OSN August 31, 2021

Fortify Security Team
Aug 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain
Date Published: August 31, 2021

https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/

Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat actors to bypass some authentication controls. They can avoid triggering an alarm if the right tools or solutions aren’t in place. Therefore, organizations need to focus on putting defense best practices in place. Those measures include enabling multi factor authentication on users’ email accounts and monitoring for suspicious behavior using extended detection and response.”

Title: CVE-2021-39276: Fortress S03 WiFi Home Security System Vulnerabilities
Date Published: August 31, 2021

https://www.rapid7.com/blog/post/2021/08/31/cve-2021-3927-67-fortress-s03-wifi-home-security-system-vulnerabilities/

Excerpt: “What follows are details regarding the two disclosed vulnerabilities. Generally speaking, these issues are trivially easy to exploit by motivated attackers who already have some knowledge of the target. CVE-2021-39276: Unauthenticated API Access If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number. The following post request structure is used to make this unauthenticated query and return the IMEI.”

Title: Attracting Flies With Honey(Gain): Adversarial Abuse of Proxyware
Date Published: August 31, 2021

https://www.zdnet.com/article/cyberattackers-are-now-quietly-selling-off-their-victims-internet-bandwidth/

Excerpt: “Organizations should be aware of these applications, how they work, and how they are being taken advantage of, as they may pose a significant risk to corporate environments. Users’ bandwidth can be sold to platform customers to access the internet, while the actions performed by them over this access are logged to the organization’s IP address. This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks.”

Title: Ransomware Attacks on U.S. Schools and Colleges Cost $6.62bn in 2020
Date Published: August 31, 2021

https://www.comparitech.com/blog/information-security/school-ransomware-attacks/

Excerpt: “According to the figures we did find (for 39 out of 77 attacks), schools suffered an average downtime of just under 7 days in 2020. But the recovery process lasted 55.4 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable. Based on these figures, ransomware attacks may have caused 201 days of downtime and 1,108 days of recovery time in 2020.”

Title: New Variant of Konni RAT Used in a Campaign That Targeted Russia
Date Published: August 30, 2021

https://securityaffairs.co/wordpress/121625/apt/konni-rat-target-russia.html

Excerpt: “These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the “^var” string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls Wscript Shell function to execute the JavaScript file (y.js).” reads the analysis published by Malwarebytes. “The clever part is that the actor tried to hide its malicious JS which is the start of its main activities at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.”

Title: Bangkok Air Confirms Passenger PII Leak After Ransomware Attack
Date Published: August 30, 2021

https://therecord.media/bangkok-air-confirms-passenger-pii-leak-after-ransomware-attack/

Excerpt: “Per the airline, some of the personal data that may have been included in the stolen files included data fields such as passenger name, family name, nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information. Bangkok Airways said it notified local law enforcement of the breach and is now warning customers that some of the stolen data might be weaponized against them through unsolicited calls or emails.”

Title: Proxytoken: An Authentication Bypass in Microsoft Exchange Server
Date Published: August 30, 2021

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Excerpt: “In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.”

Title: Lockfile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
Date Published: August 31, 2021

https://threatpost.com/lockfile-ransomware-avoid-detection/169042/

Excerpt: “Researchers used WinDbg and .writemem to write the OPEN section to disk to analyze the code statically in Ghidra, an open-source reverse-engineering tool. There they found the ransomware’s main function, the first part of which initializes a crypto library that LockFile likely uses for its encryption functions, they said. The ransomware then uses the Windows Management Interface (WMI) command-line tool WMIC.EXE–which is part of every Windows installation—to terminate all processes with vmwp in their name, repeating the process for other critical business processes associated with virtualization software and databases.”

Title: Internal of the Android Kernel Backdoor Vulnerability
Date Published: August 31, 2021

https://paper.seebug.org/1690/

Excerpt: “Looking back at the history of Android kernel vulnerabilities, it can be found that most of the Android kernel vulnerabilities are memory vulnerabilities, while logic vulnerabilities are relatively rare. Because memory vulnerabilities have typical vulnerability patterns, obvious side effects, and more complete detection methods, such vulnerabilities are easier to find. Correspondingly, logic vulnerabilities have no typical vulnerability patterns (often closely related to functions), uncertain side effects, and lack of universal detection methods. Therefore, it is relatively difficult to mine such vulnerabilities. Because of this, logical loopholes have their unique charm.”

Title: Canada Accepted 7,300 More Immigration Applications Due to Technical Bug
Date Published: August 31, 2021

https://www.bleepingcomputer.com/news/security/canada-accepted-7-300-more-immigration-applications-due-to-technical-bug/

Excerpt: “We move applications around our global network to ensure they are processed as efficiently as possible, which means applications may not be processed at or decided upon by decision makers at the office closest to where a client lives, or where an application is submitted,” concluded IRCC in their email to BleepingComputer. IRCC is expected to enact a separate public policy for processing applications from persons requiring accommodation, details of which are to be announced. Temporary residents and international students wanting to assess their eligibility towards one or more immigration streams can check out the online eligibility tool.”
