OSN June 29, 2021

Fortify Security Team
Jun 29, 2021

Title: 700 Million LinkedIn Records For Sale on Hacker Forum, June 22nd 2021
Date Published: June 29, 2021

https://www.privacysharks.com/exclusive-700-million-linkedin-records-for-sale-on-hacker-forum-june-22nd-2021/

Excerpt: “The seller, “GOD User” TomLiner, stated they were in possession of the 700 million records on June 22 2021, and included a sample of 1 million records on RaidForums to prove their claims. Our researchers have viewed the sample and can confirm that the damning records include information such as full names, gender, email addresses, phone numbers, and industry information.”

Title: Attackers Breach Microsoft Customer Service Accounts
Date Published: June 28, 2021

https://threatpost.com/russian-attackers-breach-microsoft/167340/

Excerpt: “Microsoft officially announced the attacks after Reuters obtained an email sent to customers which explained that the threat group Nobelium stole customer-service-agent credentials to gain access and launch attacks against Microsoft customers. “The Microsoft Threat Intelligence Center is tracking new activity from the Nobelium threat actor,” the software giant said in a blog post. “Our investigation into the methods and tactics being used continues, but we have seen password-spray and brute-force attacks”.”

Title: Microsoft Successfully Hit by A Dependency Hijacking Attack Again
Date Published: June 29, 2021

https://www.bleepingcomputer.com/news/security/microsoft-successfully-hit-by-dependency-hijacking-again/

Excerpt: “”The DNS queries were coming from 13.66.137.90 which is a Microsoft DNS server and after that, a POST request from 51.141.173[.]203 which is also an IP address from Microsoft (UK),” explains dos Santos in his blog post. The researcher states that accessing https://51.141.173[.]203 presented him with an SSL certificate listing Microsoft as the organization, with the Common Name (CN) field listing *.test.svc.halowaypoint[.]com. The domain halowaypoint.com represents the Halo video game series, published by Microsoft’s Xbox Game Studios. This further confirmed the researcher’s suspicions that a Microsoft server had been successfully hit by his dependency hijacking attack, and the researcher contacted Microsoft.”

Title: Microsoft Refining Third-Party Driver Vetting Processes After Signing Malicious Rootkit
Date Published: June 28, 2021

https://www.darkreading.com/endpoint/microsoft-refining-third-party-driver-vetting-processes-after-signing-malicious-rootkit/d/d-id/1341420

Excerpt: “In a Microsoft Security Response Center (MSRC) blog post Friday, Microsoft said it was investigating the incident, in which an unnamed entity submitted drivers for certification through the WHCP. Microsoft did not explicitly confirm that it had signed — and had therefore validated as trusted — at least one malicious driver. However, Microsoft said it had suspended the account of the party that had submitted the drivers and had reviewed other submissions of theirs for malware.”

Title: Aem CRX Bypass: The 0-Day That Took Control Over Some Enterprise AEM CRX Package Manager
Date Published: June 28, 2021

https://labs.detectify.com/2021/06/28/aem-crx-bypass-0day-control-over-some-enterprise-aem-crx-package-manager/

Excerpt: “Adobe Experience Manager (AEM) is a widely used content management solution for building digital customer experiences, like websites, mobile apps and forms. Comprehensive and easy to use, AEM has become the preferred Content Management System (CMS) for many high-profile enterprises. This bug allows attackers to bypass authentication and gain access to CRX Package Manager. Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations.”

Title: New Ransomware Variant Uses Golang Packer
Date Published: June 28, 2021

https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/

Excerpt: “What’s new about this ransomware variant is the use of a Golang packer to encrypt the C++ written payload. Although Golang-written malware and packers are not new, compiling it with the latest Golang (Go1.16) makes it challenging to debug for malware researchers. That’s because all necessary libraries are statically linked and included in the compiler binary and the function name recovery is difficult. The sample accepts different CLI arguments, suggesting it can limit the encryption to a specified path. After executing with the right key parameter (Command execution bin.exe  -key “[REDACTED]”), it starts decrypting the payload that is reflectively loaded into memory. The payload is the actual ransomware written in C++.”

Title:  Revil Ransomware’s New Linux Encryption Targets ESXi Virtual Machines
Date Published: June 28, 2021

https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/

Excerpt: “By targeting virtual machines this way, REvil can encrypt many servers at once with a single command. Wosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines. “The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” said Wosar. File hashes associated with the REvil Linux encryption have been collected by security researcher Jaime Blasco and shared on Alienvault’s Open Threat Exchange.”

Title: Ransomware Gangs Now Creating Websites to Recruit Affiliates
Date Published: June 28, 2021

https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-creating-websites-to-recruit-affiliates/

Excerpt: “To attract partners, LockBit claims to offer the fastest encryption and file-stealing (StealBit) tools “all over the world.” This move from LockBit comes after the actor in late May tried to get ransomware talks back on a popular Russian-speaking forum by proposing a private section only for “authoritative users, in whom there is no doubt.” While one user thought this to be a good idea, they also pointed out that the ransomware topic “is now better known than ISIS terrorists,” meaning that the forum would get unwanted attention.”

Title: Cobalt Strike: Favorite Tool from APT to Crimeware
Date Published: June 29, 2021

https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware

Excerpt: “When mapped to the MITRE ATT&CK framework, Proofpoint’s visibility into the attack chain focuses on Initial Access, Execution, and Persistence mechanisms. That is: How are threat actors attempting to compromise hosts and what payloads are they deploying first? Our corpus of threat actor data includes criminal and state-associated threat actor groups. Based on our data, Proofpoint assesses with high confidence that Cobalt Strike is becoming increasingly popular among threat actors as an initial access payload, not just a second-stage tool threat actors use once access is achieved, with criminal threat actors making up the bulk of attributed Cobalt Strike campaigns in 2020.”

Title: Windows 11 May Support Intel 7th Gen, AMD Zen 1 CPUs in the Future
Date Published: June 28, 2021

https://www.bleepingcomputer.com/news/microsoft/windows-11-may-support-intel-7th-gen-amd-zen-1-cpus-in-the-future/

Excerpt: “”As we release to Windows Insiders and partner with our OEMs, we will test to identify devices running on Intel 7th generation and AMD Zen 1 that may meet our principles,” Microsoft said in a new blog post. Microsoft also acknowledged the confusion they caused with the updated hardware requirements, especially when it came to the now required TPM 2.0 requirement. “Based on the feedback so far, we acknowledge that it was not fully prepared to share the level of detail or accuracy you expected from us on why a Windows 10 PC doesn’t meet upgrade requirements,” said Microsoft.”

Recent Posts

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305) Date Published: August 30, 2021 https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 25, 2021

Title: Fake Opensea Support Staff Are Stealing Cryptowallets and NFTS Date Published: August 24, 2021 https://www.bleepingcomputer.com/news/security/fake-opensea-support-staff-are-stealing-cryptowallets-and-nfts/ Excerpt: “When an OpenSea user needs support, they can...

OSN August 24, 2021

Title: A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health Date Published: August 23, 2021 https://www.thespectrum.com/story/news/2021/08/23/phishing-attack-exposes-information-12-000-patients-st-george/8214230002/ Excerpt: “A healthcare...