OSN July 20, 2021

Fortify Security Team
Jul 20, 2021

Title: China Says Microsoft Hacking Accusations Fabricated by US and Allies
Date Published: July 20, 2021


Excerpt: “The US and other Western countries on Monday accused China of hacking Microsoft Exchange – a popular email platform used by companies worldwide. They said it was part of a broader pattern of “reckless” behavior that threatened global security. China says it opposes all forms of cyber-crime, and has called the claims “fabricated”. “The US has mustered its allies to carry out unreasonable criticisms against China on the issue of cybersecurity,” foreign ministry spokesman Zhao Lijian told reporters.”

Title: Chinese Gas Pipeline Intrusion Campaign, 2011 to 2013
Date Published: July 20, 2021


Excerpt: “CISA and the FBI provided incident response and remediation support to a number of victims of this activity. Overall, the U.S. Government identified and tracked 23 U.S. natural gas pipeline operators targeted from 2011 to 2013 in this spearphishing and intrusion campaign. Of the known targeted entities, 13 were confirmed compromises, 3 were near misses, and 8 had an unknown depth of intrusion. The U.S. Government has attributed this activity to Chinese state-sponsored actors. CISA and the FBI assess that these actors were specifically targeting U.S. pipeline infrastructure for the purpose of holding U.S. pipeline infrastructure at risk. Additionally, CISA and the FBI assess that this activity was ultimately intended to help China develop cyberattack capabilities against U.S. pipelines to physically damage pipelines or disrupt pipeline operations.”

Title: FBI: Threat Actors May Be Targeting the 2020 Tokyo Summer Olympics
Date Published: July 20, 2021


Excerpt: “Last year, the US Department of Justice charged six Russian Main Intelligence Directorate (GRU) intelligence operatives believed to be part of the Russian-backed hacking group known as Sandworm for hacking operations targeting the Pyeongchang Winter Olympics. Between December 2017 and February 2018, they coordinated spear-phishing campaigns and developed malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners, visitors, and International Olympic Committee (IOC) officials.”

Title: Microsoft Secured Court Order to Take Down Domains Used in BEC Campaign
Date Published: July 20, 2021


Excerpt: “‘In this instance, the criminals identified a legitimate email communication from the compromised account of an Office 365 customer referencing payment issues and asking for advice on processing payments. The criminals capitalized on this information and sent an impersonation email from a homoglyph domain using the same sender name and nearly identical domain. The only difference between the genuine communication and the imposter communication was a single letter changed in the mail exchange domain, done to escape notice of the recipient and deceive them into believing the email was a legitimate communication from a known trusted source,’ reads the post published by Microsoft.”

Title: TSA Pushes More Cybersecurity Mandates on Critical Pipeline Owners, Emphasizing Ransomware
Date Published: July 20, 2021


Excerpt: “‘This Security Directive requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review,’ a DHS statement reads. ‘The lives and livelihoods of the American people depend on our collective ability to protect our Nation’s critical infrastructure from evolving threats.’”

Title: Patients to be Notified of Unauthorized Access to a Single UNC School of Medicine Email Account
Date Published: July 19, 2021


Excerpt: “On May 20, 2021, SOM and UNC Hospitals learned that an unauthorized person may have gained access to a single SOM faculty member’s email account. This SOM faculty member provides clinical services at UNC Hospitals. SOM and UNC Hospitals secured the impacted email account, began an investigation, and a cyber security firm was engaged to assist in the investigation. The investigation confirmed that the unauthorized access was isolated and limited to April 20, 2021. SOM and UNC Hospitals have no indication that any other SOM or UNC Hospitals user email accounts or patient information systems were involved or accessed.”

Title: Debugging MosaicLoader, One Step at a Time
Date Published: July 20, 2021


Excerpt: “Bitdefender researchers have noticed a new malware strain spiking in our telemetry. What caught our attention were processes that add local exclusions in Windows Defender for specific file names (prun.exe, appsetup.exe, etc.), that all reside in the same folder, called \PublicGaming\. Further investigation revealed that this malware is a downloader that can deliver any payload to the infected system. We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.”

Title: A Bug in Fortinet FortiManager and FortiAnalyzer Allows Unauthenticated Hackers to Run Code as Root
Date Published: July 20, 2021


Excerpt: “An attacker could trigger the flaw by sending a specially crafted request to the “FGFM” port of a vulnerable device. The advisory states that FGFM is disabled by default on FortiAnalyzer and can be enabled only on specific hardware models, including 1000D, 1000E, 2000E, 3000D, 3000E, 3000F, 3500E, 3500F, 3700F, 3900E. The company also provides a workaround to address the issue; it consists of disabling FortiManager features on the FortiAnalyzer unit using the following command: config system global set fmg-status disable.”

Title: Our Database Has Never Been Hacked, Says IEBC
Date Published: July 18, 2021


Excerpt: “The suspect was identified as one Kiprop, a 21-year-old university student who, according to the Director of Criminal Investigation (DCI), hacked the database and fished out personal details of about 61,617 voters. Kiprop, who is suspected to be running a high-tech mobile phone scam syndicate, was arrested on Saturday in Juja in an operation led by investigators from the Crime Research and Intelligence Bureau, supported by Safaricom’s fraud investigations team and Jomo Kenyatta University of Agriculture and Technology security officers. In his possession was a bag containing SIM cards belonging to Safaricom, Airtel, and Telkom mobile phone service. He was also found with data containing names of registered voters, their ID numbers, and dates of birth.”

Title: Understanding PrintNightmare Vulnerability
Date Published: July 20, 2021


Excerpt: “According to that diagram, we can see that the client-server communication is done over RPC and the process that is responsible for handling such requests is spoolsv.exe. Under the hood, spoolsv.exe uses a DLL called Localspl.dll which is responsible for communicating with the kernel components and actually doing the work. When a client wants to add a new printer driver on a remote system it can use the function RpcAddPrinterDriverEx. The privilege that the client needs is SeLoadDriverPrivilege, which is enabled by default for the Administrators group. The vulnerable function allows the attacker to skip that privilege check and load any printer driver it desires without the required permissions, which leads to remote code execution with escalated privileges.”
