OSN June 29, 2021

Fortify Security Team
Jun 29, 2021

Title: 700 Million LinkedIn Records For Sale on Hacker Forum, June 22nd 2021
Date Published: June 29, 2021


Excerpt: “The seller, “GOD User” TomLiner, stated they were in possession of the 700 million records on June 22 2021, and included a sample of 1 million records on RaidForums to prove their claims. Our researchers have viewed the sample and can confirm that the damning records include information such as full names, gender, email addresses, phone numbers, and industry information.”

Title: Attackers Breach Microsoft Customer Service Accounts
Date Published: June 28, 2021


Excerpt: “Microsoft officially announced the attacks after Reuters obtained an email sent to customers which explained that the threat group Nobelium stole customer-service-agent credentials to gain access and launch attacks against Microsoft customers. “The Microsoft Threat Intelligence Center is tracking new activity from the Nobelium threat actor,” the software giant said in a blog post. “Our investigation into the methods and tactics being used continues, but we have seen password-spray and brute-force attacks”.”
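The excerpt mentions password-spray and brute-force attacks without saying how the two are told apart in logs. The following is an added example, not code from the article or from Microsoft: a small classifier over constructed authentication events. The log line format (`<timestamp> auth result=... user=... src=...`), the thresholds and all IP addresses and user names are assumptions made for the example. A spray is one source touching many distinct accounts a few times each; a brute force is one source hammering one account; a success from the same source after either pattern is what turns the alert into an incident.

```python
"""Password-spray vs. brute-force classification over constructed auth log lines.

Assumed log format for this example: one event per line,
`<ISO8601 UTC> auth result=<success|failure> user=<name> src=<ip>`.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth "
    r"result=(?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a spray (one try per account, then a hit), a classic
# brute force against one account, and a user who simply mistyped twice.
SAMPLE_LOG = """\
2021-06-25T09:00:01Z auth result=failure user=alice src=203.0.113.7
2021-06-25T09:00:15Z auth result=failure user=bob src=203.0.113.7
2021-06-25T09:00:31Z auth result=failure user=carol src=203.0.113.7
2021-06-25T09:00:47Z auth result=failure user=dave src=203.0.113.7
2021-06-25T09:01:02Z auth result=failure user=erin src=203.0.113.7
2021-06-25T09:01:20Z auth result=success user=frank src=203.0.113.7
2021-06-25T09:02:00Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:02:05Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:02:10Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:02:15Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:02:20Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:02:25Z auth result=failure user=admin src=198.51.100.9
2021-06-25T09:05:00Z auth result=failure user=grace src=192.0.2.5
2021-06-25T09:05:10Z auth result=failure user=grace src=192.0.2.5
2021-06-25T09:05:20Z auth result=success user=grace src=192.0.2.5
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def classify_failures(failures, window, min_users, max_per_user, brute_threshold):
    """Slide a time window over one source's failures.

    spray:       many distinct users inside the window, each tried only a few times
    brute_force: one user tried at least brute_threshold times inside the window
    Returns (kind, sorted users in the triggering window) or None.
    """
    failures = sorted(failures, key=lambda e: e["ts"])
    start = 0
    for end in range(len(failures)):
        while failures[end]["ts"] - failures[start]["ts"] > window:
            start += 1
        counts = Counter(e["user"] for e in failures[start:end + 1])
        if len(counts) >= min_users and max(counts.values()) <= max_per_user:
            return "spray", sorted(counts)
        if max(counts.values()) >= brute_threshold:
            return "brute_force", sorted(counts)
    return None


def detect_auth_abuse(lines, window=timedelta(minutes=10), min_users=5,
                      max_per_user=2, brute_threshold=5):
    """Return {src: {"kind", "users", "later_success"}} for abusive sources."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    alerts = {}
    for src, events in by_src.items():
        failures = [e for e in events if e["result"] == "failure"]
        verdict = classify_failures(failures, window, min_users, max_per_user, brute_threshold)
        if verdict is None:
            continue
        kind, users = verdict
        first_failure = min(e["ts"] for e in failures)
        # A success from the same source after the attack began is the event
        # that turns a noisy alert into an incident worth paging on.
        later_success = sorted(
            e["user"] for e in events
            if e["result"] == "success" and e["ts"] >= first_failure
        )
        alerts[src] = {"kind": kind, "users": users, "later_success": later_success}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_auth_abuse(SAMPLE_LOG).items():
        print(src, alert)
```

The thresholds are deliberately parameters: a spray against a large tenant may touch hundreds of accounts once each over a day, so in practice the window is widened and `min_users` raised, while `max_per_user` stays small, since that is the property that separates spraying from brute forcing.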

Title: Microsoft Successfully Hit by a Dependency Hijacking Attack Again
Date Published: June 29, 2021


Excerpt: “”The DNS queries were coming from which is a Microsoft DNS server and after that, a POST request from 51.141.173[.]203 which is also an IP address from Microsoft (UK),” explains dos Santos in his blog post. The researcher states that accessing https://51.141.173[.]203 presented him with an SSL certificate listing Microsoft as the organization, with the Common Name (CN) field listing *.test.svc.halowaypoint[.]com. The domain halowaypoint.com represents the Halo video game series, published by Microsoft’s Xbox Game Studios. This further confirmed the researcher’s suspicions that a Microsoft server had been successfully hit by his dependency hijacking attack, and the researcher contacted Microsoft.”
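The excerpt shows the symptom (a callback from a Microsoft address) but not the mechanism: a client that merges a private registry with the public one and picks the highest version will happily install a public package that shares a private name. The following is an added example, not code from the researcher or from Microsoft; the package names, version numbers and registry snapshots are constructed for the illustration. It contrasts the naive resolution that dependency confusion abuses with a resolver that pins private names to the internal registry, and audits a manifest for names that are already hijacked or still unclaimed publicly.

```python
"""Dependency confusion: naive multi-registry resolution vs. a pinned resolver.

Registries are constructed in-memory snapshots (name -> list of versions).
Nothing on the page names the real package involved; the names are invented.
"""

# Constructed snapshot of a company's private registry.
INTERNAL_REGISTRY = {
    "corp-auth-client": ["1.4.0", "1.4.1"],
    "corp-build-tools": ["0.9.2"],
    "left-pad": ["1.3.0"],          # a public package mirrored internally
}

# Constructed snapshot of the public registry: "corp-auth-client" has been
# claimed by someone else with a deliberately huge version number.
PUBLIC_REGISTRY = {
    "corp-auth-client": ["99.0.0"],
    "left-pad": ["1.3.0"],
    "lodash": ["4.17.21"],
}

# Names the organisation owns and must never be fetched from the public side.
PRIVATE_NAMES = {"corp-auth-client", "corp-build-tools"}

MANIFEST = ["corp-auth-client", "corp-build-tools", "left-pad", "lodash"]


def parse_version(v):
    """'1.4.1' -> (1, 4, 1) so versions compare numerically, not as strings.
    Plain dotted numbers only; pre-release suffixes are out of scope here."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name, registries):
    """The client behaviour dependency confusion abuses: merge every configured
    registry and take the highest version regardless of origin.
    `registries` is an ordered list of (label, snapshot); on a version tie the
    earlier registry wins, which is the only thing registry order buys you."""
    candidates = [
        (parse_version(v), -index, label, v)
        for index, (label, snapshot) in enumerate(registries)
        for v in snapshot.get(name, [])
    ]
    if not candidates:
        raise LookupError(f"{name}: not found in any registry")
    _, _, label, version = max(candidates)
    return label, version


def resolve_pinned(name, private_names, internal, public):
    """Hardened behaviour: a private name is resolved from the internal registry
    only; everything else from the public registry only. The public copy of a
    private name can then never be selected, whatever its version."""
    label, snapshot = ("internal", internal) if name in private_names else ("public", public)
    versions = snapshot.get(name)
    if not versions:
        raise LookupError(f"{name}: not found in {label} registry")
    return label, max(versions, key=parse_version)


def audit_manifest(dependencies, private_names, internal, public):
    """For each private dependency report whether a naive client would already
    be hijacked, or whether the name is still unclaimed on the public registry
    (claim a placeholder before someone else does)."""
    registries = [("internal", internal), ("public", public)]
    findings = {}
    for name in dependencies:
        if name not in private_names:
            continue
        if name not in public:
            findings[name] = {"status": "unclaimed"}
            continue
        label, version = resolve_naive(name, registries)
        if label == "public":
            findings[name] = {
                "status": "hijacked",
                "public": version,
                "internal": max(internal[name], key=parse_version),
            }
    return findings


if __name__ == "__main__":
    regs = [("internal", INTERNAL_REGISTRY), ("public", PUBLIC_REGISTRY)]
    for dep in MANIFEST:
        print(dep, "naive ->", resolve_naive(dep, regs),
              "pinned ->", resolve_pinned(dep, PRIVATE_NAMES, INTERNAL_REGISTRY, PUBLIC_REGISTRY))
    print(audit_manifest(MANIFEST, PRIVATE_NAMES, INTERNAL_REGISTRY, PUBLIC_REGISTRY))
```

The pinned resolver is the behaviour that scoped names (`@org/pkg`) or a per-name registry mapping give you in real package managers; the audit is the check to run against every internal manifest, because the callback in the excerpt only fires after the wrong package has already been installed.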

Title: Microsoft Refining Third-Party Driver Vetting Processes After Signing Malicious Rootkit
Date Published: June 28, 2021


Excerpt: “In a Microsoft Security Response Center (MSRC) blog post Friday, Microsoft said it was investigating the incident, in which an unnamed entity submitted drivers for certification through the WHCP. Microsoft did not explicitly confirm that it had signed — and had therefore validated as trusted — at least one malicious driver. However, Microsoft said it had suspended the account of the party that had submitted the drivers and had reviewed other submissions of theirs for malware.”

Title: AEM CRX Bypass: The 0-Day That Took Control Over Some Enterprise AEM CRX Package Manager
Date Published: June 28, 2021


Excerpt: “Adobe Experience Manager (AEM) is a widely used content management solution for building digital customer experiences, like websites, mobile apps and forms. Comprehensive and easy to use, AEM has become the preferred Content Management System (CMS) for many high-profile enterprises. This bug allows attackers to bypass authentication and gain access to CRX Package Manager. Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations.”

Title: New Ransomware Variant Uses Golang Packer
Date Published: June 28, 2021


Excerpt: “What’s new about this ransomware variant is the use of a Golang packer to encrypt the C++ written payload. Although Golang-written malware and packers are not new, compiling it with the latest Golang (Go1.16) makes it challenging to debug for malware researchers. That’s because all necessary libraries are statically linked and included in the compiler binary and the function name recovery is difficult. The sample accepts different CLI arguments, suggesting it can limit the encryption to a specified path. After executing with the right key parameter (Command execution bin.exe -key “[REDACTED]”), it starts decrypting the payload that is reflectively loaded into memory. The payload is the actual ransomware written in C++.”

Title: REvil Ransomware’s New Linux Encryption Targets ESXi Virtual Machines
Date Published: June 28, 2021


Excerpt: “By targeting virtual machines this way, REvil can encrypt many servers at once with a single command. Wosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines. “The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” said Wosar. File hashes associated with the REvil Linux encryption have been collected by security researcher Jaime Blasco and shared on Alienvault’s Open Threat Exchange.”
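The excerpt explains why ESXi is attractive (one command reaches many servers) but not what a defender can watch for. The following is an added example, not code from the article, from Emsisoft or from the researchers named: a check over constructed ESXi `shell.log` lines that flags a session which enumerates VMs and then force-kills several of them in quick succession. The log line shape (`<timestamp> shell[<pid>]: [<user>]: <command>`), the `esxcli vm process list` / `esxcli vm process kill --type=force --world-id=<id>` sequence, the thresholds and the sample lines are assumptions; the page gives no detail of REvil's own command sequence, so this is a general ESXi check, not a signature for that family.

```python
"""Detect a burst of forced VM kills in constructed ESXi shell.log lines.

Assumptions for this example: shell.log records each interactive command as
`<ISO8601> shell[<pid>]: [<user>]: <command>` (the pid identifies a shell
session), and an encryptor enumerates VMs with `esxcli vm process list` then
force-kills them with `esxcli vm process kill --type=force --world-id=<id>`
so the disk files are no longer locked before encryption starts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
KILL_RE = re.compile(r"\besxcli vm process kill\b.*?--world-id[= ](?P<wid>\d+)")
LIST_RE = re.compile(r"\besxcli vm process list\b")

# Constructed sample: an admin stops one hung VM in the morning; later a
# different session enumerates every VM and force-kills four in six seconds.
SAMPLE_SHELL_LOG = """\
2021-06-28T08:12:03Z shell[20451]: [root]: esxcli vm process list
2021-06-28T08:12:40Z shell[20451]: [root]: esxcli vm process kill --type=soft --world-id=1001
2021-06-28T13:40:02Z shell[31877]: [root]: esxcli vm process list
2021-06-28T13:40:10Z shell[31877]: [root]: esxcli vm process kill --type=force --world-id=1001
2021-06-28T13:40:12Z shell[31877]: [root]: esxcli vm process kill --type=force --world-id=1002
2021-06-28T13:40:14Z shell[31877]: [root]: esxcli vm process kill --type=force --world-id=1003
2021-06-28T13:40:16Z shell[31877]: [root]: esxcli vm process kill --type=force --world-id=1004
2021-06-28T13:40:30Z shell[31877]: [root]: chmod +x /tmp/encrypt
""".splitlines()


def parse_shell_line(line):
    """Parse one shell.log line, or return None if it does not match."""
    m = SHELL_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "session": m["pid"], "user": m["user"], "cmd": m["cmd"]}


def find_mass_vm_kill(lines, window=timedelta(minutes=5), min_kills=3):
    """One alert per shell session whose VM kills cluster inside `window`.

    Each alert: {"user", "session", "start", "world_ids", "forced", "listed_first"}.
    """
    events = sorted(filter(None, map(parse_shell_line, lines)), key=lambda e: e["ts"])
    kills_by_session = defaultdict(list)
    for e in events:
        m = KILL_RE.search(e["cmd"])
        if m:
            kills_by_session[e["session"]].append((e["ts"], m["wid"], "--type=force" in e["cmd"]))

    alerts = []
    for session, kills in kills_by_session.items():
        start = 0
        for end in range(len(kills)):
            while kills[end][0] - kills[start][0] > window:
                start += 1
            if end - start + 1 < min_kills:
                continue
            # Threshold met: extend to the end of the cluster, then report it.
            while end + 1 < len(kills) and kills[end + 1][0] - kills[start][0] <= window:
                end += 1
            burst = kills[start:end + 1]
            first_ts = burst[0][0]
            # Did the same session enumerate VMs shortly before the burst?
            listed_first = any(
                e["session"] == session and LIST_RE.search(e["cmd"])
                and first_ts - window <= e["ts"] <= first_ts
                for e in events
            )
            alerts.append({
                "user": next(e["user"] for e in events if e["session"] == session),
                "session": session,
                "start": first_ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                "world_ids": [wid for _, wid, _ in burst],
                "forced": sum(1 for _, _, forced in burst if forced),
                "listed_first": listed_first,
            })
            break  # one alert per session is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_mass_vm_kill(SAMPLE_SHELL_LOG):
        print(alert)
```

Grouping by shell session rather than by user keeps a routine single kill hours earlier out of the alert, and `listed_first` plus the count of `--type=force` kills are the two fields that separate an operator restarting a stuck guest from a process that is clearing every VM out of the way.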

Title: Ransomware Gangs Now Creating Websites to Recruit Affiliates
Date Published: June 28, 2021


Excerpt: “To attract partners, LockBit claims to offer the fastest encryption and file-stealing (StealBit) tools “all over the world.” This move from LockBit comes after the actor in late May tried to get ransomware talks back on a popular Russian-speaking forum by proposing a private section only for “authoritative users, in whom there is no doubt.” While one user thought this to be a good idea, they also pointed out that the ransomware topic “is now better known than ISIS terrorists,” meaning that the forum would get unwanted attention.”

Title: Cobalt Strike: Favorite Tool from APT to Crimeware
Date Published: June 29, 2021


Excerpt: “When mapped to the MITRE ATT&CK framework, Proofpoint’s visibility into the attack chain focuses on Initial Access, Execution, and Persistence mechanisms. That is: How are threat actors attempting to compromise hosts and what payloads are they deploying first? Our corpus of threat actor data includes criminal and state-associated threat actor groups. Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020.”

Title: Windows 11 May Support Intel 7th Gen, AMD Zen 1 CPUs in the Future
Date Published: June 28, 2021


Excerpt: “”As we release to Windows Insiders and partner with our OEMs, we will test to identify devices running on Intel 7th generation and AMD Zen 1 that may meet our principles,” Microsoft said in a new blog post. Microsoft also acknowledged the confusion they caused with the updated hardware requirements, especially when it came to the now required TPM 2.0 requirement. “Based on the feedback so far, we acknowledge that it was not fully prepared to share the level of detail or accuracy you expected from us on why a Windows 10 PC doesn’t meet upgrade requirements,” said Microsoft.”
