OSN August 9, 2021

Fortify Security Team
Aug 9, 2021

Title: Synology Warns of Malware Infecting NAS Devices with Ransomware
Date Published: August 9, 2021

Excerpt: “Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections. According to Synology’s PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these attacks are later used in further attempts to breach more Linux systems. “These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware,” Synology said in a security advisory.”

Title: Australian Govt Warns of Escalating LockBit Ransomware Attacks
Date Published: August 8, 2021

Excerpt: “The Australian Cyber Security Centre (ACSC) warns of an increase of LockBit 2.0 ransomware attacks against Australian organizations starting July 2021. “ACSC has observed an increase in reporting of LockBit 2.0 ransomware incidents in Australia,” Australia’s cybersecurity agency said in a security alert issued on Thursday. According to the agency, LockBit victims also report threats of having data stolen during the attacks leaked online, a known and popular tactic among ransomware gangs to coerce their targets into paying the ransoms.”

Title: Microsoft Exchange Servers Scanned for ProxyShell Vulnerability, Patch Now
Date Published: August 7, 2021

Excerpt: “Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. Before we get to the active scanning of these vulnerabilities, it is important to understand how they have been disclosed. ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together.”

Title: Why Ransomware is Such a Threat to Critical Infrastructure
Date Published: August 9, 2021

Excerpt: “A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation’s critical infrastructure and the ease with which their systems can be breached. Little more than a decade ago, what was considered critical infrastructure was largely limited to air traffic control and generation and transmission of energy, and security regulations have been tightly focused on these areas. Today, however, there’s a growing acknowledgment that infrastructure encompasses much more, from stormwater systems to garbage processors, telecom providers, hospitals, financial services, pipelines, and more. Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much a threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.”

Title: CVE-2021-20090 Actively Exploited to Target Millions of IoT Devices Worldwide
Date Published: August 7, 2021

Excerpt: “Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot. “A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication,” reads the advisory published by Tenable. This flaw potentially affects millions of IoT devices manufactured by no less than 17 vendors, including some ISPs. The ongoing attacks were spotted by researchers from Juniper Threat Labs; experts believe they were conducted by a threat actor that has been targeting IoT devices in a campaign since February.”

Title: 5 Ways to Stop Ransomware in its Tracks
Date Published: August 9, 2021

Excerpt: “Ransomware is now the most disruptive cyber threat facing global organizations, according to the CEO of the National Cyber Security Centre (NCSC). The scale of the problem is such that leaders at both the recent G7 and NATO conferences called on hostile nations such as Russia to take a harder line on the criminal groups they’re sheltering. No organization is safe. From hospitals dealing with surges in COVID-19 cases to critical energy infrastructure in the US to UK train stations, the only rule businesses must learn is that it’s not a case of “if” but “when.” Attacks surged by 150% in 2020, with the average extortion amount doubling, according to some experts. This is down to three key factors: Ransomware-as-a-Service (RaaS) growth has lowered the barrier to entry for various affiliate groups; the large number of victim organizations choosing to pay extorters; and poor corporate cybersecurity.”

Title: NCSC Sticks by ‘Three Random Words’ Strategy for Passwords
Date Published: August 9, 2021

Excerpt: “Combining three random words is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC). An NCSC blog post dated August 9 explains how this train of thought or “think random” helps to “keep the bad guys out.” The post follows on from a previous one from nearly five years ago, “Three random words or #thinkrandom.” According to the post, enforcing “complex requirements” for passwords is a poor defense against guessing attacks. This is because “minds struggle to remember random character strings,” and, being human, we use “predictable patterns” to meet the required criteria. Cyber hackers are all too familiar with this and use it to make their attacks more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches. “Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” says the NCSC post. “Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).”

Title: Conti Ransomware Affiliate Goes Rogue, Leaks “Gang Data”
Date Published: August 6, 2021

Excerpt: “As you already know, many of today’s ransomware attacks aren’t conducted by the core criminals who actually write the malware code. The core crooks like to keep out of the limelight by recruiting “affiliates” to handle the actual network intrusions. (These cybergangs often use regular business vocabulary, even referring to their victims as “customers” and describing their extortion attempts as “negotiations”.) In theory, affiliates can get really rich, because they typically get paid 70% of any ransom that gets extorted, and individual ransoms can run into millions of dollars these days. And in practice, the core criminals, the ones who write the malware, operate the “affiliate system”, and collect the Bitcoin blackmail payments, can get super-rich, because they get 30% of everything. However, according to The Record, which published a screenshot of a post in a cybercrime forum by a user discussing the Conti ransomware crew: Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays. The implication, clearly, is that affiliates in the Conti ransomware crew are not being paid 70% of the actual ransom amount, but 70% of an imaginary but lower number.”

Title: FTC: Phishing Campaign Targets Unemployment Benefits & PII
Date Published: August 6, 2021

Excerpt: “The Federal Trade Commission (FTC) this week warned of a phishing campaign targeting victims’ unemployment insurance benefits and personally identifiable information (PII). Malicious text messages claim that victims must “make necessary corrections” to their unemployment insurance claim, verify their personal information, or reactivate their UI benefits account. The texts include a link that redirects to a fake state workforce agency website, where victims are asked to enter site credentials and personal data such as a Social Security number. “Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft,” officials wrote in a warning.”

Title: FragAttacks Foil 2 Decades of Wireless Security
Date Published: August 6, 2021

Excerpt: “The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s, Wired Equivalent Privacy (WEP), had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, both have been found to be vulnerable to a variety of other security issues. The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse the aggregation and fragmentation to allow machine-in-the-middle attacks. Details of the vulnerabilities, which have been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5. The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as aggregation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.”
