OSN August 30, 2021

Fortify Security Team
Aug 30, 2021

Title: New Mirai Variant Targets WebSVN Command Injection Vulnerability (CVE-2021-32305)

Date Published: August 30, 2021


Excerpt: “Analysis of this malware reveals that it is used to perform distributed denial of service (DDoS) attacks and that it shares some of its code with the Mirai botnet family. To reduce the size of the executable files, each one is compressed with a modified version of the popular open-source packer, UPX. Because the packer is modified, it is less likely for reverse engineering tools to succeed in automatically unpacking the executable files, requiring more manual effort for analysis. Additionally, the malware achieves portability by statically linking all of its dependencies and making system calls directly inside the code.”

Title: DirtyMoe Botnet Is Back and It Has Surprises

Date Published: August 30, 2021


Excerpt: “DirtyMoe’s self-defense and hiding techniques can be found at local and network malware layers. The core of the DirtyMoe is the service that is protected by VMProtect. It extracts a Windows driver that utilizes various rootkit capabilities such as service, registry entry, and driver hiding. Additionally, the driver can hide selected files on the system volume and can inject an arbitrary DLL into each newly created process in the system. The network communication with a mother server is not hard-coded and is not invoked directly. DirtyMoe makes a DNS request to one hard-coded domain using a set of hardcoded DNS servers. However,  the final IP address and port are derived using another sequence of DNS requests. So, blocking one final IP address does not neutralize the malware, and we also cannot block DNS requests to DNS servers such as Google, Cloudflare, etc.”

Title: SideWalk Modular Backdoor Discovered in Newly Launched APT Campaigns

Date Published: August 30, 2021


Excerpt: “A new modular backdoor called SideWalk was recently discovered as part of new malicious campaigns launched by an APT group dubbed as SparklingGoblin. An advanced persistent threat can be deployed by cyber-criminals that have a high level of expertise and important resources to infiltrate a network. These malicious actors usually use this type of attack in order to target large organizations in an attempt to retrieve economic or financial information, and in some cases, they might try to use this form of attack in order to stop or block a company’s program or agenda. The SparklingGoblin APT was first seen back in May 2020 when cybersecurity researchers were tracking some attacks on Hong Kong universities by another group that used CrossWalk backdoor in 2019.”

Title: Microsoft Notifies About an Ongoing Open Redirects Phishing Campaign

Date Published: August 30, 2021


Excerpt: “Microsoft has warned about this delivery method in April, when cybercriminals used it to deliver IcedID malware. The recent campaigns are similar, only the payload and the lure have changed. Website developer and designer Brian Johnson posted last week about two of his clients getting legal notifications about their websites being hacked to run DDoS attacks against a major company (Intuit, Hubspot). The sender threatened with legal action unless the recipients didn’t “immediately clean” their website of the malicious files that helped deploy the DDoS attack. “I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” reads the fake notification.”

Title: Bangkok Airways Apologizes for Passport Info Breach as Lockbit Ransomware Group Threatens Data Leak

Date Published: August 30, 2021


Excerpt: “Bangkok Airways did not respond to requests for comment from ZDNet about how many customers were involved in the breach or what timeframe the data came from, but in its statement the company said an investigation revealed that the names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information for passengers of the airline had been accessed. The company said it is still conducting an investigation into the attack and is working on strengthening its IT system as it identifies potential victims.”

Title: T-Mobile Hacker Used Brute Force Attack to Steal Customers’ Data

Date Published: August 29, 2021


Excerpt: “Earlier this month, T-Mobile suffered a data breach in which a hacker claimed to steal the personal data of 100 million customers. Although the company acknowledged the breach yet claimed that the incident affected 40 million customers. Now, T-Mobile has revealed additional information on how the hacker successfully targeted the telecom giant and stole data that was supposed to be guarded by top-notch security practices. The CEO of T-Mobile Mike Sievert apologized to the customers for the data breach and reassured them that the carrier is taking steps to make their servers secure to avoid such attacks in the future.”

Title: Fake DMCA Complaints, DDoS Threats Lead to Bazaloader Malware

Date Published: August 27, 2021


Excerpt: “The goal is the same though: use contact forms to deliver BazaLoader malware that often drops Cobalt Strike, which can lead to data theft or a ransomware attack. Microsoft has warned about this delivery method in April, when cybercriminals used it to deliver IcedID malware. The recent campaigns are similar, only the payload and the lure have changed. Website developer and designer Brian Johnson posted last week about two of his clients getting legal notifications about their websites being hacked to run DDoS attacks against a major company (Intuit, Hubspot).”

Title: Microsoft Azure Customers Warned of Critical Bug Found in Cosmos DB

Date Published: August 30, 2021


Excerpt: “This month, cybersecurity researchers at the cloud security company Wiz have noticed they could have obtained access to the primary read-write key for most users of the Cosmos DB database system, which allowed them to steal, modify, or get rid of millions of databases. Following the Wiz warning on 12 August 2021, Microsoft has immediately disabled the vulnerable feature, informed more than 30% of the potentially impacted individuals, and urged them to change their keys.”

Title: An RCE in Annke Video Surveillance Product Allows Hacking the Device

Date Published: August 30, 2021


Excerpt: “The flaw is a stack-based buffer overflow that affects the web service of the Annke N48PBB network video recorder (NVR), an attacker can trigger it to remotely execute arbitrary code and access sensitive information. The issue can allow an attacker to access recorded videos, delete footage, change configurations, and shut down certain cameras. Nozomi researchers noticed that the web interface of the device allows enablement of a SSH service on the device, which provides access to a restricted number of commands. The experts performed reverse engineering of the firmware to fully unrestricted SSH access. Experts first extracted the firmware of a device by physically attaching to the device’s onboard memory, then modified it to disable all SSH restrictions and add several debugging tools. At the end of the process, the firmware was rewritten to the device’s memory.”

Title: T-Mobile Ceo Apologizes for Massive Hack, Announces Cybersecurity Deal With Mandiant

Date Published: August 26, 2021


Excerpt: “He also implied that the leak of social security numbers, driver’s licenses and ID information was “like so many breaches before,” but admitted that the company had failed to keep their customers’ data safe. “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them,” Sievert said. “We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry”.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...