OSN September 13, 2021

Fortify Security Team
Sep 13, 2021

Title: Windows MSHTML Zero-Day Exploits Shared on Hacking Forums
Date Published: September 12, 2021

https://www.bleepingcomputer.com/news/microsoft/windows-mshtml-zero-day-exploits-shared-on-hacking-forums/

Excerpt: “While they soon reproduced the exploits, modified them for further capabilities, and discovered a new document preview vector, the researchers did not disclose details for fear other threat actors would abuse it. Unfortunately, threat actors have been able to reproduce the exploit on their own from information, and malicious document samples posted online and have begun sharing detailed guides and information on hacking forums. Starting on Thursday, threat actors began sharing public information about the HTML component of the exploit and how to create the malicious document. On Friday, more instructions were posted on generating the payload and a CAB file that included the path traversal vulnerability component.”

Title: GitHub Tackles Severe Vulnerabilities in Node.js Packages
Date Published: September 9, 2021

https://www.zdnet.com/article/github-tackles-seven-vulnerabilities-in-node-js-packages/

Excerpt: “The tar Node.js package is used to mimic the tar archive system on Unix, whereas @npmcli/arborist has been developed to manage node_modules trees. Tar is a core npm dependency for npm package extraction, and @npmcli/arborist is a core dependency for npm CLI. Node-tar has accounted for 22,390,735 weekly downloads, at the time of writing, whereas @npmcli/arborist has been downloaded 405,551 times over the past week. In total, seven vulnerabilities have been verified through the bug bounty reports and the security team at GitHub’s findings.”

Title: Olympus: Investigating Potential Cybersecurity Incident Affecting Limited Areas of Our EMEA IT System
Date Published: September 11, 2021

https://www.olympus-europa.com/company/en/news/press-releases/2021-09-11t03-00-00/investigating-potential-cybersecurity-incident-affecting-limited-areas-of-our-emea-it-system.html?2021-09-11t03-00-00.html

Excerpt: “Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners. We are currently working to determine the extent of the issue and will continue to provide updates as new information becomes available. We apologize for any inconvenience this has caused.”

Title: North Korean Hacker Recently Employed Social Media to Launch a Cyberattack
Date Published: September 13, 2021

https://cybersecuritylog.com/north-korean-hacker-recently-employed-social-media-to-launch-a-cyberattack

Excerpt: “Aside from that, they used email to infect the victim with malware, in order to get feedback on a column they claimed to have written about North Korean political affairs. A macro virus has been attached to this email, and if the recipient accepts to download the file, the virus will infect the target’s computer, causing it to crash and freeze. Using the social media feature of spear-phishing to target specific individuals, the attackers exploited the technique as a natural extension of standard spear phishing techniques.”

Title: Department of Justice and Constitutional Development of South Africa Hit by a Ransomware Attack
Date Published: September 13, 2021

https://securityaffairs.co/wordpress/122128/cyber-crime/department-of-justice-and-constitutional-development-of-south-africa-ransomware.html

Excerpt: “A ransomware attack hit the Department of Justice and Constitutional Development of South Africa, multiple services, including email and bail services have been impacted. The incident did not affect child maintenance payments for the month because they were already processed. The Department claims that no data has been exfiltrated by the ransomware operators. The department revealed that the security breach took place on September 6, the IT staff notified law enforcement and is working with them to quickly restore the operations. “This has led to all information systems being encrypted and unavailable to both internal employees as well as members of the public. As a result, all electronic services provided by the department are affected, including the issuing of letters of authority, bail services, e-mail and the departmental website”.”

Title: Are the Companies Systems/Information Protected Under the Employee’s Home Office Environments?
Date Published: September 13, 2021

https://teracloud.medium.com/are-the-companies-systems-information-protected-under-the-employees-home-office-environments-2dcf39fa983a

Excerpt: “Finally, people must understand that even if they are outside the office, the device from which they work is a door to the entire organization, so they must guarantee proper use. With a large number of professionals working from home, connecting to the Internet from a home network, probably poorly protected, and with outdated software, each of those employees is a potential target.
If you have a small or medium business and feel that your information and that of your clients is at risk, do not hesitate to contact us. We can help you solve security problems and provide you with cloud services that will promote the growth and support of your company. We have a free assessment and we are experts in protecting information and ensuring that your business has the necessary tools so that you can offer products and services in complete safety.”

