OSN August 9, 2021

Fortify Security Team
Aug 9, 2021

Title: Synology Warns of Malware Infecting NAS Devices with Ransomware
Date Published:  August 9, 2021


Excerpt:  “Taiwan-based NAS maker Synology has warned customers that the StealthWorker botnet is targeting their network-attached storage devices in ongoing brute-force attacks that lead to ransomware infections.  According to Synology’s PSIRT (Product Security Incident Response Team), Synology NAS devices compromised in these attacks are later used in further attempts to breach more Linux systems.  “These attacks leverage a number of already infected devices to try and guess common administrative credentials, and if successful, will access the system to install its malicious payload, which may include ransomware,” Synology said in a security advisory.”

Title: Australian Govt Warns of Escalating LockBit Ransomware Attacks
Date Published:  August 8, 2021


Excerpt:  “The Australian Cyber Security Centre (ACSC) warns of an increase of LockBit 2.0 ransomware attacks against Australian organizations starting July 2021.  “ACSC has observed an increase in reporting of LockBit 2.0 ransomware incidents in Australia,” Australia’s cybersecurity agency said in a security alert issued on Thursday.  According to the agency, LockBit victims also report threats of having data stolen during the attacks leaked online, a known and popular tactic among ransomware gangs to coerce their targets into paying the ransoms.”

Title: Microsoft Exchange Servers Scanned for ProxyShell Vulnerability, Patch Now
Date Published:  August 7, 2021


Excerpt:  “Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference.  Before we get to the active scanning of these vulnerabilities, it is important to understand how they have been disclosed.  ProxyShell is the name for three vulnerabilities that perform unauthenticated, remote code execution on Microsoft Exchange servers when chained together.”

Title: Why Ransomware is Such a Threat to Critical Infrastructure
Date Published:  August 9, 2021


Excerpt:  “A recent spike in large-scale ransomware attacks has highlighted the vulnerabilities in the nation’s critical infrastructure and the ease with which their systems can be breached.  Little more than a decade ago, what was considered critical infrastructure was largely limited to air traffic control and generation and transmission of energy, and security regulations have been tightly focused on these areas. Today, however, there’s a growing acknowledgment that infrastructure encompasses much more, from stormwater systems to garbage processors, telecom providers, hospitals, financial services, pipelines, and more.  Cyberattacks and ransomware pose a greater risk to critical infrastructure than a non-digital external threat like a nation-state does, and the size and scale of the infrastructure has little to do with the scope of the risk; ransomware is just as much a threat to a water treatment plant in downtown Smallville, USA, as it is to a large-scale energy grid or gasoline pipeline.”

Title: CVE-2021-20090 Actively Exploited to Target Millions of IoT Devices Worldwide
Date Published:  August 7, 2021


Excerpt:  “Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot.  “A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication.” reads the advisory published by Tenable.  This flaw potentially affects millions of IoT devices manufactured by no less than 17 vendors, including some ISPs.  The ongoing attacks were spotted by researchers from Juniper Threat Labs; experts believe they were conducted by a threat actor that has been targeting IoT devices in a campaign since February.”

Title: 5 Ways to Stop Ransomware in its Tracks
Date Published:  August 9, 2021


Excerpt:  “Ransomware is now the most disruptive cyber threat facing global organizations, according to the CEO of the National Cyber Security Centre (NCSC). The scale of the problem is such that leaders at both the recent G7 and NATO conferences called on hostile nations such as Russia to take a harder line on the criminal groups they’re sheltering.  No organization is safe. From hospitals dealing with surges in COVID-19 cases to critical energy infrastructure in the US to UK train stations — the only rule businesses must learn is that it’s not a case of “if” but “when.” Attacks surged by 150% in 2020, with the average extortion amount doubling, according to some experts. This is down to three key factors: Ransomware-as-a-Service (RaaS) growth has lowered the barrier to entry for various affiliate groups. The large number of victim organizations choosing to pay extorters. Poor corporate cybersecurity.”

Title: NCSC Sticks by ‘Three Random Words’ Strategy for Passwords
Date Published:  August 9, 2021


Excerpt:  “Combining three random words is more effective than using complex combinations for passwords, says the National Cyber Security Council (NCSC).  An NCSC blog post dated August 9 explains how this train of thought or “think random” helps to “keep the bad guys out.” The post follows on from a previous one from nearly five years ago, “Three random words or #thinkrandom.”  According to the post, enforcing “complex requirements” for passwords is a poor defense against guessing attacks. This is because “minds struggle to remember random character strings,” and, being human, we use “predictable patterns” to meet the required criteria.  Cyber hackers are all too familiar with this and use it to make their attacks more effective. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.  “Counter-intuitively, the enforcement of these complexity requirements results in the creation of more predictable passwords,” says the NCSC post. “Faced with making yet another password with specific requirements, users fall back on variations of something they already know and use, falsely believing it to be strong because it satisfies password strength meters (and is accepted by online services).”

Title: Conti Ransomware Affiliate Goes Rogue, Leaks “Gang Data”
Date Published:  August 6, 2021


Excerpt:  “As you already know, many of today’s ransomware attacks aren’t conducted by the core criminals who actually write the malware code.  The core crooks like to keep out of the limelight by recruiting “affiliates” to handle the actual network intrusions.  (These cybergangs often use regular business vocabulary, even referring to their victims as “customers” and describing their extortion attempts as “negotiations”.)  In theory, affiliates can get really rich, because they typically get paid 70% of any ransom that gets extorted – and individual ransoms can run into millions of dollars these days.  And in practice, the core criminals – the ones who write the malware, operate the “affiliate system”, and collect the Bitcoin blackmail payments – can get super-rich, because they get 30% of everything.  However, according to The Record, which published a screenshot of a post in a cybercrime forum by a user discussing the Conti ransomware crew: Yes, of course they recruit suckers and divide the money among themselves, and the boys are fed with what they will let them know when the victim pays.  The implication, clearly, is that affiliates in the Conti ransomware crew are not being paid 70% of the actual ransom amount, but 70% of an imaginary but lower number.”

Title: FTC: Phishing Campaign Targets Unemployment Benefits & PII
Date Published:  August 6, 2021


Excerpt:  “The Federal Trade Commission (FTC) this week warned of a phishing campaign targeting victims’ unemployment insurance benefits and personally identifiable information (PII).  Malicious text messages claim that victims must “make necessary corrections” to their unemployment insurance claim, verify their personal information, or reactivate their UI benefits account. The texts include a link that redirects to a fake state workforce agency website, where victims are asked to enter site credentials and personal data such as a Social Security number.  “Fraudsters can use the information to file fraudulent UI benefits claims or for other identity theft,” officials wrote in a warning.”

Title: FragAttacks Foil 2 Decades of Wireless Security
Date Published:  August 6, 2021


Excerpt:  “The evolution of wireless security could at best be described as trial and error. The initial standard that debuted in the late 1990s — Wired Equivalent Privacy (WEP) — had significant security problems, and the first two versions of Wireless Protected Access, WPA and WPA2, both have been found to be vulnerable to a variety of other security issues.  The trials continue with a host of so-called fragmentation attacks, or FragAttacks, that abuse the aggregation and fragmentation to allow machine-in-the-middle attacks. Details of the vulnerabilities, which have been kept secret for nine months, were disclosed at the Black Hat USA briefings on Aug. 5.  The issues occur in the way that small network packets are combined for transport, known as aggregation, or the way that large network packets are split up to improve reliability, known as aggregation. Even devices using WPA3, the latest wireless security standard, can be vulnerable, Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, said during his Black Hat presentation.”
