OSN June 25, 2021

Fortify Security Team
Jun 25, 2021
Title: Crackonosh: A New Malware Distributed in Cracked Software
Date Published: June 24, 2021

https://decoded.avast.io/danielbenes/crackonosh-a-new-malware-distributed-in-cracked-software/

Excerpt: “In this posting we analyze Crackonosh. We look first at how Crackonosh is installed. In our analysis we found that it drops three key files winrmsrv.exe, winscomrssrv.dll and winlogui.exe which we analyze below. We also include information on the steps it takes to disable Windows Defender and Windows Update as well as anti-detection and anti-forensics actions. We include information on how to remove Crackonosh. Finally, we include indicators of compromise for Crackonosh.”

Title: Disconnect WD My Book Live NAS From the Internet Immediately
Date Published: June 24, 2021

https://www.kaspersky.com/blog/wd-my-book-remote-wipe/40392/

Excerpt: “Many Western Digital My Book users are complaining that their devices have been reset to factory defaults. Worse, all of the information on them suddenly disappeared. Whether the cause of the incident was a technical failure or an attack is not yet clear, but we recommend all owners disconnect their My Book Live and My Book Live Duo drives from the Internet, at least until more details from the vendor are available.”

Title: Facebook Pays $6.5 Million to End Fee Fight in Breach Case
Date Published: June 24, 2021

https://news.bloomberglaw.com/business-and-practice/facebook-pays-6-5-million-to-end-fee-fight-in-data-breach-case

Excerpt: “Facebook Inc. will pay $6.5 million to class counsel in a lawsuit that alleged the company’s negligence allowed hackers to obtain user information via software bugs, ending a dispute over attorneys’ fees. The parties reached an agreement prior to a hearing scheduled for Thursday, they told Judge William Alsup. The amount is described in a stipulation as “a material reduction from the total attorneys’ fees and litigation costs Plaintiff initially sought”.”

Title: Cloud Database Exposes 800M+ WordPress Users’ Records
Date Published: June 25, 2021

https://www.infosecurity-magazine.com/news/cloud-database-exposes-800m/

Excerpt: “Security researcher Jeremiah Fowler explained that the trove was left online with no password protection by US hosting provider DreamHost. The 814 million records he found were traced back to the firm’s managed WordPress hosting business DreamPress and appeared to date back to 2018. In the 86GB database, there was purportedly admin and user information, including WordPress login location URLs, first and last names, email addresses, usernames, roles, host IP addresses, timestamps, and configuration and security information.”

Title: FIN7 Supervisor Gets 7-Year Jail Term for Stealing Millions of Credit Cards
Date Published: June 25, 2021

https://thehackernews.com/2021/06/fin7-supervisor-gets-7-year-jail-term.html

Excerpt: “A Ukrainian national and a mid-level supervisor of the hacking group known as FIN7 has been sentenced to seven years in prison for his role as a “pen tester” and perpetuating a criminal scheme that enabled the gang to compromise millions of customers’ debit and credit cards. Andrii Kolpakov, 33, was arrested in Spain on June 28, 2018, and subsequently extradited to the U.S. the following year on June 1, 2019. In June 2020, Kolpakov pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.”

Title: Clop Gang Partners Laundered $500 Million in Ransomware Payments
Date Published: June 24, 2021

https://thehackernews.com/2021/06/clop-gang-members-laundered-500-million.html

Excerpt: “The cybercrime ring that was apprehended last week in connection with Clop (aka Cl0p) ransomware attacks against dozens of companies in the last few months helped launder money totaling $500 million for several malicious actors through a plethora of illegal activities. “The group — also known as FANCYCAT — has been running multiple criminal activities: distributing cyber attacks; operating a high-risk exchanger; and laundering money from dark web operations and high-profile cyber attacks such as Cl0p and Petya ransomware,” popular cryptocurrency exchange Binance said Thursday.”

Title: Malicious Spam Campaigns Delivering Banking Trojans
Date Published: June 24, 2021

https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917/

Excerpt: “The first campaign we called ‘DotDat’. It distributed ZIP attachments that claimed to be some sort of cancelled operation or compensation claims with the names in the following format [document type (optional)]-[some digits]-[date in MMDDYYYY format]. We assume the dates correspond with the campaign spikes. The ZIP archives contained a malicious MS Excel file with the same name. The Excel file downloads a malicious payload via a macro (see details below) from a URL with the following format [host]/[digits].[digits].dat and executes it. The URL is generated during execution using the Excel function NOW(). The payload is either the IcedID downloader (Trojan.Win32.Ligooc) or QBot packed with a polymorph packer.”

Title: 30 Million Dell Devices Affected by BIOSConnect Code Execution Bugs
Date Published: June 25, 2021

https://www.hackread.com/dell-devices-biosconnect-code-execution-bugs/

Excerpt: “According to Eclypsium researchers, one bug leads to an insecure TLS connection from BIOS to Dell, whereas three are overflow vulnerabilities, classified as CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, and CVE-2021-21574, respectively. The first issue occurs when BIOSConnect connects to Dell’s back-end HTTP server. It accepts any valid wildcard certificate, letting an attacker deliver attacker-controlled content to the victim device under Dell’s guise.”

Title: Data Breach Confirmed at Workforce West Virginia
Date Published: June 23, 2021

https://www.wboy.com/news/west-virginia/data-breach-confirmed-at-workforce-west-virginia/

Excerpt: “According to Workforce WV, they learned on April 13, 2021, an “unauthorized individual” had accessed the job seekers database. The organization says they immediately took the system offline, took steps to make sure the network was secure and began an investigation. The investigation also included hiring a computer forensic firm to help determine what had happened and what information may have been accessed.”

Title: CVE-2020-3580: Proof of Concept Published for Cisco ASA Flaw Patched in October
Date Published: June 24, 2021

https://www.tenable.com/blog/cve-2020-3580-proof-of-concept-published-for-cisco-asa-flaw-patched-in-october

Excerpt: “All four vulnerabilities exist because Cisco ASA and FTD software web services do not sufficiently validate user-supplied inputs. To exploit any of these vulnerabilities, an attacker would need to convince “a user of the interface” to click on a specially crafted link. Successful exploitation would allow the attacker to execute arbitrary code within the interface and access sensitive, browser-based information.”
