OSN June 28,2021

Fortify Security Team
Jun 28, 2021

Title: Microsoft Admits to Have Mistakenly-Signed a Software Driver Loaded With Rootkit Malware
Date Published: June 28, 2021

https://techstory.in/microsoft-admits-signing-a-software-driver-loaded-with-rootkit-malware/

Excerpt: “Microsoft was saved by a thin margin because there is no sign of the malware corrupting or stealing any certificates from the company servers. The Windows-maker is not sure how the malware got into the system and that it would be refining its signing process, validation, and access policies, according to reports. The malware spread to the entire Microsoft gaming community but unless a user goes out of the way to access the malware, it cannot automatically harm any gamer’s system. Microsoft says that the rootkit malware only works post-exploitation and obtaining administrator access for installation is necessary.”

Title: Spear Phishing Campaign with New Techniques Aimed at Aviation Companies
Date Published: June 25, 2021

https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies

Excerpt: “The infection cycle begins with phishing emails sent to aviation companies that contain malicious links disguised as pdf attachments. The link in the email directs the user to VB Script hosting sites, from which the initial payload (.vbs) is delivered. The .vbs script then drops the second stage payload, an xml file containing inline C# .NET assembly code that acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the victim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2 server, takes control of the compromised machine, and introduces additional payloads. I will now dive into each of these steps in a bit more detail.”

Title: A Cisco ASA Vulnerability Is Actively Exploited
Date Published: June 28, 2021

https://heimdalsecurity.com/blog/a-cisco-asa-vulnerability-is-actively-exploited/

Excerpt: “This specific Cisco ASA vulnerability is a cross-site scripting (XSS) vulnerability tracked as CVE-2020-3580. Cisco was the first to disclose the vulnerability as they issued a fix in October 202o but it seems that the initial patch issued for the Cisco ASA vulnerability CVE-2020-3580 was incomplete, as a further fix was released in April 2021. The Cisco ASA is a cybersecurity perimeter-defense appliance that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities, therefore the successful exploitation in regard to this means that unauthenticated, remote attackers might be able to execute arbitrary code within the [ASA] interface.”

Title: Details of Over 200,000 Students Leaked in Cyberattack
Date Published: June 28, 2021

https://www.jpost.com/israel-news/details-of-over-200000-students-leaked-in-cyberattack-672179

Excerpt: “A pro-Palestinian Malaysian hacker group known as “DragonForce” claimed that it hacked into AcadeME last week, stating “THE LARGEST AND MOST ADVANCED STUDENT AND GRADUATE RECRUITMENT NETWORK IN ISRAEL Hacked By DragonForce Malaysia” in a Telegram message on June 20. The group claimed that they leaked emails, passwords, first and last names, addresses and even phone numbers of students who were registered on AcadeME. DragonForce attacked screenshots of code, server addresses and a table including email addresses and names.”

Title: Cybercrime Malware News Builder for Babuk Locker Ransomware Leaked Online
Date Published: June 27, 2021

https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/

Excerpt: “The leak of the Babuk Locker builder comes two months after the Babuk Locker ransomware gang announced that it was retiring from ransomware operations after a high-profile attack on the Washington, DC police department in late April. The gang is believed to have followed through on its retirement plans in late May when it rebranded its ransomware leak site into Payload[.]bin and started operating as a third-party host for other ransomware gangs that wanted to leak files from victims but did not want to operate their own leak site.”

Title: NFC Flaws Let Researchers Hack ATMs by Waving a Phone
Date Published: June 24, 2021

https://www.wired.com/story/atm-hack-nfc-bugs-point-of-sale/

Excerpt: “Rodriguez says he alerted the affected vendors—which include ID Tech, Ingenico, Verifone, Crane Payment Innovations, BBPOS, Nexgo, and the unnamed ATM vendor—to his findings between 7 months and a year ago. Even so, he warns that the sheer number of affected systems and the fact that many point-of-sale terminals and ATMs don’t regularly receive software updates—and in many cases require physical access to update—mean that many of those devices likely remain vulnerable. “Patching so many hundreds of thousands of ATMs physically, it’s something that would require a lot of time,” Rodriguez says.”

