OSN May 27, 2021

Fortify Security Team
May 27, 2021

Title: Microsoft Warns of the StrRAT Malware Campaign Targeting Windows Systems
Date Published: May 27, 2021


Excerpt: “The files can be opened as usual if the extension is removed. The malware authors are attackers who use spam mails with enticing subjects such as outgoing payments, new order, and confirmation of payments to lure the recipients into opening malicious Portable Document Format that claims to be payments. Still, in reality, they connect to a rogue domain to download the StrRAT malware. The malware permits the installation of RDPWrap, an open source tool that enhances remote desktop Host support on Windows.”

Title: Chinese Phishing Attack Targets High-Profile Uyghurs
Date Published: May 27, 2021


Excerpt: “These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community. The attacks are designed to fingerprint infected devices, including all of its running programs. From what we can tell, these attacks are ongoing, and new infrastructure is being created for what looks like future attacks.”

Title: TSA Cyber Requirements Would Fine Pipeline Operators for Lax Security Practices
Date Published: May 27, 2021


Excerpt: “The new directive also requires pipeline operators to designate an executive to be available at all hours of the day to coordinate with DHS officials in the event of a cybersecurity incident, the officials said. The regulations also give pipeline operators 30 days to assess whether their security practices meet federal guidance and to identify weak points that need addressing.”

Title: Nearly 50,000 IPs Compromised in Kubernetes Clusters by TeamTNT
Date Published: May 26, 2021


Excerpt: “We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May.” reads the analysis published by Trend Micro. “Most of the compromised nodes were from China and the US identified in the ISP (Internet Service Provider) list, which had Chinese and US-based providers as the highest hits, including some CSPs (Cloud Service Providers).”

Title: Google Discovers New Rowhammer Attack Technique
Date Published: May 26, 2021


Excerpt: “Rowhammer, first reported in 2014, is a vulnerability through which repeated access to one address can allow an attacker to compromise data stored at other addresses. When one DRAM row is accessed repeatedly (the “aggressor”), “bit flips” were found in the adjacent two rows (the “victims”). As “hammered” cells changed value, it caused data to change in adjacent rows.”

Title: Microsoft Releases First Windows 10 Package Manager Stable Version
Date Published: May 26, 2021


Excerpt: “Microsoft has released the first stable version of the native Winget Windows 10 package manager that helps you manage applications directly from the command line. Just as other package managers available on other platforms, Winget allows you to automate app management by enabling you to install, configure, upgrade, and remove Windows applications. Microsoft first announced the first preview version of its Windows 10 package manager at Microsoft Build 2020 and has developed it as an open-source project on GitHub since then.”

Title: Russian Admin of Cybercrime Marketplace Deer.Io Jailed in U.S.
Date Published: May 26, 2021


Excerpt: “According to the FBI, Deer.io was operating since 2013. It hosted more than 24,000 online stores and offered its services on a subscription basis throughout its operating time. The site’s subscription was approx. $12 per month. The DoJ revealed that it catered to 3,000 active stores, and sales exceeded $17 million. According to the FBI’s complaint, Deer.io claimed that it hosted legitimate businesses and users didn’t need any special access privileges. However, as per the bureau’s investigation, most of its sales were made by cybercriminals.”

Title: Know Your Enemy: Exploiting the Dell BIOS Driver Vulnerability to Defend Against It
Date Published: May 26, 2021


Excerpt: “Looking at the recently published vulnerability in Dell’s firmware update driver (CVE-2021-21551) reported by CrowdStrike’s Yarden Shafir and Satoshi Tanda, it’s worth understanding that adversaries have more than one way of weaponizing it to achieve the same result: obtaining full control of the victim’s machine. For example, while CVE-2021-21551 can be exploited to overwrite a process’s token and directly elevate its privileges, this is a relatively well-known technique that most endpoint detection and response (EDR) tools should detect.”

Title: Cybercriminals have abused API Keys to Steal Millions in Crypto
Date Published: May 27, 2021


Excerpt: “For security reasons, cryptocurrency exchanges disable the withdrawal permission by default. With that said, most of the ads posted on cybercriminal forums claim that their owners were able to withdraw up to 80% of their victims’ cryptocurrency balance, which they would then split with the owner of the stolen API keys. The API keys include two important elements: the public key and the private key, commonly referred to as the public key and the secret key. The secret key is used by third-party apps to sign operation requests and tells the cryptocurrency exchange that the app is authorized to access a trader’s account and carry out the operations supported by the API key.”

Title: Data Wiper Malware Disguised As Ransomware Targets Israeli Entities
Date Published: May 26, 2021


Excerpt: “Besides using ProtonVPN for anonymization, the Agrius attack cycle leverages 1-day vulnerabilities in web-based applications, including CVE-2018-13379, to gain an initial foothold and subsequently deliver ASPXSpy web shells to maintain remote access to compromised systems and run arbitrary commands. If anything, the research adds to evidence that state-sponsored actors with ties to the Iranian government are increasingly looking at ransomware operations as a subterfuge technique to mimic other financially motivated cybercriminal ransomware groups.”
