OSN May 3, 2021

Fortify Security Team
May 3, 2021

Title: Python Also Impacted by Critical IP Address Validation Vulnerability
Date Published: May 1, 2021


Excerpt: “The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the “netmask” library earlier this year. Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate [Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks] on many programs that rely on Python stdlib ipaddress. Ambiguous IPs could easily be slipped in and render the anti-bypass protections futile.”

Title: Mitre ATT&CK v9 Is Out and Includes ATT&CK for Containers
Date Published: May 3, 2021


Excerpt: “The Mitre Corporation has released the ninth version of its ATT&CK knowledge base of adversary tactics and techniques, which now also includes a newly created ATT&CK matrix for containers. Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.”

Title: NSA Offers OT Security Guidance in Wake of SolarWinds Attack
Date Published: May 1, 2021


Excerpt: “In the warning, the NSA notes that a stand-alone, unconnected (“islanded”) OT system is safer from outside threats than one connected to an enterprise IT system with external connectivity. Each connection between an IT system and an isolated OT system increases the attack surface, so administrators should ensure only the most imperative IT-OT connections are allowed and that these are hardened to the greatest extent possible to prevent a possible attack.”

Title: New Variant of Buer Loader Written in Rust
Date Published: May 3, 2021


Excerpt: “Proofpoint analysts observed a series of malicious campaigns that delivered the Buer malware loader. The campaigns generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. While sharing similar email lure themes, the campaigns distributed two distinct variants of the Buer malware: one was written in C while the other was rewritten in the Rust programming language. Proofpoint dubbed this variant RustyBuer. The campaigns also used different lure techniques, with RustyBuer attachments containing more detailed content to better engage the recipient.”

Title: Experian API Exposed Credit Scores of Tens of Millions of Americans
Date Published: May 3, 2021


Excerpt: “The researchers discovered that the Experian API could be used without authentication. He also noticed that by providing a “date of birth” composed of all zeros it is possible to access a person’s credit score. He also developed a command-line tool to automate the lookups, which he named “Bill’s Cool Credit Score Lookup Utility.” The API also returns for each consumer up to four “risk factors,” which are sensitive information about his habits.”

Title: Spam and Phishing In Q1 2021
Date Published: May 3, 2021


Excerpt: “Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services.”

Title: New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer
Date Published: May 3, 2021


Excerpt: “The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor.” “PortDoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers said in a write-up on Friday.”

Title: Swiss Cloud Becomes the Latest Web Hosting Provider To Suffer a Ransomware Attack
Date Published: May 1, 2021


Excerpt: “While the incident did not impact the company’s entire server infrastructure—spread among different data centers across Switzerland—the disruption has impacted server availability for more than 6,500 customers. One of the most high-profile customers impacted by Swiss Cloud’s outage is Sage, a company that provides payroll and HR software for German-speaking countries. However, while the company might be optimistic about the timeline of its recovery plan, similar ransomware attacks have also taken place at other cloud and web hosting providers over the past few years. In most cases, recovery efforts lasted weeks, not days.”

Title: Hunting on Sysmon events with Jupyter Notebooks (Part 2 – Process Execution)
Date Published: May 1, 2021


Excerpt: “Before we start hunting on Sysmon or any other log/data source, we need to understand well what the format of the data is and which fields are useful for us as hunters. Not all the fields in a log source are equally valuable for hunting; some are more relevant than others. For example, the PID field from process execution events is most commonly used during specific IT investigations.
On its website, Sysmon provides the following events that are important for understanding process execution in a Windows environment.”

Title: Ransomware Hackers Infect Thousands of Sonicwall VPN Implementations
Date Published: May 1, 2021


Excerpt: “About the hacking group, experts mention that UNC2447 monetizes intrusions by extorting its victims first with the FiveHands ransomware and then pressing through media attention threats and offering victim data for sale on hacking forums. Moreover, UNC2447 has been particularly active in Europe and the United States, showing its advanced capabilities to evade almost any detection mechanism and minimize the ability of researchers to obtain information from forensic analysis.”
