OSN August 31, 2021

Fortify Security Team
Aug 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain
Date Published: August 31, 2021

https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/

Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat actors to bypass some authentication controls. They can avoid triggering an alarm if the right tools or solutions aren’t in place. Therefore, organizations need to focus on putting defense best practices in place. Those measures include enabling multi factor authentication on users’ email accounts and monitoring for suspicious behavior using extended detection and response.”

Title: CVE-2021-39276: Fortress S03 WiFi Home Security System Vulnerabilities
Date Published: August 31, 2021

https://www.rapid7.com/blog/post/2021/08/31/cve-2021-3927-67-fortress-s03-wifi-home-security-system-vulnerabilities/

Excerpt: “What follows are details regarding the two disclosed vulnerabilities. Generally speaking, these issues are trivially easy to exploit by motivated attackers who already have some knowledge of the target. CVE-2021-39276: Unauthenticated API Access If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number. The following post request structure is used to make this unauthenticated query and return the IMEI.”

Title: Attracting Flies With Honey(Gain): Adversarial Abuse of Proxyware
Date Published: August 31, 2021

https://www.zdnet.com/article/cyberattackers-are-now-quietly-selling-off-their-victims-internet-bandwidth/

Excerpt: “Organizations should be aware of these applications, how they work, and how they are being taken advantage of, as they may pose a significant risk to corporate environments. Users’ bandwidth can be sold to platform customers to access the internet, while the actions performed by them over this access are logged to the organization’s IP address. This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks.”

Title: Ransomware Attacks on U.S. Schools and Colleges Cost $6.62bn in 2020
Date Published: August 31, 2021

https://www.comparitech.com/blog/information-security/school-ransomware-attacks/

Excerpt: “According to the figures we did find (for 39 out of 77 attacks), schools suffered an average downtime of just under 7 days in 2020. But the recovery process lasted 55.4 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable. Based on these figures, ransomware attacks may have caused 201 days of downtime and 1,108 days of recovery time in 2020.”

Title: New Variant of Konni RAT Used in a Campaign That Targeted Russia
Date Published: August 30, 2021

https://securityaffairs.co/wordpress/121625/apt/konni-rat-target-russia.html

Excerpt: “These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the “^var” string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls Wscript Shell function to execute the JavaScript file (y.js).” reads the analysis published by Malwarebytes. “The clever part is that the actor tried to hide its malicious JS which is the start of its main activities at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.”

Title: Bangkok Air Confirms Passenger PII Leak After Ransomware Attack
Date Published: August 30, 2021

https://therecord.media/bangkok-air-confirms-passenger-pii-leak-after-ransomware-attack/

Excerpt: “Per the airline, some of the personal data that may have been included in the stolen files included data fields such as passenger name, family name, nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information. Bangkok Airways said it notified local law enforcement of the breach and is now warning customers that some of the stolen data might be weaponized against them through unsolicited calls or emails.”

Title: Proxytoken: An Authentication Bypass in Microsoft Exchange Server
Date Published: August 30, 2021

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Excerpt: “In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.”

Title: Lockfile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
Date Published: August 31, 2021

https://threatpost.com/lockfile-ransomware-avoid-detection/169042/

Excerpt: “Researchers used WinDbg and .writemem to write the OPEN section to disk to analyze the code statically in Ghidra, an open-source reverse-engineering tool. There they found the ransomware’s main function, the first part of which initializes a crypto library that LockFile likely uses for its encryption functions, they said. The ransomware then uses the Windows Management Interface (WMI) command-line tool WMIC.EXE–which is part of every Windows installation—to terminate all processes with vmwp in their name, repeating the process for other critical business processes associated with virtualization software and databases.”

Title: Internal of the Android Kernel Backdoor Vulnerability
Date Published: August 31, 2021

https://paper.seebug.org/1690/

Excerpt: “Looking back at the history of Android kernel vulnerabilities, it can be found that most of the Android kernel vulnerabilities are memory vulnerabilities, while logic vulnerabilities are relatively rare. Because memory vulnerabilities have typical vulnerability patterns, obvious side effects, and more complete detection methods, such vulnerabilities are easier to find. Correspondingly, logic vulnerabilities have no typical vulnerability patterns (often closely related to functions), uncertain side effects, and lack of universal detection methods. Therefore, it is relatively difficult to mine such vulnerabilities. Because of this, logical loopholes have their unique charm.”

Title: Canada Accepted 7,300 More Immigration Applications Due to Technical Bug
Date Published: August 31, 2021

https://www.bleepingcomputer.com/news/security/canada-accepted-7-300-more-immigration-applications-due-to-technical-bug/

Excerpt: “We move applications around our global network to ensure they are processed as efficiently as possible, which means applications may not be processed at or decided upon by decision makers at the office closest to where a client lives, or where an application is submitted,” concluded IRCC in their email to BleepingComputer. IRCC is expected to enact a separate public policy for processing applications from persons requiring accommodation, details of which are to be announced. Temporary residents and international students wanting to assess their eligibility towards one or more immigration streams can check out the online eligibility tool.”
