OSN June 28, 2021

Fortify Security Team
Jun 28, 2021

Title: Microsoft Admits to Have Mistakenly-Signed a Software Driver Loaded With Rootkit Malware
Date Published: June 28, 2021


Excerpt: “Microsoft was saved by a thin margin because there is no sign of the malware corrupting or stealing any certificates from the company servers. The Windows-maker is not sure how the malware got into the system and that it would be refining its signing process, validation, and access policies, according to reports. The malware spread to the entire Microsoft gaming community but unless a user goes out of the way to access the malware, it cannot automatically harm any gamer’s system. Microsoft says that the rootkit malware only works post-exploitation and obtaining administrator access for installation is necessary.”

Title: Spear Phishing Campaign with New Techniques Aimed at Aviation Companies
Date Published: June 25, 2021


Excerpt: “The infection cycle begins with phishing emails sent to aviation companies that contain malicious links disguised as pdf attachments. The link in the email directs the user to VB Script hosting sites, from which the initial payload (.vbs) is delivered. The .vbs script then drops the second stage payload, an xml file containing inline C# .NET assembly code that acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the victim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2 server, takes control of the compromised machine, and introduces additional payloads. I will now dive into each of these steps in a bit more detail.”

Title: A Cisco ASA Vulnerability Is Actively Exploited
Date Published: June 28, 2021


Excerpt: “This specific Cisco ASA vulnerability is a cross-site scripting (XSS) vulnerability tracked as CVE-2020-3580. Cisco was the first to disclose the vulnerability as they issued a fix in October 2020, but it seems that the initial patch issued for the Cisco ASA vulnerability CVE-2020-3580 was incomplete, as a further fix was released in April 2021. The Cisco ASA is a cybersecurity perimeter-defense appliance that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities, therefore the successful exploitation in regard to this means that unauthenticated, remote attackers might be able to execute arbitrary code within the [ASA] interface.”

Title: Details of Over 200,000 Students Leaked in Cyberattack
Date Published: June 28, 2021


Excerpt: “A pro-Palestinian Malaysian hacker group known as “DragonForce” claimed that it hacked into AcadeME last week, stating “THE LARGEST AND MOST ADVANCED STUDENT AND GRADUATE RECRUITMENT NETWORK IN ISRAEL Hacked By DragonForce Malaysia” in a Telegram message on June 20. The group claimed that they leaked emails, passwords, first and last names, addresses and even phone numbers of students who were registered on AcadeME. DragonForce attached screenshots of code, server addresses and a table including email addresses and names.”

Title: Cybercrime Malware News Builder for Babuk Locker Ransomware Leaked Online
Date Published: June 27, 2021


Excerpt: “The leak of the Babuk Locker builder comes two months after the Babuk Locker ransomware gang announced that it was retiring from ransomware operations after a high-profile attack on the Washington, DC police department in late April. The gang is believed to have followed through on its retirement plans in late May when it rebranded its ransomware leak site into Payload[.]bin and started operating as a third-party host for other ransomware gangs that wanted to leak files from victims but did not want to operate their own leak site.”

Title: NFC Flaws Let Researchers Hack ATMs by Waving a Phone
Date Published: June 24, 2021


Excerpt: “Rodriguez says he alerted the affected vendors—which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor—to his findings between 7 months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don’t regularly receive software updates—and in many cases require physical access to update—mean that many of those devices likely remain vulnerable. “Patching so many hundreds of thousands of ATMs physically, it’s something that would require a lot of time,” Rodriguez says.”

Title: Mercedes-Benz USA Announces Initial Findings of Data Investigation Affecting Customers and Interested Buyers
Date Published: June 24, 2021


Excerpt: “On June 11, 2021, a vendor informed Mercedes-Benz that sensitive personal information of less than 1,000 Mercedes-Benz customers and interested buyers was inadvertently made accessible on a cloud storage platform. This confirmation was part of an ongoing investigation conducted in cooperation with the vendor. The issue was uncovered through the dedicated work of an external security researcher. It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017. No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

Title: Epsilon Red – Our Research Reveals More Than 3.5 Thousand Servers Are Still Vulnerable
Date Published: June 26, 2021


Excerpt: “During our research, we checked all publicly obtainable sources offering actionable intelligence on Epsilon Red. Our findings suggest that the new ransomware variant appears to be properly detected by the majority of leading antivirus vendors. This specific ransomware variant is attempting to propagate using a variety of recently discovered Microsoft Exchange server vulnerabilities, such as CVE-2020-1472, CVE-2021-26855, CVE-2021-27065 to drop ransomware on the affected hosts. We found 695 vulnerable ZeroLogon servers in the US, an additional 71 vulnerable servers in Australia, and 36 more in Argentina. These servers are directly susceptible and exploitable by the Epsilon Red ransomware campaign.”

Title: ISPs Must Provide Emergency Video Service to Deaf Users: Ofcom
Date Published: June 25, 2021


Excerpt: “UK telecom and broadcasting regulator, Ofcom has mandated new requirements for Internet Service Providers (ISPs) and phone companies to provide additional services for users with special needs. These include companies in the sector—even those not typically providing telephony services—to offer an emergency video relay service that users with hearing or speech impairments can rely on. Although these requirements may impose new challenges on telecoms, their goal is to provide equivalent access to emergency services for British Sign Language (BSL) users.”

Title: Industrial Automation And Control Systems Under Cyberattack
Date Published: June 25, 2021


Excerpt: “Cybersecurity experts across the industry share the rugged journey through industrial control security and the demanding criteria for IEC certifications. Enterprises struggle to merge security design, concepts of defense, and life cycle management into a solid product development framework. Failing to document security configurations, updated management policies, and other pertinent information is a guaranteed deal-breaker. But the major land mine to certification is failure to execute appropriate standards in security testing throughout the development lifecycle. “Each organization has unique IIoT components that must meet specific levels of process maturity and product security requirements,” says Morgan Hung, CEO and general manager at Onward Security.”
