OSN August 20, 2021

by | Aug 20, 2021 | Open Source News

Title: Researchers Find New Evidence Linking Diavol Ransomware to Trickbot Gang

Date Published: August 19, 2021

https://thehackernews.com/2021/08/researchers-find-new-evidence-linking.html

Excerpt: “Diavol’s links to TrickBot also boil down to the fact that HTTP headers used for command-and-control (C2) communication are set to prefer Russian language content, which matches the language used by the operators. A point of similarity between the two ransomware samples concerns the registration process, where the victim machine uses the identifier created in the previous step to register itself with a remote server. “This registration to the botnet is nearly identical in both samples analyzed,” IBM Security’s Charlotte Hammond and Chris Caridi said. “The primary difference is the registration URL changing from https://[server_address]/bots/register to https://[server_address]/BnpOnspQwtjCA/register”.”

Title: Nk-Linked Inkysquid Apt Leverages Ie Exploits in Recent Attacks

Date Published: August 19, 2021

https://securityaffairs.co/wordpress/121262/apt/inkysquid-apt-ie-exploirs.html

Excerpt: “The researchers discovered a suspicious code that was loaded via www.dailynk[.]com to malicious subdomains of jquery[.]services. Below some examples of URLs used to load malicious code: hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 hxxps://www.dailynk[.]com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2. The attackers modified the content of legitimate files used by the website and included the code to redirect users to load malicious JavaScript from the attacker-owned domain jquery[.]services. The attackers included the malicious code only for short periods of time making hard the detection of the attack. The threat actors leverage exploits for two Internet Explorer vulnerabilities, tracked as CVE-2020-1380 and CVE-2021-26411, that were respectively patched in August 2020 and March 2021.”

Title: Cars and Hospital Equipment Running Blackberry Qnx May Be Affected by Badalloc Vulnerability

Date Published: August 18, 2021

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/08/cars-and-hospital-equipment-running-blackberry-qnx-may-be-affected-by-badalloc-vulnerability/

Excerpt: “The FDA, in its warning that certain medical devices may be affected by BlackBerry QNX cybersecurity vulnerabilities, points to the CISA alert. CISA mentions CVE-2021-22156 which describes an integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.”

Title: Ohio Man Admits to Operating Illegal Bitcoin ‘Mixer’ Service

Date Published: August 19, 2021

https://www.bankinfosecurity.com/ohio-man-admits-to-operating-illegal-bitcoin-mixer-service-a-17334

Excerpt: “Helix functioned as a bitcoin mixer and “tumbler” for darknet users who wanted to hide the origins of their virtual currency, according to the Justice Department. Tumbling is the process of using a third-party service or technology to launder bitcoins, while mixing involves breaking the “connection between a bitcoin address sending coins and the addresses that they are sent to,” according to a 2016 blog post published by Will Gragido, a security researcher at Digital Shadows. In February 2020, the Justice Department unsealed a three-count indictment charging Harmon with money laundering conspiracy, operating an unlicensed money transmitting business and conducting money transmission without a license.”

Title: Ransomware: LockBit 2.0 Borrows Ryuk and Egregor’s Tricks

Date Published: August 20, 2021

https://www.bankinfosecurity.com/ransomware-lockbit-20-borrows-ryuk-egregors-tricks-a-17335

Excerpt: “Trend Micro says it’s been seeing a large number of LockBit 2.0 attacks against victims in Chile as well as Italy, Taiwan and the U.K. Those results are based on the firm’s own telemetry. Such a perspective varies by security firm, because it’s based on the firm’s own honeypots as well as any malware encountered by customers running its endpoint and server security software. LockBit is one of a number of operations that continue to exfiltrate data as part of a double extortion tactic designed to increase the pressure on victims to pay. Many attackers now claim to have stolen data – although thieves do have a propensity to lie – and use dedicated data leak sites to first try to name and shame victims who won’t pay, followed by leaking extracts of stolen data.”

Title: Citizen Lab Finds Apple’s China Censorship Process Bleeds Into Hong Kong and Taiwan

Date Published: August 19, 2021

https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/

Excerpt: “Historically, ransomware has been delivered via email attachments or, more recently, using direct network access obtained through things like unsecure VPN accounts or software vulnerabilities. Seeing an actor attempt to use basic social engineering techniques to convince an internal target to be complicit in an attack against their employer was notable. The tactic used by this actor, however, gave us an opportunity to better understand it. Since the actor invited a target to get in touch with him, we did just that. We constructed a fictitious persona and reached out to the actor on Telegram to see if we could get a response. It didn’t take long for a response to come back, and the resulting conversation gave us an incredible inside look at the mindset of this threat actor.”

Title: Mozi Iot Botnet Now Also Targets Netgear, Huawei, and Zte Network Gateways

Date Published: August 20, 2021

https://thehackernews.com/2021/08/mozi-iot-botnet-now-also-targets.html

Excerpt: “Now fresh research from Microsoft’s IoT security team has discovered that the malware “takes specific actions to increase its chances of survival upon reboot or any other attempt by other malware or responders to interfere with its operation,” including achieving persistence on targeted devices and blocking TCP ports (23, 2323, 7547, 35000, 50023, and 58000) that are used to gain remote access to the gateway. What’s more, Mozi has been upgraded to support new commands that enable the malware to hijack HTTP sessions and carry out DNS spoofing so as to redirect traffic to an attacker-controlled domain.”

Title: A Hacker Steals 600 Million From A Company … And The Victim Offers Him An Employment Contract After His Big Coup

Date Published: August 20, 2021

https://tehnologijaviews.medium.com/a-hacker-steals-600-million-from-a-company-and-the-victim-offers-him-an-employment-contract-2b659c6d708e

Excerpt: “However, the story gets even stranger. As announced by the Poly Network itself on its blog , the company explained that they have maintained direct daily contact with the hacker and that he has shown them his “concern” about “the security and deployment strategy of Poly Network.”
In addition to maintaining fluid communication with the person who robbed them, Poly Network has awarded a reward of $ 500,000 to the hacker for returning the money and for sharing the details of their modus operandi with the company.”

Title: Cisco Warns of Server Name Identification Data Exfiltration Flaw in Multiple Products

Date Published: August 20, 2021

https://securityaffairs.co/wordpress/121299/security/cisco-sni-data-exfiltration-flaw.html

Excerpt: “Cisco warns of a vulnerability in Server Name Identification (SNI) request filtering that affects multiple products (Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine) that could be exploited by an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised server. “A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host.” states the advisory published by Cisco.”

Title: False Payment Promises Lead To Microsoft Credential Phish

Date Published: August 19, 2021

https://cofense.com/blog/microsoft-credential-phish/

Excerpt: “Leveraging a legitimate business process makes the user more likely to act on it unless they’re paying keen attention to the details. Threat actors use these kinds of psychological, personalized funds-related tactics to send out attacks. Although this is one of the commonly-used tricks for phishing, it still works to lure the user. Should users enter their credentials, the campaign then redirects to Google’s home page. As mentioned in previous blogs, similar campaigns usually redirect the user to the legitimate Office[.]com webpage to construct a “genuine” experience. This may have been a mistake by the threat actor.”