OSN August 30, 2021

Fortify Security Team
Aug 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)

Date Published: August 30, 2021

https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/

Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial of service (DDoS) attacks and that it shares some of its code with the Mirai botnet family. To reduce the size of the executable files, each one is compressed with a modified version of the popular open-source packer, UPX. Because the packer is modified, it is less likely for reverse engineering tools to succeed in automatically unpacking the executable files, requiring more manual effort for analysis. Additionally, the malware achieves portability by statically linking all of its dependencies and making system calls directly inside the code.”

Title: DirtyMoe Botnet Is Back and It Has Surprises

Date Published: August 30, 2021

https://decoded.avast.io/martinchlumecky/dirtymoe-1/#ref

Excerpt: “DirtyMoe’s self-defense and hiding techniques can be found at local and network malware layers. The core of the DirtyMoe is the service that is protected by VMProtect. It extracts a Windows driver that utilizes various rootkit capabilities such as service, registry entry, and driver hiding. Additionally, the driver can hide selected files on the system volume and can inject an arbitrary DLL into each newly created process in the system. The network communication with a mother server is not hard-coded and is not invoked directly. DirtyMoe makes a DNS request to one hard-coded domain using a set of hardcoded DNS servers. However,  the final IP address and port are derived using another sequence of DNS requests. So, blocking one final IP address does not neutralize the malware, and we also cannot block DNS requests to DNS servers such as Google, Cloudflare, etc.”

Title: SideWalk Modular Backdoor Discovered in Newly Launched APT Campaigns

Date Published: August 30, 2021

https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/

Excerpt: “A new modular backdoor called SideWalk was recently discovered as part of new malicious campaigns launched by an APT group dubbed as SparklingGoblin. An advanced persistent threat can be deployed by cyber-criminals that have a high level of expertise and important resources to infiltrate a network. These malicious actors usually use this type of attack in order to target large organizations in an attempt to retrieve economic or financial information, and in some cases, they might try to use this form of attack in order to stop or block a company’s program or agenda. The SparklingGoblin APT was first seen back in May 2020 when cybersecurity researchers were tracking some attacks on Hong Kong universities by another group that used CrossWalk backdoor in 2019.”

Title: Microsoft Notifies About an Ongoing Open Redirects Phishing Campaign

Date Published: August 30, 2021

https://heimdalsecurity.com/blog/ongoing-open-redirects-phishing-campaign-announced-by-microsoft/

Excerpt: “Microsoft has warned about this delivery method in April, when cybercriminals used it to deliver IcedID malware. The recent campaigns are similar, only the payload and the lure have changed. Website developer and designer Brian Johnson posted last week about two of his clients getting legal notifications about their websites being hacked to run DDoS attacks against a major company (Intuit, Hubspot). The sender threatened with legal action unless the recipients didn’t “immediately clean” their website of the malicious files that helped deploy the DDoS attack. “I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” reads the fake notification.”

Title: Bangkok Airways Apologizes for Passport Info Breach as Lockbit Ransomware Group Threatens Data Leak

Date Published: August 30, 2021

https://www.zdnet.com/article/bangkok-airways-apologizes-for-passport-info-breach-as-lockbit-ransomware-group-threatens-release-of-more-data/

Excerpt: “Bangkok Airways did not respond to requests for comment from ZDNet about how many customers were involved in the breach or what timeframe the data came from, but in its statement the company said an investigation revealed that the names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information for passengers of the airline had been accessed. The company said it is still conducting an investigation into the attack and is working on strengthening its IT system as it identifies potential victims.”

Title: T-Mobile Hacker Used Brute Force Attack to Steal Customers’ Data

Date Published: August 29, 2021

https://www.hackread.com/t-mobile-hacker-brute-force-customers-data/

Excerpt: “Earlier this month, T-Mobile suffered a data breach in which a hacker claimed to steal the personal data of 100 million customers. Although the company acknowledged the breach yet claimed that the incident affected 40 million customers. Now, T-Mobile has revealed additional information on how the hacker successfully targeted the telecom giant and stole data that was supposed to be guarded by top-notch security practices. The CEO of T-Mobile Mike Sievert apologized to the customers for the data breach and reassured them that the carrier is taking steps to make their servers secure to avoid such attacks in the future.”

