OSN May 3, 2021

Fortify Security Team
May 3, 2021

Title: Python Also Impacted by Critical IP Address Validation Vulnerability
Date Published: May 1, 2021


Excerpt: “The Python standard library ipaddress also suffers from the critical IP address validation vulnerability identical to the flaw that was reported in the “netmask” library earlier this year. Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate [Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks] on many programs that rely on Python stdlib ipaddress. Ambiguous IPs could easily be slipped in and render the anti-bypass protections futile.”
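An added defensive example, not code from the advisory or from CPython: it rejects dotted-quad literals with leading-zero octets before they reach the stdlib, so an SSRF allow-list check gives the same answer whatever the interpreter version does with octal-looking strings. The function names and sample inputs are assumptions constructed for this illustration.

```python
import ipaddress
import re

# Each octet is either "0" or starts with 1-9, so "010" and "0127" never
# reach the library, whichever way a given version would interpret them.
_STRICT_OCTET = r"(?:0|[1-9][0-9]{0,2})"
_STRICT_IPV4 = re.compile(rf"^{_STRICT_OCTET}(?:\.{_STRICT_OCTET}){{3}}$")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 literal, refusing octets with leading zeros.

    Affected stdlib versions read "010" as decimal 10, while inet_aton-style
    parsers read it as octal 8, so one string can name two different hosts.
    Rejecting the ambiguous spelling makes the result version-independent.
    """
    if not _STRICT_IPV4.match(text):
        raise ValueError(f"rejecting ambiguous or malformed IPv4 literal: {text!r}")
    # Octets are plain decimal now; ipaddress still enforces the 0-255 range.
    return ipaddress.IPv4Address(text)


def is_safe_public_target(text: str) -> bool:
    """Hypothetical SSRF guard: True only for an unambiguous, globally routable address."""
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return addr.is_global


# Constructed sample inputs: a normal loopback spelling, the leading-zero
# spellings the advisory warns about, and a plain public address.
if __name__ == "__main__":
    for sample in ("127.0.0.1", "0127.0.0.1", "010.8.8.8", "8.8.8.8"):
        print(sample, "->", is_safe_public_target(sample))
```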

Title: Mitre ATT&CK v9 Is Out and Includes ATT&CK for Containers
Date Published: May 3, 2021


Excerpt: “The Mitre Corporation has released the ninth version of its ATT&CK knowledge base of adversary tactics and techniques, which now also includes a newly created ATT&CK matrix for containers. Building the ATT&CK for Containers matrix is helpful in understanding the risks associated with containers, including misconfigurations that are often the initial vector for attacks, as well as the specific implementation of attack techniques in the wild. This knowledge informs approaches for detecting threats, and thus helps in providing comprehensive protections, as more and more organizations adopt containers and container orchestration technologies like Kubernetes.”

Title: NSA Offers OT Security Guidance in Wake of SolarWinds Attack
Date Published: May 1, 2021


Excerpt: “In the warning, the NSA notes that a stand-alone, unconnected (“islanded”) OT system is safer from outside threats than one connected to an enterprise IT system with external connectivity. Each connection between an IT system and an isolated OT system increases the attack surface, so administrators should ensure only the most imperative IT-OT connections are allowed and that these are hardened to the greatest extent possible to prevent a possible attack.”

Title: New Variant of Buer Loader Written in Rust
Date Published: May 3, 2021


Excerpt: “Proofpoint analysts observed a series of malicious campaigns that delivered the Buer malware loader. The campaigns generally used DHL-themed phishing emails to distribute malicious Word or Excel documents. While sharing similar email lure themes, the campaigns distributed two distinct variants of the Buer malware: one was written in C while the other was rewritten in the Rust programming language. Proofpoint dubbed this variant RustyBuer. The campaigns also used different lure techniques, with RustyBuer attachments containing more detailed content to better engage the recipient.”

Title: Experian API Exposed Credit Scores of Tens of Millions of Americans
Date Published: May 3, 2021


Excerpt: “The researcher discovered that the Experian API could be used without authentication; he also noticed that by providing a “date of birth” composed of all zeros it is possible to access a person’s credit score. He also developed a command-line tool to automate the lookups, which he named “Bill’s Cool Credit Score Lookup Utility.” The API also returns for each consumer up to four “risk factors,” which are sensitive information about his habits.”

Title: Spam and Phishing In Q1 2021
Date Published: May 3, 2021


Excerpt: “Since the end of last year, we have observed fraudulent emails and fake pages urging users to pay a small sum for certain services. The payment indicated in the fake email was often so tiny that the potential victim could ignore the risks. For example, in one of the emails below, the cybercriminals ask for just 1.99 rubles (US$0.027). The calculation was simple: users would be less averse to paying a small amount than a larger one, which means more potential victims willing to enter card details on the bogus site. To make the emails more convincing, they imitated commonly used services.”

Title: New Chinese Malware Targeted Russia’s Largest Nuclear Submarine Designer
Date Published: May 3, 2021


Excerpt: “The phishing attack, which singled out a general director working at the Rubin Design Bureau, leveraged the infamous “Royal Road” Rich Text Format (RTF) weaponizer to deliver a previously undocumented Windows backdoor dubbed “PortDoor.” PortDoor has multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, AES-encrypted data exfiltration and more,” the researchers said in a write-up on Friday.”

Title: Swiss Cloud Becomes the Latest Web Hosting Provider To Suffer a Ransomware Attack
Date Published: May 1, 2021


Excerpt: “While the incident did not impact the company’s entire server infrastructure—spread among different data centers across Switzerland—the disruption has impacted server availability for more than 6,500 customers. One of the most high-profile customers impacted by Swiss Cloud’s outage is Sage, a company that provides payroll and HR software for German-speaking countries. However, while the company might be optimistic about the timeline of its recovery plan, similar ransomware attacks have also taken place at other cloud and web hosting providers over the past few years. In most cases, recovery efforts lasted weeks, not days.”

Title: Hunting on Sysmon events with Jupyter Notebooks (Part 2 – Process Execution)
Date Published: May 1, 2021


Excerpt: “Before we start hunting on Sysmon or any other log/data source, we need to understand well what the format of the data is and which fields are useful for us as hunters. Not all the fields in a log source are equally valuable for hunting; some are more relevant than others. For example, the PID field from process execution events is most commonly used during specific IT investigations.
On its website, Sysmon provides the following events that are important for understanding process execution in a Windows environment.”

Title: Ransomware Hackers Infect Thousands of Sonicwall VPN Implementations
Date Published: May 1, 2021


Excerpt: “About the hacking group, experts mention that UNC2447 monetizes intrusions by extorting its victims first with the FiveHands ransomware and then pressing through media attention threats and offering victim data for sale on hacking forums. Moreover, UNC2447 has been particularly active in Europe and the United States, showing its advanced capabilities to evade almost any detection mechanism and minimize the ability of researchers to obtain information from forensic analysis.”