Title: Mercedes-Benz USA Announces Initial Findings of Data Investigation Affecting Customers and Interested Buyers
Date Published: June 24, 2021

https://media.mbusa.com/releases/release-ee5a810c1007117e79e1c871352a4afa-mercedes-benz-usa-announces-initial-findings-of-data-investigation-affecting-customers-and-interested-buyers

Excerpt: “On June 11, 2021, a vendor informed Mercedes-Benz that sensitive personal information of less than 1,000 Mercedes-Benz customers and interested buyers was inadvertently made accessible on a cloud storage platform. This confirmation was part of an ongoing investigation conducted in cooperation with the vendor. The issue was uncovered through the dedicated work of an external security researcher. It is our understanding the information was entered by customers and interested buyers on dealer and Mercedes-Benz websites between January 1, 2014 and June 19, 2017. No Mercedes-Benz system was compromised as a result of this incident, and at this time, we have no evidence that any Mercedes-Benz files were maliciously misused.”

Title: Epsilon Red – Our Research Reveals More Than 3.5 Thousand Servers Are Still Vulnerable
Date Published: June 26, 2021

https://securityaffairs.co/wordpress/119415/security/epsilon-red-vulnerable-servers.html

Excerpt: “During our research, we checked all publicly obtainable sources offering actionable intelligence on Epsilon Red. Our findings suggest that the new ransomware variant appears to be properly detected by the majority of leading antivirus vendors. This specific ransomware variant is attempting to propagate using a variety of recently discovered Microsoft Exchange server vulnerabilities, such as CVE-2020-1472, CVE-2021-26855, CVE-2021-27065 to drop ransomware on the affected hosts. We found 695 vulnerable ZeroLogon servers in the US, an additional 71 vulnerable servers in Australia, and 36 more in Argentina. These servers are directly susceptible and exploitable by the Epsilon Red ransomware campaign.”

Title: ISPs Must Provide Emergency Video Service to Deaf Users: Ofcom
Date Published: June 25, 2021

https://www.bleepingcomputer.com/news/technology/isps-must-provide-emergency-video-service-to-deaf-users-ofcom/

Excerpt: “UK telecom and broadcasting regulator, Ofcom has mandated new requirements for Internet Service Providers (ISPs) and phone companies to provide additional services for users with special needs. These include companies in the sector—even those not typically providing telephony services to offer an emergency video relay service that users with hearing or speech impairments can rely on. Although these requirements are may impose new challenges on telecoms, their goal is to provide equivalent access to emergency services for British Sign Language (BSL) users.”

Title: Industrial Automation And Control Systems Under Cyberattack
Date Published: June 25, 2021

https://cybersecurityventures.com/industrial-automation-and-control-systems-under-cyberattack/

Excerpt: “Cybersecurity experts across the industry share the rugged journey through industrial control security and the demanding criteria for IEC certifications. Enterprises struggle to merge security design, concepts of defense, and life cycle management into a solid product development framework. Failing to document security configurations, updated management policies, and other pertinent information is a guaranteed deal-breaker. But the major land mine to certification is failure to execute appropriate standards in security testing throughout the development lifecycle. “Each organization has unique IIoT components that must meet specific levels of process maturity and product security requirements,” says Morgan Hung, CEO and general manager at Onward Security.”

Recent Posts

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305) Date Published: August 30, 2021 https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 25, 2021

Title: Fake Opensea Support Staff Are Stealing Cryptowallets and NFTS Date Published: August 24, 2021 https://www.bleepingcomputer.com/news/security/fake-opensea-support-staff-are-stealing-cryptowallets-and-nfts/ Excerpt: “When an OpenSea user needs support, they can...

OSN August 24, 2021

Title: A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health Date Published: August 23, 2021 https://www.thespectrum.com/story/news/2021/08/23/phishing-attack-exposes-information-12-000-patients-st-george/8214230002/ Excerpt: “A healthcare...