OSN May 17, 2021

Fortify Security Team
May 17, 2021

Title: AHK RAT Loader Used in Unique Delivery Campaigns
Date Published: May 17, 2021


Excerpt: “The RAT delivery campaign starts from an AutoHotKey (AHK) compiled script. This is a standalone executable that contains the following: the AHK interpreter, the AHK script, and any files it has incorporated via the FileInstall command. In this campaign, the attackers incorporate malicious scripts/executables alongside a legitimate application to disguise their intentions. We observed various RATs distributed via a simple AHK compiled script. We also identified several attack chains linked to this campaign, all of which start with an AHK executable that leads to the different VBScripts that eventually load the RAT.”

Title: Toshiba Unit Hacked by Darkside, Conglomerate to Undergo Strategic Review
Date Published: May 17, 2021


Excerpt: “Employees accessing company computer systems from home during pandemic lockdowns have made firms more vulnerable to cyber attacks, he added. Screenshots of DarkSide’s post provided by the cybersecurity firm said more than 740 gigabytes of information was compromised and included passports and other personal information. Reuters could not access DarkSide’s public-facing website on Friday. Security researchers said DarkSide’s multiple websites had stopped being accessible.”

Title: DarkSide Ransomware Group Faces XSS Ban, Servers Seized
Date Published: May 14, 2021


Excerpt: “According to the administrator of XSS, the decision is partially based on ideological differences between the forum and ransomware operators. Furthermore, the media attention from high-profile incidents has resulted in a “critical mass of nonsense, hype, and noise.” The XSS statement offers some reasons for its decision, particularly that ransomware collectives and their accompanying attacks are generating “too much PR” and heightening the geopolitical and law enforcement risks to a “hazard[ous] level.””

Title: Insurer Axa Hit by Ransomware After Dropping Support for Ransom Payments
Date Published: May 16, 2021


Excerpt: “The Avaddon ransomware gang first announced in January 2021 that they will launch DDoS attacks to take down victims’ sites or networks until they reach out and begin negotiating to pay the ransom. BleepingComputer first reported about this new trend in October 2020, when ransomware groups began using DDoS attacks against their victims as an additional leverage point. Avaddon’s announcement of the attack on AXA’s systems comes roughly a week after AXA had stated that their cyber-insurance policies written in France would no longer include reimbursement for ransomware extortion payouts.”

Title: Two Flaws Could Allow Bypassing AMD SEV Protection System
Date Published: May 17, 2021


Excerpt: “The first flaw, tracked as CVE-2020-12967, is caused by the lack of nested page table protection in the AMD SEV/SEV-ES feature which could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor. The second vulnerability, tracked as CVE-2021-26311, resides in the AMD SEV/SEV-ES feature. Memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.”

Title: Vulnerability in Popular Browsers Could Be Used to Track, Profile Users Online
Date Published: May 17, 2021


Excerpt: “The information gathered from these requests can be used to create a permanent unique identifier that can link browsing identities together. The scheme flood vulnerability allows for targeted advertisement and user profiling without user consent. The list of installed applications on your device can reveal a lot about your occupation, habits, and age. For example, if a Python IDE or a PostgreSQL server is installed on your computer, you are very likely to be a backend developer.”

Title: Literature Lover Targeting Colombia With LimeRAT
Date Published: May 17, 2021


Excerpt: “In the middle of the current brouhaha in Colombia, besides the intense hacktivism activity, some actors might be trying to take their move. Several campaigns aimed at Colombia have been detected, but today we will talk about one with a couple of interesting details in their kill chain. This actor is starting the infection via email with very generic topics such as subpoenas or bank payments, with a crafted HTML view where the icon pretending to be an attachment is in fact an image with a link to download a compressed file from OneDrive.”

Title: Ireland’s Health Services Hit With $20 Million Ransomware Demand
Date Published: May 15, 2021


Excerpt: “The HSE Is Refusing To Pay a $20 Million Ransom Demand To the Conti Ransomware Gang. The IT outage led to a massive disruption in the country’s healthcare, therefore causing limited access to diagnostics and medical records as well as transcription errors due to handwritten notes, and slow response times to healthcare visits. Yesterday, a cybersecurity researcher shared a screenshot of a chat between Conti and Ireland’s HSE with BleepingComputer. In the screenshot, the Conti gang claims to have had access to the HSE network for two weeks. During this time, they claim to have stolen 700 GB of unencrypted files from the HSE, including patient info and employee info, contracts, financial statements, payroll, and more.”

Title: ‘Cryptographic Attestation of Personhood’ Could End Captchas Forever
Date Published: May 17, 2021


Excerpt: “Cloudflare says that universal 2-factor authentication on certain websites would be a better system. It’s still cumbersome, but it’s better than hunting for hidden motorcycles in pictures of traffic. “The short version is that your device has an embedded secure module containing a unique secret sealed by your manufacturer. The security module is capable of proving it owns such a secret without revealing it. Cloudflare asks you for proof and checks that your manufacturer is legitimate.””

Title: Herff Jones Credit Card Breach Impacts College Students Across the U.S.
Date Published: May 16, 2021


Excerpt: “The complaints continued through this week, alerting others to check their card statements for illegal charges. The issue is affecting students across the U.S. at universities in Indiana (Purdue, IU), Boston, Maryland (Towson University), Houston (UH, UHD), Illinois, Delaware, Michigan, Wisconsin, Pennsylvania (Lehigh, Misericordia), New York (Cornell), Arizona, North Carolina (Wake Forest), Florida (State University), California (Sonoma State). Apart from delivery delays, the students complained of fraudulent charges varying from tens of U.S. dollars to thousands. While most reports mention losses between $80 and $1,200, one student stated that a friend of theirs was charged $4,000.”
