OSN July 20, 2021

Jul 20, 2021 | Open Source News

Title: China Says Microsoft Hacking Accusations Fabricated by US and Allies
Date Published: July 20, 2021

https://www.bbc.com/news/world-asia-china-57898147

Excerpt: “The US and other Western countries on Monday accused China of hacking Microsoft Exchange – a popular email platform used by companies worldwide. They said it was part of a broader pattern of “reckless” behavior that threatened global security. China says it opposes all forms of cyber-crime, and has called the claims “fabricated”. “The US has mustered its allies to carry out unreasonable criticisms against China on the issue of cybersecurity,” foreign ministry spokesman Zhao Lijian told reporters.”

Title: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
Date Published: July 20, 2021

https://us-cert.cisa.gov/ncas/alerts/aa21-201a

Excerpt: “CISA and the FBI provided incident response and remediation support to a number of victims of this activity. Overall, the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion. The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

Title: FBI: Threat Actors May Be Targeting the 2020 Tokyo Summer Olympics
Date Published: July 20, 2021

https://www.bleepingcomputer.com/news/security/fbi-threat-actors-may-be-targeting-the-2020-tokyo-summer-olympics/

Excerpt: “Last year, the US Department of Justice charged six Russian Main Intelligence Directorate (GRU) intelligence operatives believed to be part of the Russian-backed hacking group known as Sandworm for hacking operations targeting the Pyeongchang Winter Olympics. Between December 2017 and February 2018, they coordinated spear-phishing campaigns and developed malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, visitors, and International Olympic Committee (IOC) officials.”

Title: Microsoft Secured Court Order to Take Down Domains Used in BEC Campaign
Date Published: July 20, 2021

https://securityaffairs.co/wordpress/120334/cyber-crime/microsoft-bec-campaign.html

Excerpt: “‘In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments. The criminals capitalized on this information and sent an impersonation email from a homoglyph domain using the same sender name and nearly identical domain. The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape notice of the recipient and deceive them into believing the email was a legitimate communication from a known trusted source,’ reads the post published by Microsoft.”
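The "single letter changed" lookalike domain described above is cheap to catch on the receiving side. The following is an added example (not Microsoft's code or anything from the Security Affairs post): it folds visually confusable sequences ("rn" for "m", "0" for "o") to a canonical form and also measures one-character edit distance against a trusted-domain list. The trusted domains and the From: headers are constructed for illustration; in practice the list would come from your own partner directory.

```python
"""Flag sender domains that are one edit or one homoglyph swap away from a trusted domain.

Added example, not code from Microsoft or from the Security Affairs post. The trusted-domain
list and the sample From: headers below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Assumption: the organisation's known partner domains, as it would maintain them itself.
TRUSTED_DOMAINS = {"contoso.com", "fabrikam.com"}

# Confusable sequences folded to a canonical form so that "contoso.corn" and "contoso.com",
# or "c0ntoso" and "contoso", compare equal. Illustrative, not exhaustive.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def fold_homoglyphs(domain: str) -> str:
    """Replace each confusable sequence with its canonical counterpart."""
    folded = domain.lower()
    for confusable, canonical in HOMOGLYPH_FOLDS:
        folded = folded.replace(confusable, canonical)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, keeping one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(from_header: str) -> Optional[str]:
    """Pull the domain out of a From: header value such as 'Alice <alice@contoso.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return match.group(1).lower().rstrip(".") if match else None


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike-of:<domain>', 'unknown' or 'no-domain'."""
    domain = extract_domain(from_header)
    if domain is None:
        return "no-domain"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in sorted(TRUSTED_DOMAINS):
        # A one-character typo (c0ntoso.com) or a confusable swap that changes
        # the length (contoso.corn) both count as impersonation.
        if edit_distance(domain, trusted) == 1 or fold_homoglyphs(domain) == fold_homoglyphs(trusted):
            return f"lookalike-of:{trusted}"
    return "unknown"


def flag_lookalikes(from_headers: List[str]) -> List[Tuple[str, str]]:
    """Return (header, verdict) only for headers whose domain impersonates a trusted one."""
    flagged = []
    for header in from_headers:
        verdict = classify_sender(header)
        if verdict.startswith("lookalike-of:"):
            flagged.append((header, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    sample_headers = [
        "Alice Bosch <alice.bosch@contoso.com>",
        "Alice Bosch <alice.bosch@c0ntoso.com>",
        "Alice Bosch <alice.bosch@contoso.corn>",
        "Bob <bob@example.org>",
    ]
    for header, verdict in flag_lookalikes(sample_headers):
        print(f"{verdict:28} {header}")
```

The edit-distance rule deliberately over-matches (a genuine partner moving from `.com` to `.co` would also trip it); a mail gateway would route such hits to quarantine or a banner rather than reject them outright.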

Title: TSA Pushes More Cybersecurity Mandates on Critical Pipeline Owners, Emphasizing Ransomware
Date Published: July 20, 2021

https://www.cyberscoop.com/tsa-pipeline-ransomware-directive/

Excerpt: “This Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review,” a DHS statement reads. “The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats.”

Title: Patients to be Notified of Unauthorized Access to a Single UNC School of Medicine Email Account
Date Published: July 19, 2021

https://www.businesswire.com/news/home/20210719005463/en/Patients-to-be-Notified-of-Unauthorized-Access-to-a-Single-UNC-School-of-Medicine-Email-Account

Excerpt: “On May 20, 2021, SOM and UNC Hospitals learned that an unauthorized person may have gained access to a single SOM faculty member’s email account. This SOM faculty member provides clinical services at UNC Hospitals. SOM and UNC Hospitals secured the impacted email account, began an investigation, and a cyber security firm was engaged to assist in the investigation. The investigation confirmed that the unauthorized access was isolated and limited to April 20, 2021. SOM and UNC Hospitals have no indication that any other SOM or UNC Hospitals user email accounts or patient information systems were involved or accessed.”

Title: Debugging MosaicLoader, One Step at a Time
Date Published: July 20, 2021

https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf

Excerpt: “Bitdefender researchers have noticed a new malware strain spiking in our telemetry. What caught our attention were processes that add local exclusions in Windows Defender for specific file names (prun.exe, appsetup.exe, etc.), that all reside in the same folder, called \PublicGaming\. Further investigation revealed that this malware is a downloader that can deliver any payload to the infected system. We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.”
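Defender records every exclusion change as a configuration-change event, which makes the behaviour Bitdefender describes a good hunting signal on its own. The block below is an added example (not Bitdefender's code): it parses constructed messages modelled on Microsoft-Windows-Windows Defender/Operational Event ID 5007 entries, keeps only additions (removals show the key under "Old value:" with an empty "New value:"), and ranks each by whether it hits the names from the report, targets a user-writable location, or excludes a process. The exact message layout is an assumption; check it against your own logs before deploying the regex.

```python
"""Hunt Windows Defender configuration-change events for newly added exclusions.

Added example, not code from the Bitdefender report. The event messages below are
constructed to approximate Microsoft-Windows-Windows Defender/Operational Event ID 5007
("configuration has changed") entries; verify the exact layout against your own logs.
"""
import re
from typing import List, Optional, Tuple

# Exclusion keys as Defender records them under HKLM. Kinds: Paths, Processes, Extensions.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0"
)

# Names the Bitdefender report associates with MosaicLoader's exclusions.
WATCHLIST = ("publicgaming", "prun.exe", "appsetup.exe")

# Locations where any exclusion deserves a second look because unprivileged code can write there.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_exclusion_add(event_id: int, message: str) -> Optional[Tuple[str, str]]:
    """Return (kind, target) when the event records a new exclusion, else None.

    Removals carry the key under 'Old value:' with an empty 'New value:', so they do not match.
    """
    if event_id != 5007:
        return None
    match = EXCLUSION_RE.search(message)
    return (match.group(1), match.group(2)) if match else None


def severity(kind: str, target: str) -> str:
    """Rank an exclusion: watchlist hit > process exclusion or user-writable location > other."""
    lowered = target.lower()
    if any(token in lowered for token in WATCHLIST):
        return "high"
    if kind == "Processes" or any(hint in lowered for hint in USER_WRITABLE_HINTS):
        return "medium"
    return "low"


def hunt(events: List[Tuple[int, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, kind, target) for every exclusion added in the event stream."""
    findings = []
    for event_id, message in events:
        parsed = parse_exclusion_add(event_id, message)
        if parsed:
            kind, target = parsed
            findings.append((severity(kind, target), kind, target))
    return findings


# Constructed sample events as (event_id, message); the folder and IP are illustrative.
PREFIX = ("Windows Defender Antivirus Configuration has changed. If this is an unexpected event "
          "you should review the settings as this may be the result of malware. ")
KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
SAMPLE_EVENTS = [
    (5007, PREFIX + r"Old value:  New value: " + KEY + r"\Paths\C:\Program Files\PublicGaming\prun.exe = 0x0"),
    (5007, PREFIX + r"Old value:  New value: " + KEY + r"\Paths\C:\Program Files\PublicGaming\appsetup.exe = 0x0"),
    (5007, PREFIX + r"Old value:  New value: " + KEY + r"\Processes\C:\Users\dev\AppData\Local\tool.exe = 0x0"),
    (5007, PREFIX + r"Old value:  New value: " + KEY + r"\Paths\D:\Build\Artifacts = 0x0"),
    (5007, PREFIX + r"Old value: " + KEY + r"\Paths\D:\Build\Artifacts = 0x0 New value: "),  # removal, ignored
    (1116, "Windows Defender Antivirus has detected malware or other potentially unwanted software."),
]

if __name__ == "__main__":
    for sev, kind, target in hunt(SAMPLE_EVENTS):
        print(f"{sev:6} {kind:9} {target}")
```

Tiering by location matters more than the watchlist: the names in the report will change with the next build of the loader, but a process exclusion pointing into a user's profile is suspicious regardless of what it is called.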

Title: A Bug in Fortinet Fortimanager and Fortianalyzer Allows Unauthenticated Hackers to Run Code as Root
Date Published: July 20, 2021

https://securityaffairs.co/wordpress/120350/security/fortinet-fortimanager-fortianalyzer-bug.html

Excerpt: “An attacker could trigger the flaw by sending a specially crafted request to the “FGFM” port of a vulnerable device. The advisory states that FGFM is disabled by default on FortiAnalyzer and can be enabled only on specific hardware models, including 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. The company also provides a workaround to address the issue; it consists of disabling FortiManager features on the FortiAnalyzer unit using the following command: config system global set fmg-status disable.”

Title: Our Database Has Never Been Hacked, Says IEBC
Date Published: July 18, 2021

https://techtrendske.co.ke/our-database-has-never-been-hacked-says-iebc/

Excerpt: “The suspect was identified as one Kiprop, a 21-year university student who according to the Director of Criminal Investigation (DCI), hacked the database and fished out personal details of about 61,617 voters. Kiprop, who is suspected to be running a high-tech mobile phone scam syndicate, was arrested on Saturday in Juja in an operation led by investigators from the Crime Research and Intelligence Bureau, supported by Safaricom’s fraud investigations team and Jomo Kenyatta University of Agriculture and Technology security officers. In his possession was a bag containing SIM cards belonging to Safaricom, Airtel, and Telkom mobile phone service. He was also found with data containing names of registered voters, their ID numbers, and dates of birth.”

Title: Understanding PrintNightmare Vulnerability
Date Published: July 20, 2021

https://hidocohen.medium.com/understanding-printnightmare-vulnerability-cf4f1e0e506c

Excerpt: “According to that diagram, we can see that the client-server communication is done over RPC and the process that is responsible for handling such requests is spoolsv.exe. Under the hood, spoolsv.exe uses a DLL called Localspl.dll which is responsible for communicating with the kernel components and actually doing the work. When a client wants to add a new printer driver on a remote system it can use the function RpcAddPrinterDriverEx. The privilege that the client needs is SeLoadDriverPrivilege which is enabled by default to the Administrators group. The vulnerable function allows the attacker to skip that privilege check and load any printer driver it desires without the required permissions, which leads to remote code execution with escalated privileges.”
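Because the bypass ends with a driver package being installed through the spooler, the install itself is the artefact to hunt for: the print service logs every driver add with the files it shipped. The block below is an added example (not the Medium post's code) that parses constructed messages modelled on Microsoft-Windows-PrintService/Operational Event ID 316 ("Printer driver ... was added or updated. Files:- ...") and flags any driver whose file list contains a name outside a baseline or a file pulled from a UNC path. The message layout and the baseline set are assumptions for illustration; a real baseline would be collected from your own known-good fleet.

```python
"""Hunt PrintService Event ID 316 (printer driver added or updated) for suspicious driver files.

Added example, not code from the Medium post. The event messages below are constructed to
approximate Microsoft-Windows-PrintService/Operational Event ID 316 text, and the baseline
is illustrative; build the real one from drivers legitimately installed on your hosts.
"""
import re
from typing import List, Optional, Tuple

DRIVER_ADD_RE = re.compile(
    r"Printer driver (?P<driver>.+?) for Windows (?P<arch>\S+) Version-(?P<ver>\d+) "
    r"was added or updated\. Files:-\s*(?P<files>.*?)\.\s*No user action"
)

# Assumption: file names observed in the baseline of legitimately installed drivers.
BASELINE_FILES = {
    "unidrv.dll", "unidrvui.dll", "unires.dll", "printconfig.dll",
    "mxdwdrv.dll", "pscript5.dll", "ps5ui.dll",
}


def parse_driver_add(event_id: int, message: str) -> Optional[Tuple[str, List[str]]]:
    """Return (driver name, [files]) for a 316 event, else None."""
    if event_id != 316:
        return None
    match = DRIVER_ADD_RE.search(message)
    if not match:
        return None
    files = [f.strip() for f in match.group("files").split(",") if f.strip()]
    return match.group("driver"), files


def suspicious_files(files: List[str]) -> List[Tuple[str, str]]:
    """Return (file, reasons) for files fetched over UNC, given as absolute paths, or outside the baseline."""
    flagged = []
    for path in files:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if path.startswith("\\\\"):
            reasons.append("UNC path")       # driver files pulled from a remote share
        elif "\\" in path:
            reasons.append("absolute path")  # package not staged through the normal driver store
        if name not in BASELINE_FILES:
            reasons.append("not in baseline")
        if reasons:
            flagged.append((path, ", ".join(reasons)))
    return flagged


def hunt(events: List[Tuple[int, str]]) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return (driver name, flagged files) for every driver add that carries a suspicious file."""
    findings = []
    for event_id, message in events:
        parsed = parse_driver_add(event_id, message)
        if parsed:
            driver, files = parsed
            flagged = suspicious_files(files)
            if flagged:
                findings.append((driver, flagged))
    return findings


# Constructed sample events as (event_id, message); the share address is illustrative.
SAMPLE_EVENTS = [
    (316, "Printer driver Microsoft Print To PDF for Windows x64 Version-3 was added or updated. "
          "Files:- PrintConfig.dll, mxdwdrv.dll. No user action is required."),
    (316, "Printer driver Generic / Text Only for Windows x64 Version-3 was added or updated. "
          "Files:- UNIDRV.DLL, unires.dll, unidrvui.dll. No user action is required."),
    (316, r"Printer driver 1234 for Windows x64 Version-3 was added or updated. "
          r"Files:- UNIDRV.DLL, kernelbase.dll, \\10.0.0.5\share\evil.dll. No user action is required."),
]

if __name__ == "__main__":
    for driver, flagged in hunt(SAMPLE_EVENTS):
        print(f"driver {driver!r}:")
        for path, reasons in flagged:
            print(f"  {path}  [{reasons}]")
```

A baseline miss on its own is noisy (every new vendor driver will trip it once), so the UNC and absolute-path reasons are the ones worth alerting on immediately; the name-based miss is better suited to a weekly review that grows the baseline.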