OSN May 27, 2021

Fortify Security Team
May 27, 2021

Title: Microsoft Warns of the StrRAT Malware Campaign Targeting Windows Systems
Date Published: May 27, 2021


Excerpt: “The files can be opened as usual if the extension is removed. The malware authors are attackers who use spam mails with enticing subjects such as outgoing payments, new order, and confirmation of payments to lure the recipients into opening malicious Portable Document Format that claims to be payments. Still, in reality, they connect to a rogue domain to download the strRAT malware. The malware permits the installation of RDPWrap, an open source tool that enhances remote desktop Host support on Windows.”

Title: Chinese Phishing Attack Targets High-Profile Uyghurs
Date Published: May 27, 2021


Excerpt: “These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community. The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”

Title: TSA Cyber Requirements Would Fine Pipeline Operators for Lax Security Practices
Date Published: May 27, 2021


Excerpt: “The new directive also requires pipeline operators to designate an executive to be available at all hours of the day to coordinate with DHS officials in the event of a cybersecurity incident, the officials said. The regulations also give pipeline operators 30 days to assess whether their security practices meet federal guidance and to identify weak points that need addressing.”

Title: Nearly 50,000 IPs Compromised in Kubernetes Clusters by TeamTNT
Date Published: May 26, 2021


Excerpt: “We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May.” reads the analysis published by Trend Micro. “Most of the compromised nodes were from China and the US identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers).”

Title: Google Discovers New Rowhammer Attack Technique
Date Published: May 26, 2021


Excerpt: “Rowhammer, first reported in 2014, is a vulnerability through which repeated access to one address can allow an attacker to compromise data stored at other addresses. When one DRAM row is accessed repeatedly (the “aggressor”), “bit flips” were found in the adjacent two rows (the “victims”). As “hammered” cells changed value, it caused data to change in adjacent rows.”

Title: Microsoft Releases First Windows 10 Package Manager Stable Version
Date Published: May 26, 2021


Excerpt: “Microsoft has released the first stable version of the native Winget Windows 10 package manager that helps you manage applications directly from the command line. Just as other package managers available on other platforms, Winget allows you to automate app management by enabling you to install, configure, upgrade, and remove Windows applications. Microsoft first announced the first preview version of its Windows 10 package manager at Microsoft Build 2020 and has developed it as an open-source project on GitHub since then.”

Title: Russian Admin of Cybercrime Marketplace Deer.Io Jailed in U.S.
Date Published: May 26, 2021


Excerpt: “According to the FBI, Deer.io was operating since 2013. It hosted more than 24,000 online stores and offered its services on a subscription basis throughout its operating time. The site’s subscription was approx. $12 per month. The DoJ revealed that it catered to 3,000 active stores, and sales exceeded $17 million. According to the FBI’s complaint, Deer.io claimed that it hosted legitimate businesses and users didn’t need any special access privileges. However, as per the bureau’s investigation, most of its sales were made by cybercriminals.”

Title: Know Your Enemy: Exploiting the Dell BIOS Driver Vulnerability to Defend Against It
Date Published: May 26, 2021


Excerpt: “Looking at the recently published vulnerability in Dell’s firmware update driver (CVE-2021-21551) reported by CrowdStrike’s Yarden Shafir and Satoshi Tanda, it’s worth understanding that adversaries have more than one way of weaponizing it to achieve the same result: obtaining full control of the victim’s machine. For example, while CVE-2021-21551 can be exploited to overwrite a process’s token and directly elevate its privileges, this is a relatively well-known technique that most endpoint detection and response (EDR) tools should detect.”

Title: Cybercriminals Have Abused API Keys to Steal Millions in Crypto
Date Published: May 27, 2021


Excerpt: “For security reasons, cryptocurrency exchanges disable the withdrawal permission by default. With that said, most of the ads posted on cybercriminal forums claim that their owners were able to withdraw up to 80% of their victims’ cryptocurrency balance, which they would then split with the owner of the stolen API keys. The API keys include two important elements: the public key and the private key, commonly referred to as the public key and the secret key. The secret key is used by third-party apps to sign operation requests and tells the cryptocurrency exchange that the app is authorized to access a trader’s account and carry out the operations supported by the API key.”

Title: Data Wiper Malware Disguised As Ransomware Targets Israeli Entities
Date Published: May 26, 2021


Excerpt: “Besides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including CVE-2018-13379, to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands. If anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.”
