OSN July 21, 2021

Fortify Security Team
Jul 21, 2021

Title: Groundhog Day: Npm Package Caught Stealing Browser Passwords
Date Published: July 21, 2021

https://blog.secure.software/groundhog-day-npm-package-caught-stealing-browser-passwords

Excerpt: “It isn’t malicious by itself, but it can be when put into the malicious use context. For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line. This might sound very familiar, as one of our previous blog posts disclosed a similar password stealing PE executable found in another NPM package. It seems that true and tested techniques have a tendency to repeat themselves.”

Title: Sequoia: A Local Privilege Escalation Vulnerability in Linux’s File System Layer (CVE-2021-33909)
Date Published: July 20, 2021

https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909

Excerpt: “Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable. As soon as the Qualys research team confirmed the vulnerability, Qualys engaged in responsible vulnerability disclosure and coordinated with vendor and open-source distributions to announce the vulnerability.”

Title: Duckduckgo’s New Email Privacy Service Forwards Tracker-Free Messages
Date Published: July 20, 2021

https://www.bleepingcomputer.com/news/security/duckduckgos-new-email-privacy-service-forwards-tracker-free-messages/

Excerpt: “Reading your email should be a private activity. You may be surprised to learn that 70% of emails contain trackers that can detect when you’ve opened a message, where you were when you opened it, and what device you were using. If that isn’t creepy enough, this email data can be used to profile you, including to target you with ads, and influence the content you see online. Ever open an email and see a related ad about it soon thereafter? Yup, blame email trackers. This data about you is also usually sent directly to third parties, most likely without your consent.”

Title: Xloader Malware Steals Logins From Macos and Windows Systems
Date Published: July 21, 2021

https://www.bleepingcomputer.com/news/security/xloader-malware-steals-logins-from-macos-and-windows-systems/

Excerpt: “Derived from the Formbook info-stealer for Windows, XLoader emerged last February and has grown in popularity, advertised as a cross-platform (Windows and macOS) botnet with no dependencies. The connection between the two malware pieces was confirmed after a member of the community reverse-engineered XLoader and found that it had the same executable as Formbook. The advertiser explained that Formbook’s developer contributed a lot to creating XLoader, and the two malware had similar functionality (steal login credentials, capture screenshots, log keystrokes, and execute malicious files).”

Title: CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable
Date Published: July 20, 2021

https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/

Excerpt: “An exploitable kernel driver vulnerability can lead an unprivileged user to a SYSTEM account and run code in kernel mode (since the vulnerable driver is locally available to anyone). Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights. Weaponizing this vulnerability might require chaining other bugs as we didn’t find a way to weaponize it by itself given the time invested.”

Title: Summer of Sam – Incorrect Permissions on Windows 10/11 Hives
Date Published: July 19, 2021

https://www.businesswire.com/news/home/20210719005463/en/Patients-to-be-Notified-of-Unauthorized-Access-to-a-Single-UNC-School-of-Medicine-Email-Account

Excerpt: “As shown above, I have one VSS with the path of \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1. And due to incorrect permissions set on the SYSTEM and SAM hives, I can now simply try to copy these files from the VSS. While the built-in copy command will not work, there are other ways to do this – @gentilkiwi used Mimikatz (of course), and below is a simple C program compiled that literally takes one argument and copies the file to destination (thanks to my colleague @filip_dragovic for help):”

Title: China Dismisses Exchange Attribution and Accuses Us of Whitewashing Its Cyber Heists
Date Published: July 21, 2021

https://www.zdnet.com/article/china-dismisses-exchange-attribution-and-accuses-us-of-whitewashing-its-cyber-heists/

Excerpt: “The US ganged up with its allies to make groundless accusations out of thin air against China on the cybersecurity issue. This act confuses right with wrong and smears and suppresses China out of political purpose. China will never accept this,” he said. “China firmly opposes and combats all forms of cyber attacks. It will never encourage, support or condone cyber attacks. This position has been consistent and clear.” Naturally, this flies in the face of the attribution made on Monday that accused China of using “criminal contract hackers” for its cyber operations.”

Title: Some URL Shortener Services Distribute Android Malware, Including Banking or SMS Trojans
Date Published: July 20, 2021

https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/

Excerpt: “There are two scenarios for Android users that we observed during our research. In the first one, when the victim wants to download an Android application other than from Google Play, there is a request to enable browser notifications from that website, followed by a request to download an application called adBLOCK app.apk. This might create the illusion that this adBLOCK app will block displayed advertisements in the future, but the opposite is true. This app has nothing to do with legitimate adBLOCK application available from official source. When the user taps on the download button, the browser is redirected to a different website where the user is apparently offered an ad-blocking app named adBLOCK, but ends up downloading Android/FakeAdBlocker.”

Title: Over 80 Us Municipalities’ Sensitive Information, Including Resident’s Personal Data, Left Vulnerable in Massive Data Breach
Date Published: July 20, 2021

https://www.wizcase.com/blog/us-municipality-breach-report/

Excerpt: “Over 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. Our team reached out to the company and the buckets have since been secured. PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.”

Title: Adversaries Continue to Abuse Trust in the Supply Chain
Date Published: July 20, 2021

https://www.zdnet.com/article/adversaries-continue-to-abuse-trust-in-the-supply-chain/

Excerpt: “All the tools that organizations rely on — such as tax software, oil pipeline sensors, collaboration platforms, and even security agents — are built on top of the same vulnerable code, platforms, and software libraries that your vulnerability management team is screaming from the hills to patch or update immediately. Organizations need to both hold their supply chain partners, vendors, and others accountable for addressing the vulnerabilities in the software that they’ve built on top of this house of cards as well as understand the exposure they have by deploying said software within their environments.”

Recent Posts

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305) Date Published: August 30, 2021 https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/ Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...

OSN August 25, 2021

Title: Fake Opensea Support Staff Are Stealing Cryptowallets and NFTS Date Published: August 24, 2021 https://www.bleepingcomputer.com/news/security/fake-opensea-support-staff-are-stealing-cryptowallets-and-nfts/ Excerpt: “When an OpenSea user needs support, they can...

OSN August 24, 2021

Title: A Phishing Attack Exposes Medical Information for 12,000 Patients at Revere Health Date Published: August 23, 2021 https://www.thespectrum.com/story/news/2021/08/23/phishing-attack-exposes-information-12-000-patients-st-george/8214230002/ Excerpt: “A healthcare...