OSN August 4, 2021

Fortify Security Team
Aug 8, 2021

Title: BazarCall to Conti Ransomware via Trickbot and Cobalt Strike

Date Published: August 1, 2021

https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/

Excerpt: “The Trickbot payload came from a phishing campaign associated with BazarCall, delivering weaponized XLSB files. Upon execution, certutil.exe was copied to %programdata% and renamed with random alphanumeric characters. Certutil was used to download and load the Trickbot DLL into memory. Trickbot was automatically tasked to inject into the wermgr.exe process and use its well-known “pwgrab” module to steal browser credentials. As part of further automated tasking, Trickbot performed an initial reconnaissance of the environment using native Windows tools such as nltest.exe and net.exe.”

Title: Hotcobalt – New Cobalt Strike DoS Vulnerability That Lets You Halt Operations

Date Published: August 4, 2021

https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/

Excerpt: “By manipulating the screenshot’s size we can make the server allocate an arbitrary size of memory, the size of which is totally controllable by us. However, in order to trigger this piece of code, we need to be able to talk to the server like a Beacon. By combining all the knowledge of Beacon communication flow with our configuration parser, we have all we need to fake a Beacon. We’ve published a POC python script that does just that: it parses a Beacon’s configuration and uses the information stored in it to register a new random Beacon on the server.”

Title: Qualys Partners With Red Hat to Improve Linux and Kubernetes Security

Date Published: August 4, 2021

https://www.zdnet.com/article/qualys-partners-with-red-hat-to-improve-linux-and-kubernetes-security/

Excerpt: “In this case, the CoreOS Cloud Agent for OpenShift works with Qualys’s Container Security Runtime. This provides continuous discovery of packages and vulnerabilities for the complete OpenShift stack. It does this by placing a lightweight snippet of Qualys code into the container image. Once there, it enables policy-driven monitoring, detection, and blocking of unwanted container behavior at runtime. This eliminates the need for host-based sidecar management and privileged containers. Once instrumented in the image, it will work within each container irrespective of where the container is instantiated and it doesn’t need any additional administration containers.”

Title: Russian Federal Agencies Were Attacked With Chinese Webdav-O Virus

Date Published: August 4, 2021

https://thehackernews.com/2021/08/russian-federal-agencies-were-attacked.html

Excerpt: “The main goal of the hackers was to completely compromise the IT infrastructure and steal confidential information, including documents from closed segments and email correspondence of key federal executive authorities,” Solar JSOC noted, adding the “cybercriminals ensured themselves a high level of secrecy through the use of legitimate utilities, undetectable malware, and a deep understanding of the specifics of the work of information protection tools installed in government bodies.”

Title: Infra:Halt Security Bugs Impact Critical Industrial Control Devices

Date Published: August 4, 2021

https://www.bleepingcomputer.com/news/security/infra-halt-security-bugs-impact-critical-industrial-control-devices/

Excerpt: “High-severity and critical vulnerabilities collectively referred to as INFRA:HALT are affecting all versions of NicheStack below 4.3, a proprietary TCP/IP stack used by at least 200 industrial automation vendors, many in the leading segment of the market. The stack is commonly found on real-time operating systems (RTOS) powering operational technology (OT) and industrial control system (ICS) devices to provide internet and network functionality. INFRA:HALT is a set of 14 vulnerabilities discovered by Forescout Research Labs using JFrog’s automated software risk analysis platform. It is part of the company’s Project Memoria Research (Amnesia:33, NUMBER:JACK, NAME:WRECK) that focuses on the security of TCP/IP stacks.”

Title: Hackers Are Using CAPTCHA Techniques to Scam Email Users

Date Published: August 4, 2021

https://www.cyberscoop.com/captcha-email-hack-scam-proofpoint/

Excerpt: “Cybersecurity researchers also say that companies shouldn’t underestimate basic cyber hygiene in combatting ransomware. Hackers are increasingly turning to email to distribute initial malware that’s used later to download ransomware rather than using email as the initial attack vector. In 2020, Proofpoint detected 48 million emails that contained malware that was used to launch ransomware. Top threats detected by Proofpoint included names like The Trick, Dridex and Qbot.”

Title: Raccoon Stealer Bundles Malware, Propagates Via Google SEO

Date Published: August 3, 2021

https://threatpost.com/raccoon-stealer-google-seo/168301/

Excerpt: “For starters, Raccoon Stealer has pivoted from inbox-based infections to ones that leverage Google Search. According to Sophos, threat actors have been proficient in their optimization of malicious web pages to rank high in Google search results. The bait to lure victims in this campaign is software pirating tools such as programs to “crack” licensed software for illicit use or “keygen” programs that promise to generate registration keys to unlock licensed software.”

Title: Google: Linux Kernel and Its Toolchains Are Underinvested by at Least 100 Engineers

Date Published: August 4, 2021

https://www.theregister.com/2021/08/04/google_linux_kernel_security/

Excerpt: “Reasonable long-term cost? Linux, which is a free operating system, largely powers many of the world’s most profitable companies, not least Google itself whose parent company Alphabet reported $19.36bn operating profit in its quarter ending 30 June. The company could employ an additional 100 Linux security engineers without blinking, as could Amazon, which likewise runs mostly on Linux and reported revenue for its last quarter of $113.1bn.”

Title: New Chinese Spyware Being Used in Widespread Cyber Espionage Attacks

Date Published: August 4, 2021

https://thehackernews.com/2021/08/new-chinese-spyware-being-used-in.html

Excerpt: “A threat actor presumed to be of Chinese origin has been linked to a series of 10 attacks targeting Mongolia, Russia, Belarus, Canada, and the U.S. from January to July 2021 that involve the deployment of a remote access trojan (RAT) on infected systems, according to new research. The intrusions have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the cybersecurity community under the monikers Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).”

Title: Supply Chain Attacks from a Managed Detection and Response Perspective

Date Published: August 4, 2021

https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html

Excerpt: “However, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system. Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.”
