OSN May 3, 2021

Fortify Security Team
May 3, 2021

Title: Python Also Impacted by Critical IP Address Validation Vulnerability
Date Published: May 1, 2021

https://www.bleepingcomputer.com/news/security/python-also-impacted-by-critical-ip-address-validation-vulnerability/

Excerpt: “The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the “netmask” library earlier this year. Improper input validation of octal strings in Python 3.8.0 through v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate [Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks] on many programs that rely on Python stdlib ipaddress. Ambiguous IPs could easily be slipped in and render the anti-bypass protections futile.”
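As an added example (not code from the article above, nor from CPython), the following Python shows why a leading-zero octet such as 010.8.8.8 is dangerous: a C-style parser (inet_aton and most OS resolvers) reads 010 as octal 8, while the vulnerable ipaddress read it as decimal 10, so an allowlist built on the stdlib could approve a string that the socket layer then connects elsewhere. The two small parsers mirror those two behaviours, a strict regex accepts only canonical dotted-decimal, and a probe of the installed ipaddress reports which side of the fix it is on. The probe strings and the 10.0.0.0/8 allowlist are constructed for the demo.

```python
"""Ambiguous IPv4 literals: leading-zero octets parsed as octal vs. decimal."""
import ipaddress
import re
from typing import Optional

# Canonical dotted-decimal: four octets 0-255, no leading zeros except a lone "0".
# This is the only shape a validator should accept before any other library sees it.
_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def parse_octal_aware(text: str) -> Optional[str]:
    """Parse the way C inet_aton() does: a leading 0 makes the octet octal.

    Returns the canonical address, or None when the string is not accepted.
    """
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()):
            return None
        base = 8 if len(part) > 1 and part[0] == "0" else 10
        try:
            value = int(part, base)  # int("08", 8) raises: "08" is not valid octal
        except ValueError:
            return None
        if value > 255:
            return None
        octets.append(value)
    return ".".join(map(str, octets))


def parse_decimal_lenient(text: str) -> Optional[str]:
    """Parse the way the vulnerable ipaddress did: leading zeros silently dropped."""
    parts = text.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not (part.isascii() and part.isdigit()) or int(part, 10) > 255:
            return None
        octets.append(int(part, 10))
    return ".".join(map(str, octets))


def is_ambiguous(text: str) -> bool:
    """True when the two parsers disagree about which host the string names."""
    return parse_octal_aware(text) != parse_decimal_lenient(text)


def is_strict_ipv4(text: str) -> bool:
    """Accept only canonical dotted-decimal; every ambiguous form is rejected."""
    return STRICT_IPV4.match(text) is not None


def stdlib_verdict(text: str) -> str:
    """What the installed ipaddress does with the string: the address, or 'rejected'."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return "rejected"


def allowlist_check(text: str, allowed: str) -> bool:
    """SSRF-style gate: canonical form first, then network membership.

    Validating the literal before handing it to ipaddress means the decision
    cannot depend on which stdlib version or C resolver parses it later.
    """
    if not is_strict_ipv4(text):
        return False
    return ipaddress.IPv4Address(text) in ipaddress.IPv4Network(allowed)


if __name__ == "__main__":
    # Constructed probe strings; 010.8.8.8 is the classic demonstration input.
    for probe in ("010.8.8.8", "08.8.8.8", "10.8.8.8"):
        print(f"{probe:<10} octal-aware={parse_octal_aware(probe)!s:<9} "
              f"decimal={parse_decimal_lenient(probe)!s:<9} "
              f"ambiguous={is_ambiguous(probe)!s:<5} stdlib={stdlib_verdict(probe):<9} "
              f"allowed(10.0.0.0/8)={allowlist_check(probe, '10.0.0.0/8')}")
```

On a patched interpreter stdlib_verdict("010.8.8.8") reports "rejected"; on an unpatched one in the affected range it returns 10.8.8.8, which is exactly the string an allowlist for 10.0.0.0/8 would wave through while the OS resolver connects to 8.8.8.8. The allowlist_check gate gives the same answer on both because it never lets a non-canonical literal reach ipaddress.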

Title: Mitre ATT&CK v9 Is Out and Includes ATT&CK for Containers
Date Published: May 3, 2021

https://www.helpnetsecurity.com/2021/05/03/attck-containers/

Excerpt: “The Mitre Corporation has released the ninth version of its ATT&CK knowledge base of adversary tactics and techniques, which now also includes a newly created ATT&CK matrix for containers. Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.”

Title: NSA Offers OT Security Guidance in Wake of SolarWinds Attack
Date Published: May 1, 2021

https://www.bankinfosecurity.com/nsa-offers-ot-security-guidance-in-wake-solarwinds-attack-a-16505

Excerpt: “In the warning, the NSA notes that a stand-alone, unconnected (“islanded”) OT system is safer from outside threats than one connected to an enterprise IT system with external connectivity. Each connection between an IT system and an isolated OT system increases the attack surface, so administrators should ensure only the most imperative IT-OT connections are allowed and that these are hardened to the greatest extent possible to prevent a possible attack.”

Title: New Variant of Buer Loader Written in Rust
Date Published: May 3, 2021

https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust

Excerpt: “Proofpoint analysts observed a series of malicious campaigns that delivered the Buer malware loader. The campaigns generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. While sharing similar email lure themes, the campaigns distributed two distinct variants of the Buer malware: one was written in C while the other was rewritten in the Rust programming language. Proofpoint dubbed this variant RustyBuer. The campaigns also used different lure techniques, with RustyBuer attachments containing more detailed content to better engage the recipient.”

Title: Experian API Exposed Credit Scores of Tens of Millions of Americans
Date Published: May 3, 2021

https://securityaffairs.co/wordpress/117460/data-breach/experian-api-data-leak.html

Excerpt: “The researcher discovered that the Experian API could be used without authentication; he also noticed that by providing a “date of birth” composed of all zeros it is possible to access a person’s credit score. He also developed a command-line tool to automate the lookups, which he named “Bill’s Cool Credit Score Lookup Utility.” The API also returns for each consumer up to four “risk factors,” which are sensitive information about his habits.”

Title: Spam and Phishing In Q1 2021
Date Published: May 3, 2021

https://securelist.com/spam-and-phishing-in-q1-2021/102018/

Excerpt: “Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services.”

Title: New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer
Date Published: May 3, 2021

https://thehackernews.com/2021/05/new-chinese-malware-targeted-russias.html

Excerpt: “The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor.” “PortDoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers said in a write-up on Friday.”

Title: Swiss Cloud Becomes the Latest Web Hosting Provider To Suffer a Ransomware Attack
Date Published: May 1, 2021

https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider-to-suffer-a-ransomware-attack/

Excerpt: “While the incident did not impact the company’s entire server infrastructure—spread among different data centers across Switzerland—the disruption has impacted server availability for more than 6,500 customers. One of the most high-profile customers impacted by Swiss Cloud’s outage is Sage, a company that provides payroll and HR software for German-speaking countries. However, while the company might be optimistic about the timeline of its recovery plan, similar ransomware attacks have also taken place at other cloud and web hosting providers over the past few years. In most cases, recovery efforts lasted weeks, not days.”

Title: Hunting on Sysmon events with Jupyter Notebooks (Part 2 – Process Execution)
Date Published: May 1, 2021

https://leo-m-falcon.medium.com/hunting-on-sysmon-events-with-jupyter-notebooks-part-2-eca9b8997e9

Excerpt: “Before we start hunting on Sysmon or any other log/data source, we need to understand well what the format of the data is and which fields are useful for us as hunters. Not all the fields in a log source are equally valuable for hunting; some are more relevant than others. For example, the PID field from process execution events is most commonly used during specific IT investigations.
On its website, Sysmon provides the following events that are important for understanding process execution in a Windows environment.”

Title: Ransomware Hackers Infect Thousands of Sonicwall VPN Implementations
Date Published: May 1, 2021

https://iics.medium.com/ransomware-hackers-infect-thousands-of-sonicwall-vpn-implementations-c270289f57ee

Excerpt: “About the hacking group, experts mention that UNC2447 monetizes intrusions by extorting its victims first with the FiveHands ransomware and then pressing through media attention threats and offering victim data for sale on hacking forums. Moreover, UNC2447 has been particularly active in Europe and the United States, showing its advanced capabilities to evade almost any detection mechanism and minimize the ability of researchers to obtain information from forensic analysis.”
