OSN August 9, 2021

Fortify Security Team
Aug 9, 2021

Title: Synology Warns of Malware Infecting NAS Devices with Ransomware
Date Published:  August 9, 2021


Excerpt:  “Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections.  According to Synology’s PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these attacks are later used in further attempts to breach more Linux systems.  “These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware,” Synology said in a security advisory.”

Title: Australian Govt Warns of Escalating LockBit Ransomware Attacks
Date Published:  August 8, 2021


Excerpt:  “The Australian Cyber Security Centre (ACSC) warns of an increase of LockBit 2.0 ransomware attacks against Australian organizations starting July 2021.  “ACSC has observed an increase in reporting of LockBit 2.0 ransomware incidents in Australia,” Australia’s cybersecurity agency said in a security alert issued on Thursday.  According to the agency, LockBit victims also report threats of having data stolen during the attacks leaked online, a known and popular tactic among ransomware gangs to coerce their targets into paying the ransoms.”

Title: Microsoft Exchange Servers Scanned for ProxyShell Vulnerability, Patch Now
Date Published:  August 7, 2021


Excerpt:  “Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference.  Before we get to the active scanning of these vulnerabilities, it is important to understand how they have been disclosed.  ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together.”

Title: Why Ransomware is Such a Threat to Critical Infrastructure
Date Published:  August 9, 2021


Excerpt:  “A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation’s critical infrastructure and the ease with which their systems can be breached.  Little more than a decade ago, what was considered critical infrastructure was largely limited to air traffic control and generation and transmission of energy, and security regulations have been tightly focused on these areas. Today, however, there’s a growing acknowledgment that infrastructure encompasses much more, from stormwater systems to garbage processors, telecom providers, hospitals, financial services, pipelines, and more.  Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much a threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.”

Title: CVE-2021-20090 Actively Exploited to Target Millions of IoT Devices Worldwide
Date Published:  August 7, 2021


Excerpt:  “Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot.  “A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication,” reads the advisory published by Tenable.  This flaw potentially affects millions of IoT devices manufactured by no less than 17 vendors, including some ISPs.  The ongoing attacks were spotted by researchers from Juniper Threat Labs; experts believe that they were conducted by a threat actor that has targeted IoT devices in a campaign since February.”

Title: 5 Ways to Stop Ransomware in its Tracks
Date Published:  August 9, 2021


Excerpt:  “Ransomware is now the most disruptive cyber threat facing global organizations, according to the CEO of the National Cyber Security Centre (NCSC). The scale of the problem is such that leaders at both the recent G7 and NATO conferences called on hostile nations such as Russia to take a harder line on the criminal groups they’re sheltering.  No organization is safe. From hospitals dealing with surges in COVID-19 cases to critical energy infrastructure in the US to UK train stations — the only rule businesses must learn is that it’s not a case of “if” but “when.” Attacks surged by 150% in 2020, with the average extortion amount doubling, according to some experts. This is down to three key factors: Ransomware-as-a-Service (RaaS) growth has lowered the barrier to entry for various affiliate groups. The large number of victim organizations choosing to pay extorters. Poor corporate cybersecurity.”

Title: NCSC Sticks by ‘Three Random Words’ Strategy for Passwords
Date Published:  August 9, 2021


Excerpt:  “Combining three random words is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC).  An NCSC blog post dated August 9 explains how this train of thought or “think random” helps to “keep the bad guys out.” The post follows on from a previous one from nearly five years ago, “Three random words or #thinkrandom.”  According to the post, enforcing “complex requirements” for passwords is a poor defense against guessing attacks. This is because “minds struggle to remember random character strings,” and, being human, we use “predictable patterns” to meet the required criteria.  Cyber hackers are all too familiar with this and use it to make their attacks more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.  “Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” says the NCSC post. “Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).””

Title: Conti Ransomware Affiliate Goes Rogue, Leaks “Gang Data”
Date Published:  August 6, 2021


Excerpt:  “As you already know, many of today’s ransomware attacks aren’t conducted by the core criminals who actually write the malware code.  The core crooks like to keep out of the limelight by recruiting “affiliates” to handle the actual network intrusions.  (These cybergangs often use regular business vocabulary, even referring to their victims as “customers” and describing their extortion attempts as “negotiations”.)  In theory, affiliates can get really rich, because they typically get paid 70% of any ransom that gets extorted – and individual ransoms can run into millions of dollars these days.  And in practice, the core criminals – the ones who write the malware, operate the “affiliate system”, and collect the Bitcoin blackmail payments – can get super-rich, because they get 30% of everything.  However, according to The Record, which published a screenshot of a post in a cybercrime forum by a user discussing the Conti ransomware crew: Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.  The implication, clearly, is that affiliates in the Conti ransomware crew are not being paid 70% of the actual ransom amount, but 70% of an imaginary but lower number.”

Title: FTC: Phishing Campaign Targets Unemployment Benefits & PII
Date Published:  August 6, 2021


Excerpt:  “The Federal Trade Commission (FTC) this week warned of a phishing campaign targeting victims’ unemployment insurance benefits and personally identifiable information (PII).  Malicious text messages claim that victims must “make necessary corrections” to their unemployment insurance claim, verify their personal information, or reactivate their UI benefits account. The texts include a link that redirects to a fake state workforce agency website, where victims are asked to enter site credentials and personal data such as a Social Security number.  “Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft,” officials wrote in a warning.”

Title: FragAttacks Foil 2 Decades of Wireless Security
Date Published:  August 6, 2021


Excerpt:  “The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, both have been found to be vulnerable to a variety of other security issues.  The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse the aggregation and fragmentation to allow machine-in-the-middle attacks. Details of the vulnerabilities, which have been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.  The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as aggregation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.”
