OSN May 7, 2021

Fortify Security Team
May 7, 2021

Title: VMware Addresses Critical RCE in vRealize Business for Cloud
Date Published: May 7, 2021


Excerpt: “VMware vRealize Business for Cloud contains a remote code execution vulnerability due to an unauthorized end point,” reads the advisory published by the virtualization giant. “A malicious actor with network access may exploit this issue causing unauthorized remote code execution on vRealize Business for Cloud Virtual Appliance.” The vulnerability has been rated as critical and received a CVSSv3 base score of 9.8; it could be easily exploited by attackers without any privileges.

Title: New TsuNAME Flaw Could Let Attackers Take Down Authoritative DNS Servers
Date Published: May 7, 2021


Excerpt: “TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers. To mitigate the impact of TsuNAME in the wild, an open-source tool called CycleHunter that allows for authoritative DNS server operators to detect cyclic dependencies.”

Title: Popular Routers Found Vulnerable to Hacker Attacks
Date Published: May 7, 2021


Excerpt: “A router that has an easy-to-guess and/or default password could grant malicious actors a way into your home network and the devices connected to it. You should always replace your router’s default username and password with a strong and unique password or passphrase. Meanwhile, routers that have out-of-date firmware often contain easily exploitable vulnerabilities. If your router doesn’t receive firmware updates to plug such security flaws, you are best off arranging an upgrade of your device with your ISP or buy an aftermarket device.”

Title: Connecting the Bots – Hancitor Fuels Cuba Ransomware Operations
Date Published: May 7, 2021


Excerpt: “From an execution perspective, just like many other ransomware operators, they used jump psexec and jump psexec_psh, and relied heavily on SMB Beacons, commonly using generic pipe names. In some cases, they also used less common techniques, such as WMI and WinRM, to execute the Beacon stagers on remote hosts. As Cobalt Strike has credential dumping capabilities, the threat actors leverage mimikatz’s sekurlsa::logonpasswords. At the same time, in some cases they use a separate binary to run mimikatz on some hosts. This tool is also used for enabling lateral movement capability with obtained hashes and mimikatz’s sekurlsa::pth.”

Title: Possible Attacks on the TCP/IP Protocol Stack and Countermeasures
Date Published: May 7, 2021


Excerpt: “Network communication on the Internet follows a layered approach, where each layer adds to the activity of the previous layer according to the TCP/IP implementation paradigm. The TCP/IP protocol stack has only 4 layers compared to the standard ISO/OSI protocol (Application, Presentation, Session, Transport, Network, Data link, Physical), namely the Application, TCP, IP and Network Access layers.”

Title: Connected Places: New NCSC Security Principles for ‘Smart Cities’
Date Published: May 3, 2021


Excerpt: “It wasn’t a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world. It was an attack against a city’s centralized traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock.”

Title: Peloton’s Leaky API Spilled Riders’ Private Data
Date Published: May 5, 2021


Excerpt: “Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, regardless of their profiles being set to private. As Masters said in a post about the glitch, the leaky API was allowing any user, along with any random internet passersby, to make an unauthenticated request for account data to the API without the API making sure that they had any right to the data. The API enables the bikes to upload data to Peloton’s servers.”

Title: What is Ghimob Malware?
Date Published: May 7, 2021


Excerpt: “Once embedded in a phone, Ghimob uses the data it collects to keep an eye out for 153 mobile apps belonging to banks, fintechs and cryptocurrency exchanges based in Brazil, Germany, Portugal, Peru, Paraguay, Angola and Mozambique. When it finds one of those apps running on an infected device, it begins to spy on the app.”

Title: New Spectre Flaws in Intel and AMD CPUs Affect Billions of Computers
Date Published: May 6, 2021


Excerpt: “A Spectre attack tricks the processor into executing instructions along the wrong path,” the researchers said. “Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way. The new attack method exploits what’s called a micro-operations (aka micro-ops or μops) cache, an on-chip component that decomposes machine instructions into simpler commands and speeds up computing, as a side-channel to divulge secret information. Micro-op caches have been built into Intel-based machines manufactured since 2011.”

Title: New Techniques Emerge for Abusing Windows Services to Gain System Control
Date Published: May 6, 2021


Excerpt: “For organizations, the biggest problem dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows operating systems. The services are enabled, available by default, and play an essential part in the implementation of Web servers, database servers, mail servers, and other services. Juicy Potato is an exploit that allows an attacker with low-level service privileges on a Windows system to gain system level access on it. The exploit takes advantage of an impersonation privilege setting in Windows called ‘SeImpersonatePrivilege.’”
