OSN May 6, 2021

Fortify Security Team
May 6, 2021

Title: China’s PLA Unit 61419 Purchasing Foreign Antivirus Products, Likely for Exploitation
Date Published: May 5, 2021


Excerpt: “Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above, as well as China’s exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated in Table 1 should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.”

Title: Ryuk Ransomware Finds Foothold in Bio Research Institute Through Student Who Wouldn’t Pay for Software
Date Published: May 6, 2021


Excerpt: “The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network.”

Title: Operation TunnelSnake: Formerly Unknown Rootkit Used to Secretly Control Networks of Regional Organizations
Date Published: May 6, 2021


Excerpt: “The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by our product, giving us visibility into the group’s operation.”

Title: Qualys: 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
Date Published: May 5, 2021


Excerpt: “The Qualys Research Team has discovered multiple critical vulnerabilities in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys recommends security teams to apply patches for these vulnerabilities as soon as possible. Exim is a popular mail transfer agent (MTA) available for major Unix-like operating systems and comes pre-installed on Linux distributions such as Debian. According to a recent survey, an estimated 60% of internet servers run on Exim. A Shodan search reveals nearly 4 million Exim servers are exposed to the internet.”

Title: New Crypto-Stealer ‘Panda’ Spread via Discord
Date Published: May 5, 2021


Excerpt: “A threat actor called NCP, also known as su1c1de, has actually cracked Collector Stealer. The cracked stealer and Panda Stealer behave similarly, but they don’t share the same command-and-control (C2) URLs, build tags or execution folders. But both exfiltrate information like cookies, login data and web data from a compromised computer, storing them in an SQLite3 database. The cracked Collector Stealer is freely available online, meaning that it’s easy to get it, tweak it and let it rip. Researchers found 14 victims listed on the logs for one of those servers. They also found an IP address that they think the threat actor was using.”

Title: Security Probe of Qualcomm MSM Data Services
Date Published: May 6, 2021


Excerpt: “QMI is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector. If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI. In our attempt to do so, we reverse-engineered QuRT and built a feedback fuzzer for QDSP6 processor architecture to probe MSM data services for bugs.”

Title: Cisco Critical Vulnerabilities Enable Remote Attackers To Execute Commands
Date Published: May 6, 2021


Excerpt: “Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX and SD-WAN vManage could have allowed an unauthenticated, remote attacker to execute arbitrary code, escalate privileges, trigger DoS conditions, or access confidential data, the company notes. The company has released a security update to fix high and medium severity vulnerabilities, saying that authenticated local attackers may take advantage of these flaws to obtain elevated privileges or unauthorized access to an attack-vulnerable program.”

Title: DOD Expands Vulnerability Disclosure Program, Giving Hackers More Approved Targets
Date Published: May 5, 2021


Excerpt: “The program, “Hack the Pentagon,” is expanding the number of DOD targets that ethical hackers can go after to try to ferret out vulnerabilities. The program, which launched in 2016, previously allowed cybersecurity professionals to test DOD systems when it involved public-facing websites and applications. Now interested hackers may go after all publicly-accessible DOD information systems, including publicly-accessible networks, Internet of Things devices and industrial control systems.”

Title: Malware Group Leaks Millions of Stolen Authentication Cookies
Date Published: May 6, 2021


Excerpt: “Raccoon is fairly typical Malware-as-a-Service where for $75-$200 per month you get access to the toolkit to generate malware payloads and a backend website to administer your campaign from. “It is designed to steal login credentials, credit card information, cryptocurrency wallets, and browser information. People often don’t realize, but things like the password store on Chrome are encrypted using the Windows API. This means that if the malware is running in the user context, it can decrypt all the logins saved in the Chrome DB and steal them.””

Title: Cyber-Attack on Belgian Parliament
Date Published: May 5, 2021


Excerpt: “A coordinated cyber-attack has been carried out against Belgium’s parliament, scientific institutions, police services, and universities. Internet service provider Belnet, which serves the country’s government agencies, fell victim to what it described as a “large-scale attack” on Tuesday. At around 11:00am CEST, the company was hit by a distributed denial of service (DDoS) attack that overloaded its servers, preventing the availability of online services. Websites with .be domains were impacted.”
