OSN August 31, 2021

Fortify Security Team
Aug 31, 2021

Title: Cyberattacks Use Office 365 to Target Supply Chain
Date Published: August 31, 2021

https://securityintelligence.com/articles/cyberattacks-office-365-supply-chain/

Excerpt: “Supply chain cyberattacks involving Office 365 are effective in that they enable threat actors to bypass some authentication controls. They can avoid triggering an alarm if the right tools or solutions aren’t in place. Therefore, organizations need to focus on putting defense best practices in place. Those measures include enabling multi-factor authentication on users’ email accounts and monitoring for suspicious behavior using extended detection and response.”

Title: CVE-2021-39276: Fortress S03 WiFi Home Security System Vulnerabilities
Date Published: August 31, 2021

https://www.rapid7.com/blog/post/2021/08/31/cve-2021-3927-67-fortress-s03-wifi-home-security-system-vulnerabilities/

Excerpt: “What follows are details regarding the two disclosed vulnerabilities. Generally speaking, these issues are trivially easy to exploit by motivated attackers who already have some knowledge of the target. CVE-2021-39276: Unauthenticated API Access If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number. The following post request structure is used to make this unauthenticated query and return the IMEI.”

Title: Attracting Flies With Honey(Gain): Adversarial Abuse of Proxyware
Date Published: August 31, 2021

https://www.zdnet.com/article/cyberattackers-are-now-quietly-selling-off-their-victims-internet-bandwidth/

Excerpt: “Organizations should be aware of these applications, how they work, and how they are being taken advantage of, as they may pose a significant risk to corporate environments. Users’ bandwidth can be sold to platform customers to access the internet, while the actions performed by them over this access are logged to the organization’s IP address. This is a recent trend, but the potential to grow is enormous. We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These networks may also allow threat actors to obfuscate the source of their attacks, making them appear as if they are originating from legitimate corporate networks.”

Title: Ransomware Attacks on U.S. Schools and Colleges Cost $6.62bn in 2020
Date Published: August 31, 2021

https://www.comparitech.com/blog/information-security/school-ransomware-attacks/

Excerpt: “According to the figures we did find (for 39 out of 77 attacks), schools suffered an average downtime of just under 7 days in 2020. But the recovery process lasted 55.4 days. Downtime relates to schools being shut and/or services being largely unavailable, while the recovery period may mean schools are open but certain servers, devices, and services are unavailable. Based on these figures, ransomware attacks may have caused 201 days of downtime and 1,108 days of recovery time in 2020.”

Title: New Variant of Konni RAT Used in a Campaign That Targeted Russia
Date Published: August 30, 2021

https://securityaffairs.co/wordpress/121625/apt/konni-rat-target-russia.html

Excerpt: “These malicious documents used by Konni APT have been weaponized with the same simple but clever macro. It just uses a Shell function to execute a one-liner cmd command. This one-liner command gets the current active document as input and looks for the “^var” string using findstr and then writes the content of the line starting from “var” into y.js. At the end it calls the Wscript Shell function to execute the JavaScript file (y.js),” reads the analysis published by Malwarebytes. “The clever part is that the actor tried to hide its malicious JS, which is the start of its main activities, at the end of the document content and did not put it directly into the macro to avoid being detected by AV products as well as hiding its main intent from them.”

Title: Bangkok Air Confirms Passenger PII Leak After Ransomware Attack
Date Published: August 30, 2021

https://therecord.media/bangkok-air-confirms-passenger-pii-leak-after-ransomware-attack/

Excerpt: “Per the airline, some of the personal data that may have been included in the stolen files included data fields such as passenger name, family name, nationality, gender, phone number, email, address, contact information, passport information, historical travel information, partial credit card information, and special meal information. Bangkok Airways said it notified local law enforcement of the breach and is now warning customers that some of the stolen data might be weaponized against them through unsolicited calls or emails.”

Title: Proxytoken: An Authentication Bypass in Microsoft Exchange Server
Date Published: August 30, 2021

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

Excerpt: “In summary, when the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request. Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.”

Title: Lockfile Ransomware Uses Never-Before-Seen Encryption to Avoid Detection
Date Published: August 31, 2021

https://threatpost.com/lockfile-ransomware-avoid-detection/169042/

Excerpt: “Researchers used WinDbg and .writemem to write the OPEN section to disk to analyze the code statically in Ghidra, an open-source reverse-engineering tool. There they found the ransomware’s main function, the first part of which initializes a crypto library that LockFile likely uses for its encryption functions, they said. The ransomware then uses the Windows Management Interface (WMI) command-line tool WMIC.EXE–which is part of every Windows installation—to terminate all processes with vmwp in their name, repeating the process for other critical business processes associated with virtualization software and databases.”

Title: Internal of the Android Kernel Backdoor Vulnerability
Date Published: August 31, 2021

https://paper.seebug.org/1690/

Excerpt: “Looking back at the history of Android kernel vulnerabilities, it can be found that most of the Android kernel vulnerabilities are memory vulnerabilities, while logic vulnerabilities are relatively rare. Because memory vulnerabilities have typical vulnerability patterns, obvious side effects, and more complete detection methods, such vulnerabilities are easier to find. Correspondingly, logic vulnerabilities have no typical vulnerability patterns (often closely related to functions), uncertain side effects, and lack of universal detection methods. Therefore, it is relatively difficult to mine such vulnerabilities. Because of this, logical loopholes have their unique charm.”

Title: Canada Accepted 7,300 More Immigration Applications Due to Technical Bug
Date Published: August 31, 2021

https://www.bleepingcomputer.com/news/security/canada-accepted-7-300-more-immigration-applications-due-to-technical-bug/

Excerpt: “‘We move applications around our global network to ensure they are processed as efficiently as possible, which means applications may not be processed at or decided upon by decision makers at the office closest to where a client lives, or where an application is submitted,’ concluded IRCC in their email to BleepingComputer. IRCC is expected to enact a separate public policy for processing applications from persons requiring accommodation, details of which are to be announced. Temporary residents and international students wanting to assess their eligibility towards one or more immigration streams can check out the online eligibility tool.”
