OSN August 3, 2021

Fortify Security Team
Aug 3, 2021
Title: Bypassing Authentication on Arcadyan Routers With CVE-2021-20090 and Rooting Some Buffalo

Date Published: August 3, 2021

https://medium.com/tenable-techblog/bypassing-authentication-on-arcadyan-routers-with-cve-2021-20090-and-rooting-some-buffalo-ea1dd30980c2

Excerpt: “Shortly before the 90 day disclosure date for the vulnerabilities discussed in this blog, I was trying to determine the number of potentially affected devices visible online via Shodan and BinaryEdge. In my searches, I noticed that a number of devices which presented similar web interfaces to those seen on the Buffalo devices. Too similar, in fact, as they appeared to use almost all the same strange methods for hiding the httokens in img tags, and javascript functions obfuscated in “enkripsi” strings.”

Title: This New Phishing Attack Is ‘Sneakier Than Usual’, Microsoft Warns

Date Published: August 2, 2021

https://www.zdnet.com/article/microsoft-watch-out-for-this-sneakier-than-usual-phishing-attack/?&web_view=true

Excerpt: “The phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page and plenty of Microsoft branding. While convincing Microsoft logos are littered across the email, the main phishing URL relies on a Google storage resource that points the victim to the Google App Engine domain AppSpot – a place to host web applications.”

Title: Ghostemperor Operation Employs Unknown Malware to Target High-Profile Organizations

Date Published: August 3, 2021

https://heimdalsecurity.com/blog/ghostemperor-operation-employs-unknown-malware-to-target-high-profile-organizations/

Excerpt: “GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.”

Title: RDP Brute Force Attacks Explained

Date Published: August 3, 2021

https://blog.malwarebytes.com/explained/2021/08/rdp-brute-force-attacks-explained/

Excerpt: “RDP brute force attacks represent a serious, on-going danger to Internet-connected Windows computers. However, there are a number of ways to protect yourself against them. As in all areas of computer security, defense in depth is the best approach, so aim to do as many things on this list as you reasonably can. Turn it off. The simplest way to protect yourself from RDP brute force attacks is to just turn off RDP permanently, if you don’t need it. Use a strong password. Brute force attacks exploit weak passwords so in theory a strong password is enough to keep attackers out. In practice, users often overestimate how strong their passwords are, and even technically strong passwords can be rendered useless if they are stolen or leaked. For those and other reasons it’s best to use at least one of the other methods in this list too.”

Title: Chinese Hackers Target Major Southeast Asian Telecom Companies

Date Published: August 3, 2021

https://thehackernews.com/2021/08/chinese-hackers-target-major-southeast.html

Excerpt: “The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.”

Title: Escaping From a Truly Air Gapped Network via Apple AWDL

Date Published: August 3, 2021

https://medium.com/sensorfu/escaping-from-a-truly-air-gapped-network-via-apple-awdl-6cf6f9ea3499

Excerpt: “The AWDL network is well isolated by default so there is no easy path out from the network. However, because of the ICMPv6 Node Information Query we have more knowledge about the devices which are near to us. If you join the AWDL network all the common data shared is anonymized and based on generated random addresses. Devices won’t route your traffic anywhere and only link-local addresses are in use. There is not much to do except the designed functionalities.”

Title: Google Chrome to No Longer Show Secure Website Indicators

Date Published: August 2, 2021

https://www.bleepingcomputer.com/news/google/google-chrome-to-no-longer-show-secure-website-indicators/

Excerpt: “It has appeared to have worked as according to the ‘HTTPS encryption on the web’ of Google’s Transparency Report, over 90% of all browser connections in Google Chrome currently use an HTTPS connection. Currently, when you visit a secure site, Google Chrome will display a little locked icon indicating that your communication with the site is encrypted, as shown below. As most website communication is now secure, Google is testing a new feature that removes the lock icon for secure sites. This feature is available to test in Chrome 93 Beta, and Chrome 94 Canary builds by enabling the ‘Omnibox Updated connection security indicators’ flag.”

Title: COVID-19 Vaccine Portal for Italy’s Lazio Region Hit With Cyberattack

Date Published: August 3, 2021

https://www.zdnet.com/article/covid-19-vaccine-booking-website-for-italys-lazio-region-hit-with-cyberattack/

Excerpt: “He later told a press conference that the region was facing an attack “of a terrorist nature” and called it a criminal offensive that is “the most serious that has ever occurred” on Italian territory. “The attacks are still taking place. The situation is very serious,” he said, according to ANSA. A source told the news outlet that the cyberattackers gained access to the system using the profile of an administrator. Through the stolen profile, they were able to activate a “crypto-locker” malware that “encrypted the data on the system,” the sources said. CNN reported that local officials have received a ransom demand.”

Title: ‘PwnedPiper’: Devastating Bugs in >80% of Hospital Pneumatics

Date Published: August 2, 2021

https://threatpost.com/pwnedpiper-bugs-hospital-pneumatics/168277/

Excerpt: “From there, they can gain access to the hospital’s internal networks and target the Translogic PTS systems, which are also connected to the hospital’s internal networks. After that, five of the PipedPiper bugs can be used to achieve RCE. The attacker can continue by exploiting one of the bugs to compromise a Nexus station. An intruder could then harvest logins from the station, such as the RFID credentials of any staffer who uses the PTS system, details about the system and the layout of the PTS network.”

Title: 35 Million Us Residents’ Personal Details Exposed on the Web: Report

Date Published: July 29, 2021

https://www.comparitech.com/blog/information-security/35-million-us-residents-exposed/

Excerpt: “A mysterious marketing database containing the personal details of an estimated 35 million people was exposed on the web without a password, Comparitech researchers report. The database included names, contact information, home addresses, ethnicities, and a wealth of demographic information ranging from hobbies and interests to shopping habits and media consumption. The sample of files viewed by Comparitech researchers indicated a majority of the records pertained to residents of Chicago, Los Angeles, and San Diego, and their surrounding areas.”

Recent Posts

November 29, 2022

Title: Malicious Android App Found Powering Account Creation Service Date Published: November 28, 2022 https://www.bleepingcomputer.com/news/security/malicious-android-app-found-powering-account-creation-service/ Excerpt: “A fake Android SMS application, with 100,000...

November 28, 2022

Title: Ransomboggs Ransomware Hit Several Ukrainian Entities, Experts Attribute It to Russia Date Published: November 28, 2022 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html Excerpt: “Several Ukrainian...

November 23, 2022

Title: Microsoft Releases Out-Of-Band Update to Fix Kerberos Auth Issues Caused by a Patch for Cve-2022-37966 Date Published: November 23, 2022 https://securityaffairs.co/wordpress/138869/security/out-of-band-fix-kerberos-issues.html Excerpt: “Microsoft released an...

November 22, 2022

Title: Aurora Infostealer Malware Increasingly Adopted by Cybergangs Date Published: November 21, 2022 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/ Excerpt: “Cybercriminals are increasingly turning to a...

November 21, 2022

Title: New Ransomware Encrypts Files, Then Steals Your Discord Account Date Published: November 20, 2022 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/ Excerpt: “The new 'AXLocker' ransomware family is...

November 18, 2022

Title: Phishing Kit Impersonates Well-Known Brands to Target Us Shoppers Date Published: November 17, 2022 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/ Excerpt: “A sophisticated phishing kit has been...

November 17, 2022

Title: Iran-Linked Threat Actors Compromise US Federal Network Date Published: November 17, 2022 https://securityaffairs.co/wordpress/138639/apt/iran-compromises-us-federal-network.html Excerpt: “Iran-linked threat actors compromised a Federal Civilian Executive...