OSN June 25, 2021

Fortify Security Team
Jun 25, 2021
Title: Crackonosh: A New Malware Distributed in Cracked Software

Date Published: June 24, 2021

Excerpt: “In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files winrmsrv.exe, winscomrssrv.dll and winlogui.exe which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update as well as anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.”

Title: Disconnect WD My Book Live NAS From the Internet Immediately
Date Published: June 24, 2021

Excerpt: “Many Western Digital My Book users are complaining that their devices have been reset to factory defaults. Worse, all of the information on them suddenly disappeared. Whether the cause of the incident was a technical failure or an attack is not yet clear, but we recommend all owners disconnect their My Book Live and My Book Live Duo drives from the Internet, at least until more details from the vendor are available.”

Title: Facebook Pays $6.5 Million to End Fee Fight in Breach Case
Date Published: June 24, 2021

Excerpt: “Facebook Inc. will pay $6.5 million to class counsel in a lawsuit that alleged the company’s negligence allowed hackers to obtain user information via software bugs, ending a dispute over attorneys’ fees. The parties reached an agreement prior to a hearing scheduled for Thursday, they told Judge William Alsup. The amount is described in a stipulation as “a material reduction from the total attorneys’ fees and litigation costs Plaintiff initially sought”.”

Title: Cloud Database Exposes 800M+ WordPress Users’ Records
Date Published: June 25, 2021

Excerpt: “Security researcher Jeremiah Fowler explained that the trove was left online with no password protection by US hosting provider DreamHost. The 814 million records he found were traced back to the firm’s managed WordPress hosting business DreamPress and appeared to date back to 2018. In the 86GB database, there was purportedly admin and user information, including WordPress login location URLs, first and last names, email addresses, usernames, roles, host IP addresses, timestamps, and configuration and security information.”

Title: FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards
Date Published: June 25, 2021

Excerpt: “A Ukrainian national and a mid-level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a “pen tester” and perpetuating a criminal scheme that enabled the gang to compromise millions of customers’ debit and credit cards. Andrii Kolpakov, 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.”

Title: Clop Gang Partners Laundered $500 Million in Ransomware Payments
Date Published: June 24, 2021

Excerpt: “The cybercrime ring that was apprehended last week in connection with Clop (aka Cl0p) ransomware attacks against dozens of companies in the last few months helped launder money totaling $500 million for several malicious actors through a plethora of illegal activities. “The group — also known as FANCYCAT — has been running multiple criminal activities: distributing cyber attacks; operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p and Petya ransomware,” popular cryptocurrency exchange Binance said Thursday.”

Title: Malicious Spam Campaigns Delivering Banking Trojans
Date Published: June 24, 2021

Excerpt: “The first campaign we called ‘DotDat’. It distributed ZIP attachments that claimed to be some sort of cancelled operation or compensation claims with the names in the following format [document type (optional)]-[some digits]-[date in MMDDYYYY format]. We assume the dates correspond with the campaign spikes. The ZIP archives contained a malicious MS Excel file with the same name. The Excel file downloads a malicious payload via a macro (see details below) from a URL with the following format [host]/[digits].[digits].dat and executes it. The URL is generated during execution using the Excel function NOW(). The payload is either the IcedID downloader (Trojan.Win32.Ligooc) or QBot packed with a polymorph packer.”

Title: 30 Million Dell Devices Affected by BIOSConnect Code Execution Bugs
Date Published: June 25, 2021

Excerpt: “According to Eclypsium researchers, one bug leads to an insecure TLS connection from BIOS to Dell, whereas three are overflow vulnerabilities, classified as CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574, respectively. The first issue occurs when BIOSConnect connects to Dell’s back-end HTTP server. It accepts any valid wildcard certificate, letting an attacker deliver attacker-controlled content to the victim device under Dell’s guise.”

Title: Data Breach Confirmed at Workforce West Virginia
Date Published: June 23, 2021

Excerpt: “According to Workforce WV, they learned on April 13, 2021, an “unauthorized individual” had accessed the job seekers database. The organization says they immediately took the system offline, took steps to make sure the network was secure and began an investigation. The investigation also included hiring a computer forensic firm to help determine what had happened and what information may have been accessed.”

Title: CVE-2020-3580: Proof of Concept Published for Cisco ASA Flaw Patched in October
Date Published: June 24, 2021

Excerpt: “All four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs. To exploit any of these vulnerabilities, an attacker would need to convince “a user of the interface” to click on a specially crafted link. Successful exploitation would allow the attacker to execute arbitrary code within the interface and access sensitive, browser-based information.”
