OSN August 6, 2021

Fortify Security Team
Aug 6, 2021

Title: Admin’s Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Paths for Profit

Date Published: August 6, 2021


Excerpt: “In an attack scenario, an adversary would need to entice a remote user or system to authenticate back to the adversary-controlled host in order to relay the credential to the certificate server. The SpoolSample (https[:]//github[.]com/leechristensen/SpoolSample) tool, created by @tifkin_, provides a method to invoke the MS-RPRN RPC service to entice servers via the Print Spooler to authenticate back to the adversary, but the tool requires Active Directory user credentials.”

Title: HTTP/2 Implementation Errors Exposing Websites to Serious Risks

Date Published: August 5, 2021


Excerpt: “Nearly 50% of all websites currently use the HTTP/2 (H2) protocol, which was introduced in 2015 as a faster and simpler alternative to HTTP/1.1. As Google describes it, ‘all the core concepts, such as HTTP methods, status codes, URIs, and header fields, remain in place,’ with the new protocol. ‘Instead, HTTP/2 modifies how the data is formatted (framed) and transported between the client and server, both of which manage the entire process, and hides all the complexity from our applications within the new framing layer.’”

Title: 4 Uncommon Programming Languages for Malware Development

Date Published: August 5, 2021


Excerpt: “Programming languages for malware development, such as DLang, Nim, Rust, and Go, are becoming famous among malware authors to bypass security defenses and address the weak points in their development process, BlackBerry researchers report. The research team selected these four programming languages because they have noticed an increase in their use for malicious intent and an increased number of malware families using them. Now the question arises why there is an escalation in the number of malware families being detected using these uncommon programming languages for malware development? Let’s find the answer.”

Title: Angry Conti Ransomware Affiliate Leaks Gang’s Attack Playbook

Date Published: August 5, 2021


Excerpt: “By and large, it is the holy grail of the pentester operation behind the Conti ransomware ‘pentester’ team from A-Z. The implications are huge and allow new pentester ransomware operators to level up their pentester skills for ransomware step by step.” “The leak also shows the maturity of their ransomware organization and how sophisticated, meticulous and experienced they are while targeting corporations worldwide.” “It also provides a plethora of detection opportunities including the group focus on AnyDesk persistence and Atera security software agent persistence to survive detections.” “This leak illustrates the vulnerability of ransomware-as-a-service operations, as a single unhappy affiliate could lead to the exposure of carefully cultivated information and resources used in attacks.”

Title: Black Hat: Badalloc Bugs Expose Millions of IoT Devices to Hijack

Date Published: August 6, 2021


Excerpt: “BadAlloc is the name given to a swathe of memory allocation vulnerabilities found in IoT and OT products by Microsoft researchers. Disclosed in April, the bugs could allow ‘adversaries to bypass security controls in order to execute malicious code or cause a system crash,’ according to the firm. The vulnerabilities exist in memory allocation functions present in at least 17 real-time operating systems (RTOS), SDKs, and self-memory management applications, and impact functions including malloc, calloc, realloc, memalign, and more.”

Title: Starhub Suffers Data Breach, but Says No System Was Compromised

Date Published: August 6, 2021


Excerpt: “The file contained mobile numbers, email addresses, and identity card numbers for 57,191 customers who had subscribed to StarHub’s before 2007, it said. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business, according to its website. When asked, a StarHub spokesperson would not say which of its customers were impacted or whether they were still customers. She also declined to reveal how often it conducted its online surveillance, citing security considerations, saying only that the telco conducted such activities ‘regularly’.”

Title: Microsoft Patched the Issue With Windows Containers That Enabled Siloscape

Date Published: August 5, 2021


Excerpt: “Microsoft recently added additional security checks that address the Windows container escape that we discovered last year. This is the same escape that enabled Siloscape, the first known vulnerability targeting Windows containers, which we discovered earlier this year. Several findings regarding Windows containers led up to our report on Siloscape. We started with an overview of the architecture, followed by an article on how to use some of those findings to break out of the container. To address the issue, Microsoft focused on the key function that enabled the container escape, which prevents exploitation. Now, there will also be a check for whether the function is being called from inside a container. If so, it will be blocked. These new changes Microsoft introduced directly prevent Siloscape’s attack technique.”

Title: Spam Mail With Vishing Numbers

Date Published: August 6, 2021


Excerpt: “The scam relies on recipients being so alarmed by the not-insubstantial loss that they will act rashly, hoping to get their money back. Of course, their money hasn’t gone anywhere — at least, not yet. This particular strain of spam e-mails contains no links, but they do include a phone number that the victim is asked to call if they want to change or cancel the order. Sometimes the number sits unobtrusively somewhere at the bottom of the text. Other times it is highlighted in red and repeated several times in the message.”

Title: VMware Addresses Critical Flaws in Its Products

Date Published: August 6, 2021


Excerpt: “VMware Workspace One Access and Identity Manager allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. VMware has evaluated this issue to be of ‘Important’ severity with a maximum CVSSv3 base score of 8.6,” reads the security advisory published by the company. “A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app; in addition, a malicious actor could access /cfg diagnostic endpoints without authentication.”

Title: The Logic Behind Three Random Words

Date Published: August 6, 2021


Excerpt: “We’ve covered, at length, how enforcing complexity requirements is a poor defence against guessing attacks. Our minds struggle to remember random character strings, so we use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required ‘complexity’ criteria. Of course, attackers are familiar with these strategies and use this knowledge to optimise their attacks. Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords. Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).”
