OSN July 22, 2021

Fortify Security Team
Jul 22, 2021

Title: Microsoft Issues Windows 10 Workaround Fix for ‘SeriousSAM’ Bug
Date Published: July 22, 2021


Excerpt: “For this reason, Microsoft is recommending sysadmins delete the backup copies of the VSS files. The OS maker does not offer a patch for the bug, but rather a simple workaround. Microsoft explains the two-step process as: “Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config” and “create a new System Restore point (if desired).” It also cautions that deleting VSS shadow copies “could impact restore operations, including the ability to restore data with third-party backup applications”.”
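A way to verify the first step of that workaround before and after applying it, added here as an example and not code from the article or from Microsoft: the script parses `icacls` output for the SAM, SYSTEM and SECURITY hive files and flags any allow ACE that gives BUILTIN\Users, Everyone, Authenticated Users or Interactive a read right. The icacls output embedded below is constructed to mirror what an affected build prints; the `icacls ... /inheritance:e` command in the comments is the one from Microsoft's published workaround, which the excerpt paraphrases as "restricting access to %windir%\system32\config". The live check only runs on Windows and only reads ACLs; it changes nothing.

```python
import os
import re
import subprocess

# Hive files under %windir%\system32\config whose ACLs the workaround tightens.
HIVES = ("SAM", "SYSTEM", "SECURITY")

# Principals that must not be able to read raw hive files (lower-cased for comparison).
LOW_PRIV = {
    r"builtin\users",
    "everyone",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}

# icacls permission tokens that imply read access: the simple rights F/M/RX/R and
# the specific-rights abbreviations RD (read data) and GR (generic read).
READ_TOKENS = {"F", "M", "RX", "R", "RD", "GR"}

# Step one of the published workaround, run from an elevated prompt:
#   icacls %windir%\system32\config\*.* /inheritance:e
# It makes the hive files inherit the directory ACL, which carries no entry for Users.


def unsafe_aces(icacls_output, hive_path):
    """Return [(principal, rights)] for every allow ACE in the output of
    `icacls hive_path` that grants a low-privilege principal a read right."""
    findings = []
    for raw in icacls_output.splitlines():
        line = raw.strip()
        # icacls prints the path in front of the first ACE only.
        if line.lower().startswith(hive_path.lower()):
            line = line[len(hive_path):].strip()
        if ":(" not in line:
            continue  # blank line or the "Successfully processed ..." summary
        principal, rights = line.rsplit(":", 1)
        tokens = {t for group in re.findall(r"\(([^)]*)\)", rights) for t in group.split(",")}
        if "DENY" in tokens:
            continue  # a deny ACE removes access; it is not an exposure
        if principal.strip().lower() in LOW_PRIV and tokens & READ_TOKENS:
            findings.append((principal.strip(), rights))
    return findings


# Constructed sample of what icacls prints on an affected build: BUILTIN\Users has (RX).
VULNERABLE_SAMPLE = r"""C:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample after the /inheritance:e command: no ACE for Users remains.
FIXED_SAMPLE = r"""C:\Windows\system32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def audit_live_hives(windir=None):
    """Windows only: run icacls on the real hive files and return {hive: findings}."""
    windir = windir or os.environ.get("SystemRoot", r"C:\Windows")
    report = {}
    for hive in HIVES:
        path = os.path.join(windir, "system32", "config", hive)
        out = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
        report[hive] = unsafe_aces(out, path)
    return report


if __name__ == "__main__":
    sam = r"C:\Windows\system32\config\SAM"
    print("vulnerable sample:", unsafe_aces(VULNERABLE_SAMPLE, sam))
    print("fixed sample:     ", unsafe_aces(FIXED_SAMPLE, sam))
    if os.name == "nt":
        for hive, hits in audit_live_hives().items():
            print(hive, "EXPOSED" if hits else "ok", hits)
```

The second step, deleting existing shadow copies (for example with `vssadmin delete shadows`), is deliberately left out of the script because of the restore-operation caveat quoted in the excerpt; decide that per machine once the ACL check is clean.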

Title: CISA Analyzed Stealthy Malware Found on Compromised Pulse Secure Devices
Date Published: July 22, 2021


Excerpt: “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a security alert related to the discovery of 13 malware samples on compromised Pulse Secure devices, many of which were undetected by antivirus products. Experts pointed out that only one of the malware samples analyzed by CISA was uploaded to VirusTotal, with a low detection rate. The agency published a malware analysis report (MAR) for each malicious code; the reports also include threat actor techniques, tactics, and procedures (TTPs) and indicators of compromise (IOCs) for the threat.”

Title: Pegasus Spyware Has Been Here for Years. We Must Stop Ignoring It
Date Published: July 22, 2021


Excerpt: “The spyware, called Pegasus and developed by the Israeli company NSO Group, is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human rights abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.”

Title: 1,000 Gb of Local Government Data Exposed by Massachusetts Software Company
Date Published: July 22, 2021


Excerpt: “Ata Hakçil and his team discovered more than 80 misconfigured Amazon S3 buckets holding data related to these municipalities. The data ranged from residential records like deeds and tax information to business licenses and job applications for government positions. Due to the sensitive nature of the documents, many of the forms included people’s email address, physical address, phone number, driver’s license number, real estate tax information, license photographs and photos of property.”

Title: Top Organizations on GitHub Vulnerable to Dependency Confusion Attacks
Date Published: July 21, 2021


Excerpt: “Out of the top 1000 organizations we scanned, 212 had at least one dependency confusion-related misconfiguration in their codebase. This is quite a serious concern because a major part of the open-source ecosystem depends on these giants and these repositories have a good number of users. Hence, if any of their projects get affected, there’s a high probability that millions of users will be at risk. To give you an idea of the impact, the projects that we found issues in had a total of over 124,937 stars on GitHub. GitHub stars represent ‘endorsement’ from users and while it may not be a unit of measuring downloads of a particular project, it still says a lot about their influence.”
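The excerpt gives the count of affected organizations but not what was checked. The check below is added here as an example and is not the scanning code behind the report; it covers the standard dependency-confusion condition for npm: a dependency that an install resolves from the public registry (unscoped, or scoped without an `@scope:registry=` pin to a private registry in `.npmrc`) and that is not published there, so anyone can claim the name and ship a higher version. The `package.json`, `.npmrc` and the `public_exists` lookup are constructed stand-ins; in practice `public_exists` would query the registry.

```python
import json
import re

PUBLIC_REGISTRY = "https://registry.npmjs.org"

# Dependency specs that npm resolves without consulting any registry.
NON_REGISTRY_PREFIXES = ("file:", "link:", "git+", "git:", "github:", "http:", "https:", "./", "../", "/")


def parse_npmrc_scopes(npmrc_text):
    """Return {"@scope": registry_url} from '@scope:registry=URL' lines in an .npmrc."""
    scopes = {}
    for line in npmrc_text.splitlines():
        m = re.match(r"^\s*(@[^:\s]+):registry\s*=\s*(\S+)", line)
        if m:
            scopes[m.group(1)] = m.group(2).rstrip("/")
    return scopes


def find_confusable(package_json_text, npmrc_text, public_exists):
    """Return dependency names that npm would resolve from the public registry
    but which are not published there, i.e. names an attacker could register.

    public_exists(name) -> bool stands in for a registry lookup (a GET of
    https://registry.npmjs.org/<name>); it is injected so the check runs offline."""
    manifest = json.loads(package_json_text)
    pinned = parse_npmrc_scopes(npmrc_text)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    confusable = []
    for name, spec in deps.items():
        if spec.startswith(NON_REGISTRY_PREFIXES):
            continue  # path, git or URL dependency: no registry resolution by name
        scope = name.split("/", 1)[0] if name.startswith("@") else None
        if scope and scope in pinned and pinned[scope] != PUBLIC_REGISTRY:
            continue  # scope routed to a private registry: the public name is never consulted
        if not public_exists(name):
            confusable.append(name)
    return confusable


# Constructed manifest and .npmrc (not taken from any real repository).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "express": "^4.17.1",
        "@acme/auth-client": "^2.0.0",
        "acme-internal-utils": "^1.3.0",
        "@partner/widgets": "^0.9.0",
        "local-lib": "file:../local-lib",
    },
    "devDependencies": {"eslint": "^7.30.0"},
})
SAMPLE_NPMRC = "@acme:registry=https://npm.acme.internal/\nalways-auth=true\n"

# Constructed stand-in for "is this name published on the public registry?"
PUBLIC_NAMES = {"express", "eslint"}


def demo():
    return find_confusable(SAMPLE_PACKAGE_JSON, SAMPLE_NPMRC, lambda n: n in PUBLIC_NAMES)


if __name__ == "__main__":
    for name in demo():
        print(f"{name}: resolved from the public registry but not published there")
```

Two caveats a practitioner will want: a private name that already exists publicly passes this check even though it may already have been squatted, so compare the public package's publisher and version against the private one; and a private registry that proxies misses to the public registry defeats the scope pin, in which case the fix is to claim the names publicly or disable the proxy fallback.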

Title: Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws
Date Published: July 22, 2021


Excerpt: “Oracle on Tuesday released its quarterly Critical Patch Update for July 2021 with 342 fixes spanning across multiple products, some of which could be exploited by a remote attacker to take control of an affected system. Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that’s remotely exploitable without authentication. It’s worth noting that the weakness was originally addressed as part of an out-of-band security update in June 2019.”

Title: Atlassian Asks Customers to Patch Critical Jira Vulnerability
Date Published: July 22, 2021


Excerpt: “The vulnerability stems from a missing authentication check or in other words unrestricted access to Ehcache RMI ports. Ehcache is a widely used open-source cache used by Java applications for enhancing performance and scalability. RMI refers to remote method invocation, a concept in Java similar to remote procedure calls (RPC) in OOP languages. RMI lets programmers invoke methods present in remote objects—such as those present within an application running on a shared network, right from their application as they would run a local method or procedure.”
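To find out whether an Ehcache RMI listener is reachable from a host that should not see it, the probe below performs only the Java RMI transport handshake (magic `JRMI`, protocol version 2, StreamProtocol) and checks for the `ProtocolAck` byte and the EndpointIdentifier that follows it. It is added here as an example and is not Atlassian's or Ehcache's code; the default port of 40001 is an assumption taken from Jira Data Center's Ehcache configuration, and the reply bytes in the comments are constructed.

```python
import socket
import struct
import sys

# Java RMI transport header: magic "JRMI", protocol version 2, StreamProtocol (0x4b).
RMI_HANDSHAKE = b"JRMI" + struct.pack(">H", 2) + b"\x4b"
PROTOCOL_ACK = 0x4E            # server accepted the protocol
PROTOCOL_NOT_SUPPORTED = 0x4F  # server declined it

# Assumed default Ehcache RMI listener port for a Jira Data Center node.
EHCACHE_RMI_PORT = 40001


def parse_ack(data):
    """Parse the server's first reply. Returns (host, port) from the EndpointIdentifier
    that follows a ProtocolAck (writeUTF host, writeInt port), or None otherwise.
    Constructed example: b"\\x4e\\x00\\x09127.0.0.1\\x00\\x00\\x9c\\x41" -> ("127.0.0.1", 40001)."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    (host_len,) = struct.unpack(">H", data[1:3])
    if len(data) < 3 + host_len + 4:
        return None  # truncated reply
    host = data[3:3 + host_len].decode("utf-8", errors="replace")
    (port,) = struct.unpack(">I", data[3 + host_len:7 + host_len])
    return host, port


def probe_rmi(host, port=EHCACHE_RMI_PORT, timeout=3.0):
    """Connect, send the RMI handshake and return the parsed ProtocolAck, or None
    if the port is closed, filtered, or answered by something other than an RMI transport."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(RMI_HANDSHAKE)
            return parse_ack(sock.recv(256))
    except OSError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe_rmi(target)
    if result:
        print(f"{target}:{EHCACHE_RMI_PORT} -> RMI transport reachable; server sees us as {result[0]}:{result[1]}")
    else:
        print(f"{target}:{EHCACHE_RMI_PORT} -> no RMI ProtocolAck")
```

A ProtocolAck shows only that an RMI transport answered; it does not by itself demonstrate the missing-authentication condition. If the acknowledgement comes back from outside the cluster, the port is exposed to hosts that have no business reaching it and should be restricted to cluster nodes at the network level while the patch is rolled out.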

Title: Thousands of Humana Customers Have Their Medical Data Leaked Online by Threat Actors
Date Published: July 22, 2021


Excerpt: “The leak comes more than four months after Humana, the third-largest health insurance company in the US, notified 65,000 of its health plan members about a security breach where “a subcontractor’s employee disclosed medical records to unauthorized individuals” between October 12, 2020, and December 16, 2020. In May, one of the patients affected by the breach filed a lawsuit against the company. On July 18, we reached out to Humana to verify that the data belonged to them, but they have not responded yet. One of the forum members who downloaded the database claims that the archive contains information from 2020, and not 2019, as suggested by the leaker. If the forum member’s claims are true, the leaked database might potentially be part of the 2020 breach.”

Title: 740 Ransomware Victims Named on Data Leak Sites in Q2 2021: Report
Date Published: July 22, 2021


Excerpt: “More than 350 US organizations were hit by ransomware in Q2 compared to 46 from France, 39 from the UK and 35 from Italy. The researchers behind the report questioned whether Q3 would see more attacks resembling the Kaseya ransomware attack, where REvil operators used a zero-day vulnerability to compromise more than 40 Managed Service Providers. “Ransomware operations will likely continue to operate brazenly into the third quarter of 2021, giving limited thought to who they are targeting and more to how much money they might make,” the researchers wrote.”

Title: HTA Files Distributed as Fake Chrome Patches for CVE-2021-30554
Date Published: July 22, 2021


Excerpt: “The email was received by one of our PDC customers with well-conditioned users who quickly report. It warns the user about a recently reported vulnerability in Google Chrome and a corresponding update for the employee to apply. A web browser like Chrome is a vital everyday tool for employees across several industries, so threat actors urge recipients to apply the update within 48 hours or functionality may cease (Figure 1). However, any seasoned Chrome user knows these updates are available directly within Chrome, and enterprise users know their IT department manages pushing out software updates.”
