 2021

Title: CISA Releases Post-Compromise Tool Aviary to Review Microsoft 365

Date Published: April 9, 2021


Excerpt: “Sparrow checks and installs the required PowerShell modules on the machine to analyze, then checks the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), lists Azure AD domains, and checks Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool outputs the data into multiple CSV files that are located in the user’s default home directory in a folder called ‘ExportDir’ (ie: Desktop/ExportDir).”

Title: 600,000 Stolen Credit Cards Leaked Following the Swarm Shop Hack

Date Published: April 9, 2021


Excerpt: “A database that contains nicknames, hashed passwords, contact details, and activity history of Swarmshop admins, sellers, and buyers was leaked exposing more than 600,000 payment card numbers and nearly 70,000 sets of US Social Security numbers and Canadian Social Insurance numbers, according to Group-IB researchers.”

Title: Google Chrome Blocks Port 10080 to Stop NAT Slipstreaming Attacks

Date Published: April 8, 2021


Excerpt: “Google Chrome is now blocking HTTP, HTTPS, and FTP access to TCP port 10080 to prevent the ports from being abused in NAT Slipstreaming 2.0 attacks. Last year, security researcher Samy Kamkar disclosed a new version of the NAT Slipstreaming vulnerability that allows scripts on malicious websites to bypass visitors’ NAT firewall and gain access to any TCP/UDP port on the visitor’s internal network. Using these vulnerabilities, threat actors can perform a wide range of attacks, including modifying router configurations and gaining access to private network services.”

Title: Zero-Day Bug Impacts Problem-Plagued Cisco SOHO Routers

Date Published: April 8, 2021


Excerpt: “Cisco Systems said it will not fix a critical vulnerability found in three of its SOHO router models. The bug, rated 9.8 in severity out of 10, could allow unauthenticated remote users to hijack targeted equipment and gain elevated privileges within affected systems. The three Cisco router models (RV110W, RV130, and RV215W) and one VPN firewall device (RV130W) are of varying age and have reached “end of life” and will not be patched, according to Cisco.”

Title: Zoom Joins Microsoft Teams on List of Enterprise Tools Hacked at Pwn2Own

Date Published: April 8, 2021


Excerpt: “The exploit came barely a day after another researcher at Pwn2Own demonstrated code execution on Microsoft Teams, which, like Zoom, has seen a surge in use since the global COVID-19 pandemic forced an increase in remote work at many organizations. The two exploits — and several others against Microsoft Exchange Server, Windows 10, and other technologies — have served as a further reminder of just how vulnerable some core enterprise software and communication products are to modern attacks.”

Title: Cring Ransomware Used in Attacks on European Industrial Firms

Date Published: April 8, 2021


Excerpt: “Attackers exploited CVE-2018-13379, a vulnerability in Fortigate SSL VPN servers, to gain access to the victim’s networks, researchers report. The unpatched servers were exposed to the Internet. This vulnerability was publicized in 2019 but not all devices were updated. Offers to sell a ready-made list containing IP addresses of Internet-facing vulnerable devices began to appear on Dark Web forums in autumn 2020, according to a report from Kaspersky.”

Title: Researchers Uncover a New Iranian Malware Used In Recent Cyberattacks

Date Published: April 8, 2021


Excerpt: “APT34 (aka OilRig) is known for its reconnaissance campaigns aligned with the strategic interests of Iran, primarily hitting financial, government, energy, chemical, and telecommunications industries in the Middle East. The group typically resorts to targeting individuals through the use of booby-trapped job offer documents, delivered directly to the victims via LinkedIn messages. Although the latest campaign bears some of the same hallmarks, the exact mode of delivery remains unclear as yet.”

Title: McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware

Date Published: April 7, 2021


Excerpt: “In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before it was encrypted. In similar attacks we have observed the use of a Cobalt Strike payload, although we have not found clear evidence of a relationship with Cuba ransomware.”

Title: Moodle Flaw Exposed Users to Account Takeover

Date Published: April 8, 2021


Excerpt: “This attack starts like the previous ones, but this time a much smaller input is being sent to the website. When the administrator visits the forum post, they do not suspect anything wrong is happening. However, they’ve visited the malicious website in the background, where they unwillingly downloaded and ran the script they found on this website. That gave the hacker control over the server, and allowed them to view the credentials Moodle uses to connect to the database, which contains all the data the website stores.”

Title: Belden Says Health Benefits Data Stolen in 2020 Cyberattack

Date Published: April 8, 2021


Excerpt: “The company says they do not believe that stolen data included any information related to health conditions or diagnoses in the accessed data. Belden has started sending notifications to those impacted by this latest disclosure, which contains free identity monitoring for the victims. The nature of Belden’s 2020 cyberattack has never been disclosed but was likely a ransomware attack. During ransomware attacks, threat actors commonly steal unencrypted files before encrypting devices on the network. The attackers then warn the victim that they will publish the stolen data on data leak sites if a ransom is not paid.”
