OSN May 7, 2021

Fortify Security Team
May 7, 2021

Title: VMware Addresses Critical RCE in vRealize Business for Cloud
Date Published: May 7, 2021


Excerpt: “‘VMware vRealize Business for Cloud contains a remote code execution vulnerability due to an unauthorized end point,’ reads the advisory published by the virtualization giant. ‘A malicious actor with network access may exploit this issue causing unauthorized remote code execution on vRealize Business for Cloud Virtual Appliance.’ The vulnerability has been rated as critical and received a CVSSv3 base score of 9.8; it could be easily exploited by attackers without any privileges.”

Title: New TsuNAME Flaw Could Let Attackers Take Down Authoritative DNS Servers
Date Published: May 7, 2021


Excerpt: “TsuNAME occurs when domain names are misconfigured with cyclic dependent DNS records, and when vulnerable resolvers access these misconfigurations, they begin looping and send DNS queries rapidly to authoritative servers and other resolvers. To mitigate the impact of TsuNAME in the wild, an open-source tool called CycleHunter is available that allows authoritative DNS server operators to detect cyclic dependencies.”
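The cyclic dependency the excerpt describes is easy to picture: a zone's NS records name servers that live in a second zone, and that second zone's NS records point back into the first, so a resolver can never reach either without first reaching the other. Below is an added example (not CycleHunter's code, only the same idea) that builds that dependency graph from a constructed set of NS records and reports the loops. The zone names, server names and the treatment of in-bailiwick servers as glue are assumptions made for the example.

```python
"""Cyclic NS-dependency check of the kind TsuNAME abuses.

Added example for this digest; it is not CycleHunter's code, only the same
idea. Zone names, name servers and the graph walk are constructed here.
"""
from collections import defaultdict

# Constructed NS data: zone -> name servers it delegates to (not real records).
NS_RECORDS = {
    "example.com.": ["ns1.example.net.", "ns2.example.net."],
    "example.net.": ["ns1.example.com.", "ns2.example.com."],   # loops back to example.com.
    "healthy.org.": ["a.nameservers.test."],
    "nameservers.test.": ["a.nameservers.test."],               # in-bailiwick: glue, no loop
    "loopy.org.": ["ns.loopy.org.", "ns.example.com."],         # depends on the loop, not in it
}


def parent_zone(hostname, zones):
    """Longest known zone that hostname lies under, or None if we hold no data for it."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def dependency_graph(ns_records):
    """zone -> set of other zones a resolver must resolve first to reach its name servers."""
    graph = defaultdict(set)
    for zone, servers in ns_records.items():
        graph[zone]  # make sure zones with no external dependency still appear as nodes
        for server in servers:
            dep = parent_zone(server, ns_records)
            # A server inside its own zone is reached via glue, so it is not a dependency
            # on another zone; a server in a zone we hold no data for is outside our check.
            if dep is not None and dep != zone:
                graph[zone].add(dep)
    return graph


def find_cycles(graph):
    """Depth-first walk; every back edge met closes a cycle, returned as a list of zones."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    path, cycles = [], []

    def visit(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == GREY:                  # back edge: nxt is an ancestor on the path
                cycles.append(path[path.index(nxt):] + [nxt])
            elif colour[nxt] == WHITE:
                visit(nxt)
        path.pop()
        colour[node] = BLACK

    for node in sorted(graph):
        if colour[node] == WHITE:
            visit(node)
    return cycles


def cyclic_zones(ns_records):
    """Zones that sit on at least one dependency loop, sorted."""
    return sorted({z for cycle in find_cycles(dependency_graph(ns_records)) for z in cycle})


if __name__ == "__main__":
    for cycle in find_cycles(dependency_graph(NS_RECORDS)):
        print(" -> ".join(cycle))
```

Run against real data, the NS_RECORDS map would be filled from the zone file or from an authoritative query per delegation; the point of the check is that it runs on the operator's side, where the misconfiguration can actually be fixed, rather than on the resolver that suffers the query storm.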

Title: Popular Routers Found Vulnerable to Hacker Attacks
Date Published: May 7, 2021


Excerpt: “A router that has an easy-to-guess and/or default password could grant malicious actors a way into your home network and the devices connected to it. You should always replace your router’s default username and password with a strong and unique password or passphrase. Meanwhile, routers that have out-of-date firmware often contain easily exploitable vulnerabilities. If your router doesn’t receive firmware updates to plug such security flaws, you are best off arranging an upgrade of your device with your ISP or buy an aftermarket device.”

Title: Connecting the Bots – Hancitor Fuels Cuba Ransomware Operations
Date Published: May 7, 2021


Excerpt: “From an execution perspective, just like many other ransomware operators, they used jump psexec and jump psexec_psh, and relied heavily on SMB Beacons, commonly using generic pipe names. In some cases, they also used less common techniques, such as WMI and WinRM to execute the Beacon stagers on remote hosts. As Cobalt Strike has credential dumping capabilities, the threat actors leverage mimikatz’s sekurlsa::logonpasswords. At the same time, in some cases they use a separate binary to run mimikatz on some hosts. This tool is also used for enabling lateral movement capability with obtained hashes and mimikatz’s sekurlsa::pth.”
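Each of the three lateral-movement techniques named in the excerpt leaves a characteristic host artefact: an SMB Beacon opens a named pipe, jump psexec installs a randomly named service whose binary sits on the target's ADMIN$ share, and jump psexec_psh installs a service whose image path is an encoded PowerShell one-liner. The following added detection example (not part of the original report, and not vendor detection content) runs those three rules over constructed Sysmon-style and System-log-style events. The pipe-name patterns are Cobalt Strike's publicly documented defaults; the sample telemetry, host names and service names are made up for the example.

```python
"""Flag the Cobalt Strike lateral-movement artefacts the excerpt lists.

Added example for this digest, not Cuba/Hancitor tooling or vendor detection
content. The events below are constructed, modelled on Sysmon event IDs 17/18
(named pipe created/connected) and System log event 7045 (service installed).
The pipe-name patterns are Cobalt Strike's documented defaults (msagent_XX,
postex_XXXX, MSSE-NNNN-server); operators change them, so treat the list as a
starting point, not a complete signature.
"""
import json
import re

# Constructed sample telemetry, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"EventID": 17, "Host": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_1a"}
{"EventID": 17, "Host": "WS01", "Image": "C:\\Windows\\System32\\spoolsv.exe", "PipeName": "\\spoolss"}
{"EventID": 7045, "Host": "FS02", "ServiceName": "kx7hTqp", "ImagePath": "\\\\FS02\\ADMIN$\\kx7hTqp.exe"}
{"EventID": 7045, "Host": "FS02", "ServiceName": "b9fK2rq", "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgAIAAoAE4A"}
{"EventID": 7045, "Host": "DC01", "ServiceName": "Sense", "ImagePath": "\"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe\""}
{"EventID": 18, "Host": "WS02", "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\postex_c4f1"}
"""

CS_PIPE_RE = re.compile(r"^\\(msagent_[0-9a-f]{2}|postex_[0-9a-f]{4}|MSSE-[0-9]{4}-server)$", re.I)
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\", re.I)   # binary dropped via \\host\ADMIN$
RANDOM_SVC_RE = re.compile(r"^[A-Za-z0-9]{7}$")                # jump psexec's 7-char random service name
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I)


def classify(event):
    """Return a technique label for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid in (17, 18):
        if CS_PIPE_RE.match(event.get("PipeName", "")):
            return "smb_beacon_default_pipe"
    elif eid == 7045:
        path = event.get("ImagePath", "")
        if ENCODED_PS_RE.search(path):
            return "jump_psexec_psh"              # service runs an encoded PowerShell stager
        if ADMIN_SHARE_RE.match(path) and RANDOM_SVC_RE.match(event.get("ServiceName", "")):
            return "jump_psexec"                  # random service pointing at a binary on ADMIN$
    return None


def scan(lines):
    """Run every rule over JSON-lines telemetry; returns (host, label) in log order."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            findings.append((event["Host"], label))
    return findings


if __name__ == "__main__":
    for host, label in scan(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The WMI and WinRM variants the excerpt mentions leave different traces (a process spawned by WmiPrvSE.exe or wsmprovhost.exe on the target) and need their own rules; they are deliberately not folded into the three above.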

Title: Possible Attacks on the TCP/IP Protocol Stack and Countermeasures
Date Published: May 7, 2021


Excerpt: “Network communication on the Internet follows a layered approach, where each layer adds to the activity of the previous layer according to the TCP/IP implementation paradigm. The TCP/IP protocol stack has only 4 layers compared to the standard ISO/OSI protocol (Application, Presentation, Session, Transport, Network, Data link, Physical), namely the Application, TCP, IP and Network Access layers.”
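The layered model in the excerpt is concrete once you see one frame assembled and then taken apart in the reverse order: the application payload is wrapped in a TCP segment, the segment in an IPv4 packet, the packet in an Ethernet frame (the network access layer). The added example below, which is not code from the article, builds such a frame with constructed addresses, ports and payload, and parses it back layer by layer, validating the IPv4 header checksum on the way. It handles only IPv4 over Ethernet carrying TCP, and leaves the TCP checksum at zero as if offloaded to the NIC; both are simplifications made for the example.

```python
"""Build one frame and peel it apart layer by layer, as the excerpt's stack is arranged.

Added example for this digest, not code from the article. Addresses, ports and the
payload are constructed. Only IPv4 over Ethernet carrying TCP is handled; the TCP
checksum is left at zero (as if offloaded to the NIC) to keep the example short.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. A header that already
    carries a correct checksum field sums to 0, which is the validity test below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Wrap payload in TCP, then IPv4, then Ethernet (innermost layer first)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, flags, 64240, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill in the header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Network access -> IP -> TCP -> application data, validating each layer's header."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4 if packet else 0
    if not packet or packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len, ttl, proto = struct.unpack("!H", packet[2:4])[0], packet[8], packet[9]
    if proto != PROTO_TCP or total_len > len(packet):
        raise ValueError("unsupported or truncated packet")
    segment = packet[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_offset = (off_flags >> 12) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(packet[12:16]), "dst_ip": socket.inet_ntoa(packet[16:20]),
        "ttl": ttl, "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": window, "payload": segment[data_offset:],
    }


def is_valid_frame(frame: bytes) -> bool:
    """True when every layer parsed and the IPv4 header checksum held."""
    try:
        parse_frame(frame)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    f = build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.1", "10.0.0.2",
                    40000, 443, b"GET / HTTP/1.0\r\n")
    print(parse_frame(f))
```

Each layer only inspects its own header and hands the rest upward, which is exactly why a check at one layer (the IPv4 checksum here) says nothing about the integrity of the layers above it; that separation is what most of the stack attacks discussed in the article depend on.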

Title: Connected Places: New NCSC Security Principles for ‘Smart Cities’
Date Published: May 3, 2021


Excerpt: “It wasn’t a teenager accidentally taking control of nuclear command and control, or a magic box that can decrypt anything stolen and used by shady Bond villains intent on taking over the world. It was an attack against a city’s centralized traffic management system in the 1969 film ‘The Italian Job’. As part of an elaborate heist, a dodgy computer professor (played by Benny Hill) switches magnetic storage tapes for the Turin traffic control to create a gridlock.”

Title: Peloton’s Leaky API Spilled Riders’ Private Data
Date Published: May 5, 2021


Excerpt: “Pen Test Partners security researcher Jan Masters had discovered that a bug allowed anyone to scrape users’ private account data right off Peloton’s servers, regardless of their profiles being set to private. As Masters said in a post about the glitch, the leaky API was allowing any user, along with any random internet passersby, to make an unauthenticated request for account data to the API without the API making sure that they had any right to the data. The API enables the bikes to upload data to Peloton’s servers.”
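The failure the excerpt describes is a missing authorization step: the API served a full account record to whoever asked for it by ID, without checking that the caller was logged in or that the caller was allowed to see that particular profile. The added example below (not Peloton's code; the user records, session tokens and field names are constructed) shows a handler with that gap next to one that authenticates the caller and then authorizes the specific record requested, answering the same way for a private profile and a nonexistent one so that account IDs cannot be enumerated.

```python
"""The authorization gap the excerpt describes, side by side with a fixed handler.

Added example for this digest; it is not Peloton's API code, and the user
records, session tokens and field names are constructed. Both handlers return
(status, body) like an HTTP response so the behaviour is easy to compare.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    username: str
    private: bool
    location: str
    age: int
    workouts: list = field(default_factory=list)


# Constructed in-memory account store and session table.
USERS = {
    1: User(1, "rider_one", private=True, location="Austin", age=34, workouts=["ride-101"]),
    2: User(2, "rider_two", private=False, location="Denver", age=29, workouts=["ride-202"]),
}
SESSIONS = {"tok-rider-one": 1, "tok-rider-two": 2}
NOT_FOUND = (404, {"error": "not found"})


def public_view(user):
    """The fields anyone may see on a public profile."""
    return {"user_id": user.user_id, "username": user.username}


def full_view(user):
    """Everything, including the data a private profile is meant to hide."""
    return {**public_view(user), "location": user.location,
            "age": user.age, "workouts": list(user.workouts)}


def leaky_profile(user_id, session_token=None):
    """The flaw: the token is never checked and the private flag is never consulted."""
    user = USERS.get(user_id)
    if user is None:
        return NOT_FOUND
    return 200, full_view(user)


def fixed_profile(user_id, session_token=None):
    """Authenticate the caller, then authorize against the specific record requested."""
    caller_id = SESSIONS.get(session_token)
    if caller_id is None:
        return 401, {"error": "authentication required"}   # no anonymous reads of account data
    target = USERS.get(user_id)
    if target is None:
        return NOT_FOUND
    if caller_id == target.user_id:
        return 200, full_view(target)                     # the owner sees everything
    if target.private:
        return NOT_FOUND      # same answer as a missing account, so IDs cannot be enumerated
    return 200, public_view(target)                       # public profile: minimal fields only


if __name__ == "__main__":
    print("leaky, anonymous:", leaky_profile(1))
    print("fixed, anonymous:", fixed_profile(1))
    print("fixed, other user:", fixed_profile(1, "tok-rider-two"))
```

The check that matters is the per-record one: a valid session proves who is calling, not that the caller may read the record named in the URL, and scraping attacks of the kind described work precisely when an API stops at the first of those two questions.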

Title: What is Ghimob Malware?
Date Published: May 7, 2021


Excerpt: “Once embedded in a phone, Ghimob uses the data it collects to keep an eye out for 153 mobile apps belonging to banks, fintechs and cryptocurrency exchanges based in Brazil, Germany, Portugal, Peru, Paraguay, Angola and Mozambique. When it finds one of those apps running on an infected device, it begins to spy on the app.”

Title: New Spectre Flaws in Intel and AMD CPUs Affect Billions of Computers
Date Published: May 6, 2021


Excerpt: “A Spectre attack tricks the processor into executing instructions along the wrong path,” the researchers said. “Even though the processor recovers and correctly completes its task, hackers can access confidential data while the processor is heading the wrong way. The new attack method exploits what’s called a micro-operations (aka micro-ops or μops) cache, an on-chip component that decomposes machine instructions into simpler commands and speeds up computing, as a side-channel to divulge secret information. Micro-op caches have been built into Intel-based machines manufactured since 2011.”

Title: New Techniques Emerge for Abusing Windows Services to Gain System Control
Date Published: May 6, 2021


Excerpt: “For organizations, the biggest problem dealing with these attacks is that they abuse services that hold impersonation privileges and exist by design in Windows operating systems. The services are enabled, available by default, and play an essential part in the implementation of Web servers, database servers, mail servers, and other services. Juicy Potato is an exploit that allows an attacker with low-level service privileges on a Windows system to gain system level access on it. The exploit takes advantage of an impersonation privilege setting in Windows called ‘SeImpersonatePrivilege’.”