Title: The Truth About VPNS — Your Privacy Is Compromised!
Date Published: September 13, 2021

https://www.zdnet.com/article/healthcare-orgs-in-california-arizona-send-out-breach-notice-letters-for-nearly-150000-after-ssns-accessed-during-ransomware-attacks/

Excerpt: “Even if you get a trustworthy VPN provider that doesn’t sell or misuse your data you can still be easily tracked and identified on the web. your IP address is only one of the many thousands of data points modern trackers collect about you, for example, most websites are running Google Analytics or other Google tracking services many VPN providers themselves are running Google trackers on their websites this means that even if you log off of your Google account you are still being tracked in over a short time the data you generate becomes comprehensive enough to identify you anything from snippets of your browsing history, cache, cookies, browser configuration or device configuration along with your operating system, battery life, and screen resolution can be uniquely identified.”

Title: Ransomware Lessons for a Nation Held Hostage
Date Published: September 12, 2021

https://www.lawfareblog.com/ransomware-lessons-nation-held-hostage

Excerpt: “Instead, anti-ransomware policy should focus on punishing the perpetrators. Some existing hostage recovery policies crack down on perpetrators directly through specialized units designed to disrupt hostage-taking attacks. In the United States, this looks like the FBI’s Hostage Rescue Team and two military Special Forces units—the Army’s Delta Force and the Navy’s SEALs—which relentlessly train to disrupt hostage crises around the world. In Colombia, specialized units in both the police and army focus exclusively on hostage-taking; they have been credited with driving the dramatic reduction in Colombian kidnapping over the past 20 years.”

Title: Snake Oil COVID-19 Treatment Sites Seized by Us Authorities
Date Published: September 12, 2021

https://sliitcs2.medium.com/snake-oil-covid-19-treatment-sites-seized-by-us-authorities-a03dd31791fd

Excerpt: “The two domains — http://pharmacywalmart[.]com and https://stromectolivermectin[.]com — both resolved to https://en.pharmacywalmart[.]com/buystromectol-usa[.]html and featured unauthorized use of the Walmart logo in an attempt to lend credibility to a scam that cynically played on pandemic-related fears. Each site purported to offer experimental or unapproved treatments for Covid-19 while in reality only existing to collect the personal details and financial information of prospective marks. People also easily got scammed and given their personal details, phone numbers, credential information such as credit card or master card numbers, pin numbers and ID numbers. Pharmacywalmart[.]com purported to offer for sale a number of drugs, including “Stromectol (Ivermectin), Aralen (Chloroquine) and Kaletra (Lopinavir and Ritonavir), for the experimental and unapproved treatment or prevention of Covid-19”, according to a statement by the US Department of Justice on the domain seizure action.”

Title: Revil Ransomware Operators Are Targeting New Victims
Date Published: September 12, 2021

https://securityaffairs.co/wordpress/122106/cyber-crime/revil-ransomware-resumed-operations.html

Excerpt: “Starting from July 13, the infrastructure and the websites used by the REvil ransomware gang were mysteriously unreachable. The Tor leak site, the payment website “decoder[.]re”, and their backend infrastructure went offline simultaneously. According to Bleeping Computer, on September 9th, someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal. This is clearly proof that the gang resumed their operations, the group also added Ohio Gratings inc to the list of the victims on their leak site. BleepingComputer also noticed that after the return of the group, a new public representative named ‘REvil’ had begun posting at cybercrime forums. REvil representative said that the gang temporarily shut down its operations after their previors representative of the gang, Unknown, was likely arrested and servers were compromised.“

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...

April 28, 2022

Title: New Bumblebee Malware Takes Over BazarLoader's Ransomware Delivery Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-takes-over-bazarloaders-ransomware-delivery/ Excerpt: “A newly discovered malware loader...

April 27, 2022

Title: Chinese State-Backed Hackers now Target Russian State Officers Date Published: April 27, 2022 https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/ Excerpt: “Security researchers analyzing a phishing...