OSN August 3, 2021

Fortify Security Team
Aug 3, 2021
Title: Bypassing Authentication on Arcadyan Routers With CVE-2021-20090 and Rooting Some Buffalo

Date Published: August 3, 2021


Excerpt: “Shortly before the 90 day disclosure date for the vulnerabilities discussed in this blog, I was trying to determine the number of potentially affected devices visible online via Shodan and BinaryEdge. In my searches, I noticed a number of devices which presented similar web interfaces to those seen on the Buffalo devices. Too similar, in fact, as they appeared to use almost all the same strange methods for hiding the httokens in img tags, and javascript functions obfuscated in “enkripsi” strings.”

Title: This New Phishing Attack Is ‘Sneakier Than Usual’, Microsoft Warns

Date Published: August 2, 2021


Excerpt: “The phishing group is using Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to the phishing page and plenty of Microsoft branding. While convincing Microsoft logos are littered across the email, the main phishing URL relies on a Google storage resource that points the victim to the Google App Engine domain AppSpot – a place to host web applications.”

Title: Ghostemperor Operation Employs Unknown Malware to Target High-Profile Organizations

Date Published: August 3, 2021


Excerpt: “GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020.”

Title: RDP Brute Force Attacks Explained

Date Published: August 3, 2021


Excerpt: “RDP brute force attacks represent a serious, ongoing danger to Internet-connected Windows computers. However, there are a number of ways to protect yourself against them. As in all areas of computer security, defense in depth is the best approach, so aim to do as many things on this list as you reasonably can. Turn it off. The simplest way to protect yourself from RDP brute force attacks is to just turn off RDP permanently, if you don’t need it. Use a strong password. Brute force attacks exploit weak passwords so in theory a strong password is enough to keep attackers out. In practice, users often overestimate how strong their passwords are, and even technically strong passwords can be rendered useless if they are stolen or leaked. For those and other reasons it’s best to use at least one of the other methods in this list too.”

Title: Chinese Hackers Target Major Southeast Asian Telecom Companies

Date Published: August 3, 2021


Excerpt: “The goal of the attackers behind these intrusions was to gain and maintain continuous access to telecommunication providers and to facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers.”

Title: Escaping From a Truly Air Gapped Network via Apple AWDL

Date Published: August 3, 2021


Excerpt: “The AWDL network is well isolated by default so there is no easy path out from the network. However, because of the ICMPv6 Node Information Query we have more knowledge about the devices which are near to us. If you join the AWDL network all the common data shared is anonymized and based on generated random addresses. Devices won’t route your traffic anywhere and only link-local addresses are in use. There is not much to do except the designed functionalities.”

Title: Google Chrome to No Longer Show Secure Website Indicators

Date Published: August 2, 2021


Excerpt: “It appears to have worked: according to the ‘HTTPS encryption on the web’ section of Google’s Transparency Report, over 90% of all browser connections in Google Chrome currently use an HTTPS connection. Currently, when you visit a secure site, Google Chrome will display a little locked icon indicating that your communication with the site is encrypted, as shown below. As most website communication is now secure, Google is testing a new feature that removes the lock icon for secure sites. This feature is available to test in Chrome 93 Beta, and Chrome 94 Canary builds by enabling the ‘Omnibox Updated connection security indicators’ flag.”

Title: COVID-19 Vaccine Portal for Italy’s Lazio Region Hit With Cyberattack

Date Published: August 3, 2021


Excerpt: “He later told a press conference that the region was facing an attack “of a terrorist nature” and called it a criminal offensive that is “the most serious that has ever occurred” on Italian territory. “The attacks are still taking place. The situation is very serious,” he said, according to ANSA. A source told the news outlet that the cyberattackers gained access to the system using the profile of an administrator. Through the stolen profile, they were able to activate a “crypto-locker” malware that “encrypted the data on the system,” the sources said. CNN reported that local officials have received a ransom demand.”

Title: ‘PwnedPiper’: Devastating Bugs in >80% of Hospital Pneumatics

Date Published: August 2, 2021


Excerpt: “From there, they can gain access to the hospital’s internal networks and target the Translogic PTS systems, which are also connected to the hospital’s internal networks. After that, five of the PwnedPiper bugs can be used to achieve RCE. The attacker can continue by exploiting one of the bugs to compromise a Nexus station. An intruder could then harvest logins from the station, such as the RFID credentials of any staffer who uses the PTS system, details about the system and the layout of the PTS network.”

Title: 35 Million US Residents’ Personal Details Exposed on the Web: Report

Date Published: July 29, 2021


Excerpt: “A mysterious marketing database containing the personal details of an estimated 35 million people was exposed on the web without a password, Comparitech researchers report. The database included names, contact information, home addresses, ethnicities, and a wealth of demographic information ranging from hobbies and interests to shopping habits and media consumption. The sample of files viewed by Comparitech researchers indicated a majority of the records pertained to residents of Chicago, Los Angeles, and San Diego, and their surrounding areas.”
