OSN May 6, 2021

Fortify Security Team
May 6, 2021

Title: China’s PLA Unit 61419 Purchasing Foreign Antivirus Products, Likely for Exploitation
Date Published: May 5, 2021


Excerpt: “Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above, as well as China’s exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated in Table 1 should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.”

Title: Ryuk Ransomware Finds Foothold in Bio Research Institute Through Student Who Wouldn’t Pay for Software
Date Published: May 6, 2021


Excerpt: “The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network.”

Title: Operation TunnelSnake: Formerly Unknown Rootkit Used to Secretly Control Networks of Regional Organizations
Date Published: May 6, 2021


Excerpt: “The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by our product, giving us visibility into the group’s operation.”

Title: Qualys: 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
Date Published: May 5, 2021


Excerpt: “The Qualys Research Team has discovered multiple critical vulnerabilities in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys recommends that security teams apply patches for these vulnerabilities as soon as possible. Exim is a popular mail transfer agent (MTA) available for major Unix-like operating systems and comes pre-installed on Linux distributions such as Debian. According to a recent survey, an estimated 60% of internet servers run on Exim. A Shodan search reveals nearly 4 million Exim servers are exposed to the internet.”
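As an added triage aid (not part of the Qualys advisory or of this digest), the Go snippet below classifies SMTP greeting banners by the Exim version they advertise. It assumes that the 21Nails fixes shipped upstream in Exim 4.94.2, and the banners it processes are constructed samples, not captured traffic. Distribution packages often backport fixes without changing the advertised version, so a flagged banner means the host's package version needs to be checked, not that the host is confirmed vulnerable.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Exim 4.94.2 (released 4 May 2021) is the first upstream release that
// contains the 21Nails fixes. Anything older in the greeting deserves a look.
var fixedVersion = []int{4, 94, 2}

// Matches e.g. "220 mx1.example.org ESMTP Exim 4.93 Wed, 05 May 2021 ..."
var eximBanner = regexp.MustCompile(`(?i)\bExim\s+(\d+(?:\.\d+)*)`)

// parseEximVersion extracts the dotted version from an SMTP 220 greeting.
// ok is false when the banner does not advertise Exim at all.
func parseEximVersion(banner string) (ver []int, ok bool) {
	m := eximBanner.FindStringSubmatch(banner)
	if m == nil {
		return nil, false
	}
	for _, p := range strings.Split(m[1], ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, false
		}
		ver = append(ver, n)
	}
	return ver, true
}

// compareVersions compares dotted versions component-wise, treating missing
// trailing components as zero, so 4.94 == 4.94.0 < 4.94.2.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// bannerNeedsReview reports whether the banner advertises an Exim release
// older than 4.94.2, and returns the version string it found. Debian, Ubuntu
// and RHEL backport security fixes without bumping the advertised version,
// so "true" means "verify the installed package", not "confirmed vulnerable".
func bannerNeedsReview(banner string) (needsReview bool, version string) {
	ver, ok := parseEximVersion(banner)
	if !ok {
		return false, ""
	}
	parts := make([]string, len(ver))
	for i, n := range ver {
		parts[i] = strconv.Itoa(n)
	}
	return compareVersions(ver, fixedVersion) < 0, strings.Join(parts, ".")
}

func main() {
	// Constructed sample banners; none were captured from real hosts.
	banners := []string{
		"220 mx1.example.org ESMTP Exim 4.93 Wed, 05 May 2021 10:00:00 +0000",
		"220 mx2.example.org ESMTP Exim 4.94.2 Wed, 05 May 2021 10:00:01 +0000",
		"220 mx3.example.org ESMTP Postfix",
	}
	for _, b := range banners {
		review, v := bannerNeedsReview(b)
		fmt.Printf("version=%-7s review=%-5v %s\n", v, review, b)
	}
}
```

Feed it the first line returned by a banner grab of TCP/25 or TCP/587 across your mail hosts; hosts that return false because they hide or rewrite the banner still need a package-level check, since the absence of a version string is not evidence of patching.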

Title: New Crypto-Stealer ‘Panda’ Spread via Discord
Date Published: May 5, 2021


Excerpt: “A threat actor called NCP, also known as su1c1de, has actually cracked Collector Stealer. The cracked stealer and Panda Stealer behave similarly, but they don’t share the same command-and-control (C2) URLs, build tags or execution folders. But both exfiltrate information like cookies, login data and web data from a compromised computer, storing them in an SQLite3 database. The cracked Collector Stealer is freely available online, meaning that it’s easy to get it, tweak it and let it rip. Researchers found 14 victims listed on the logs for one of those servers. They also found an IP address that they think the threat actor was using.”

Title: Security Probe of Qualcomm MSM Data Services
Date Published: May 6, 2021


Excerpt: “QMI is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector. If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI. In our attempt to do so, we reverse-engineered QuRT and built a feedback fuzzer for QDSP6 processor architecture to probe MSM data services for bugs.”

Title: Cisco Critical Vulnerabilities Enable Remote Attackers To Execute Commands
Date Published: May 6, 2021


Excerpt: “Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX and SD-WAN vManage could have allowed an unauthenticated, remote attacker to execute arbitrary code, escalate privileges, trigger DoS conditions, or access confidential data, the company notes. The company has released a security update to fix high and medium severity vulnerabilities, saying that authenticated local attackers may take advantage of these flaws to obtain elevated privileges or unauthorized access to an attack-vulnerable program.”

Title: DOD Expands Vulnerability Disclosure Program, Giving Hackers More Approved Targets
Date Published: May 5, 2021


Excerpt: “The program, ‘Hack the Pentagon,’ is expanding the number of DOD targets that ethical hackers can go after to try to ferret out vulnerabilities. The program, which launched in 2016, previously allowed cybersecurity professionals to test DOD systems when it involved public-facing websites and applications. Now interested hackers may go after all publicly-accessible DOD information systems, including publicly-accessible networks, Internet of Things devices and industrial control systems.”

Title: Malware Group Leaks Millions of Stolen Authentication Cookies
Date Published: May 6, 2021


Excerpt: “Raccoon is fairly typical Malware-as-a-Service where for $75-$200 per month you get access to the toolkit to generate malware payloads and a backend website to administer your campaign from. ‘It is designed to steal login credentials, credit card information, cryptocurrency wallets, and browser information. People often don’t realize, but things like the password store on Chrome are encrypted using the Windows API. This means that if the malware is running in the user context, it can decrypt all the logins saved in the Chrome DB and steal them’.”

Title: Cyber-Attack on Belgian Parliament
Date Published: May 5, 2021


Excerpt: “A coordinated cyber-attack has been carried out against Belgium’s parliament, scientific institutions, police services, and universities. Internet service provider Belnet, which serves the country’s government agencies, fell victim to what it described as a ‘large-scale attack’ on Tuesday. At around 11:00am CEST, the company was hit by a distributed denial of service (DDoS) attack that overloaded its servers, preventing the availability of online services. Websites with .be domains were impacted.”
