OSN May 6, 2021

by | May 6, 2021 | Open Source News

Title: China’s PLA Unit 61419 Purchasing Foreign Antivirus Products, Likely for Exploitation
Date Published: May 5, 2021

https://www.recordedfuture.com/china-pla-unit-purchasing-antivirus-exploitation/

Excerpt: “Given the pattern of Chinese state-sponsored exploitation of the global software supply chain described above, as well as China’s exclusion of foreign antivirus software as an option for government organizations, the brands and products indicated in Table 1 should be monitored for future exploitation. Focus should be placed on adversarial simulations, penetration testing, patching known vulnerabilities, and monitoring for anomalous traffic related to these antivirus products.”

Title: Ryuk Ransomware Finds Foothold in Bio Research Institute Through Student Who Wouldn’t Pay for Software
Date Published: May 6, 2021

https://www.zdnet.com/article/ryuk-ransomware-finds-foothold-in-bio-research-institute-through-a-student-who-wouldnt-pay-for-software/

Excerpt: “The student was on the hunt for a free version of a data visualization software tool which would have cost them hundreds of dollars per year if licensed. After posting on a forum asking for a free alternative, the student eventually elected to find a cracked version instead. However, instead of launching the software they wanted, the executable loaded a Trojan which was able to harvest the student’s access credentials to the biomolecular institute’s network.”

Title: Operation TunnelSnake: Formerly Unknown Rootkit Used to Secretly Control Networks of Regional Organizations
Date Published: May 6, 2021

https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/

Excerpt: “The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by our product, giving us visibility into the group’s operation.”

Title: Qualys: 21Nails: Multiple Critical Vulnerabilities in Exim Mail Server
Date Published: May 5, 2021

https://blog.qualys.com/vulnerabilities-research/2021/05/04/21nails-multiple-vulnerabilities-in-exim-mail-server

Excerpt: “The Qualys Research Team has discovered multiple critical vulnerabilities in the Exim mail server, some of which can be chained together to obtain full remote unauthenticated code execution and gain root privileges. Qualys recommends security teams to apply patches for these vulnerabilities as soon as possible. Exim is a popular mail transfer agent (MTA) available for major Unix-like operating systems and comes pre-installed on Linux distributions such as Debian. According to a recent survey, an estimated 60% of internet servers run on Exim. A Shodan search reveals nearly 4 million Exim servers are exposed to the internet.”

Title: New Crypto-Stealer ‘Panda’ Spread via Discord
Date Published: May 5, 2021

https://threatpost.com/panda-stealer-crypto-wallets-discord/165898/

Excerpt: “A threat actor called NCP, also known as su1c1de, has actually cracked Collector Stealer. The cracked stealer and Panda Stealer behave similarly, but they don’t share the same command-and-control (C2) URLs, build tags or execution folders. But both exfiltrate information like cookies, login data and web data from a compromised computer, storing them in an SQLite3 database. The cracked Collector Stealer is freely available online, meaning that it’s easy to get it, tweak it and let it rip. Researchers found 14 victims listed on the logs for one of those servers. They also found an IP address that they think the threat actor was using.”

Title: Security Probe of Qualcomm MSM Data Services
Date Published: May 6, 2021

https://research.checkpoint.com/2021/security-probe-of-qualcomm-msm/

Excerpt: “MI is present on approximately 30% of all mobile phones in the world but little is known about its role as a possible attack vector. If a researcher wants to implement a modem debugger to explore the latest 5G code, the easiest way to do that is to exploit MSM data services through QMI. In our attempt to do so, we reverse-engineered QuRT and built a feedback fuzzer for QDSP6 processor architecture to probe MSM data services for bugs.”

Title: Cisco Critical Vulnerabilities Enable Remote Attackers To Execute Commands
Date Published: May 6, 2021

https://heimdalsecurity.com/blog/cisco-vulnerabilities-allow-remote-attackers-to-execute-commands/

Excerpt: “Multiple vulnerabilities in the web-based management interface of Cisco HyperFlex HX and SD-WAN vManage could have allowed an unauthenticated, remote attacker to execute arbitrary code, escalate privileges, trigger DoS conditions, or access confidential data, the company notes. The company has released a security update to fix high and medium severity vulnerabilities, saying that authenticated local attackers may take advantage of these flaws to obtain elevated privileges or unauthorized access to an attack-vulnerable program.”

Title: DOD Expands Vulnerability Disclosure Program, Giving Hackers More Approved Targets
Date Published: May 5, 2021

https://www.cyberscoop.com/dod-expands-vulnerability-disclosure-program-hack-the-pentagon/

Excerpt: “The program, “Hack the Pentagon,” is expanding the number of DOD targets that ethical hackers can go after to try to ferret out vulnerabilities.. The program, which launched in 2016, previously allowed cybersecurity professionals to test DOD systems when it involved public-facing websites and applications. Now interested hackers may go after all publicly-accessible DOD information systems, including publicly-accessible networks, Internet of Things devices and industrial control systems.”

Title: Malware Group Leaks Millions of Stolen Authentication Cookies
Date Published: May 6, 2021

https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/

Excerpt: “Racoon is fairly typical Malware-as-a-Service where for $75-$200 per month you get access to the toolkit to generate malware payloads and a backend website to administer your campaign from. “It is designed to steal login credentials, credit card information, cryptocurrency wallets, and browser information. People often don’t realize, but things like the password store on Chrome are encrypted using the Windows API. This means that if the malware is running in the user context, it can decrypt all the logins saved in the Chrome DB and steal them”.”

Title: Cyber-Attack on Belgian Parliament
Date Published: May 5, 2021

https://www.infosecurity-magazine.com/news/cyber-attack-on-belgian-parliament/

Excerpt: “A coordinated cyber-attack has been carried out against Belgium’s parliament, scientific institutions, police services, and universities. Internet service provider Belnet, which serves the country’s government agencies, fell victim to what it described as a “large-scale attack” on Tuesday. At around 11:00am CEST, the company was hit by a distributed denial of service (DDoS) attack that overloaded its servers, preventing the availability of online services. Websites with .be domains were impacted.”