Title: Fake DMCA Complaints, DDoS Threats Lead to Bazaloader Malware

Date Published: August 27, 2021

https://www.bleepingcomputer.com/news/security/fake-dmca-complaints-ddos-threats-lead-to-bazaloader-malware/

Excerpt: “The goal is the same though: use contact forms to deliver BazaLoader malware that often drops Cobalt Strike, which can lead to data theft or a ransomware attack. Microsoft has warned about this delivery method in April, when cybercriminals used it to deliver IcedID malware. The recent campaigns are similar, only the payload and the lure have changed. Website developer and designer Brian Johnson posted last week about two of his clients getting legal notifications about their websites being hacked to run DDoS attacks against a major company (Intuit, Hubspot).”

Title: Microsoft Azure Customers Warned of Critical Bug Found in Cosmos DB

Date Published: August 30, 2021

https://heimdalsecurity.com/blog/microsoft-azure-customers-warned-of-critical-bug-found-in-cosmos-db/

Excerpt: “This month, cybersecurity researchers at the cloud security company Wiz have noticed they could have obtained access to the primary read-write key for most users of the Cosmos DB database system, which allowed them to steal, modify, or get rid of millions of databases. Following the Wiz warning on 12 August 2021, Microsoft has immediately disabled the vulnerable feature, informed more than 30% of the potentially impacted individuals, and urged them to change their keys.”

Title: An RCE in Annke Video Surveillance Product Allows Hacking the Device

Date Published: August 30, 2021

https://securityaffairs.co/wordpress/121538/hacking/annke-video-surveillance-product-rce.html

Excerpt: “The flaw is a stack-based buffer overflow that affects the web service of the Annke N48PBB network video recorder (NVR), an attacker can trigger it to remotely execute arbitrary code and access sensitive information. The issue can allow an attacker to access recorded videos, delete footage, change configurations, and shut down certain cameras. Nozomi researchers noticed that the web interface of the device allows enablement of a SSH service on the device, which provides access to a restricted number of commands. The experts performed reverse engineering of the firmware to fully unrestricted SSH access. Experts first extracted the firmware of a device by physically attaching to the device’s onboard memory, then modified it to disable all SSH restrictions and add several debugging tools. At the end of the process, the firmware was rewritten to the device’s memory.”

Title: T-Mobile Ceo Apologizes for Massive Hack, Announces Cybersecurity Deal With Mandiant

Date Published: August 26, 2021

https://www.zdnet.com/article/t-mobile-ceo-apologizes-for-massive-hack-announces-cybersecurity-deal-with-mandiant/

Excerpt: “He also implied that the leak of social security numbers, driver’s licenses and ID information was “like so many breaches before,” but admitted that the company had failed to keep their customers’ data safe. “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them,” Sievert said. “We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry”.”

Recent Posts

OSN November 2, 2021

Title: Possible Cyber Attack Hits ‘Brain’ of N.L. Health-care System, Delaying Thousands of Appointments Date Published: November 1, 2021 cbc.ca/news/canada/newfoundland-labrador/health-services-it-outage-update-nov-1-1.6232426 Excerpt: "A cyberattack appears to be...

OSN November 1, 2021

Title: New 'Trojan Source' Technique Lets Hackers Hide Vulnerabilities in Source Code Date Published: November 1, 2021 https://thehackernews.com/2021/11/new-trojan-source-technique-lets.html Excerpt: "A novel class of vulnerabilities could be leveraged by threat...

OSN October 29, 2021

Title: Footprinting and Reconnaissance using Windows OS Date Published: October 29, 2021 https://medium.com/@the_harvester/footprinting-and-reconnaissance-using-windows-os-36760fb47870 Excerpt: "This blog is in continuation previous blog on footprinting and...

OSN October 28, 2021

Title: Ransomware Gangs Use SEO Poisoning To Infect Visitors Date Published: October 28, 2021 https://www.bleepingcomputer.com/news/security/ransomware-gangs-use-seo-poisoning-to-infect-visitors/ Excerpt: "According to the findings of the Menlo Security team, SEO...

OSN August 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain Date Published: August 31, 2021 https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/ Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat...

OSN August 27, 2021

Title: Microsoft Azure Vulnerability Exposed Thousands of Cloud Databases Date Published: August 27, 2021 https://www.cyberscoop.com/microsoft-azure-cloud-vulnerability/ Excerpt: “The flaw would have allowed any Azure Cosmos DB user to read, write and delete another...

OSN August 26, 2021

Title: Microsoft Breaks Silence on Barrage of ProxyShell Attacks Date Published: August 26, 2021 https://threatpost.com/microsoft-barrage-proxyshell-attacks/168943/ Excerpt: “The company released an advisory late Wednesday letting customers know that threat actors may...