OSN September 15, 2021

Fortify Security Team
Sep 15, 2021

Title: Zloader Attacks Able to Disable Windows Defender
Date Published: September 15, 2021

https://heimdalsecurity.com/blog/zloader-attacks-able-to-disable-windows-defender/

Excerpt: “The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness. The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads. This is the first time we have observed this attack chain in a ZLoader campaign. At the time of writing, we have no evidence that the delivery chain has been implemented by a specific affiliate or if it was provided by the main operator. SentinelLabs continues to monitor this threat in order to track further activity.”

Title: Attackers Impersonate DoT in Two-Day Phishing Scam
Date Published: September 15, 2021

https://threatpost.com/attackers-impersonate-dot-phishing-scam/169484/

Excerpt: “Between Aug. 16-18, researchers at e-mail security provider INKY detected 41 phishing emails dangling the lure of bidding for projects benefitting from a $1 trillion infrastructure package recently passed by Congress, according to a report written by INKY’s Roger Kay, vice president of security strategy, that was published on Wednesday. The campaign – which targeted companies in industries such as engineering, energy and architecture that likely would work with the USDOT – sends potential victims an initial email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid”.”

Title: U.S. Fines Former NSA Employees Who Provided Hacker-for-Hire Services to UAE
Date Published: September 14, 2021

https://therecord.media/us-fines-former-nsa-employees-who-provided-hacker-for-hire-services-to-uae/

Excerpt: “Marc Baier, 49, Ryan Adams, 34, and Daniel Gericke, 40, broke US export control laws that require companies and individuals to obtain a special license from the State Department’s Directorate of Defense Trade Controls (DDTC) before providing defense-related services to a foreign government.

According to court documents [PDF], the three suspects helped the UAE company develop and successfully deploy at least two hacking tools. The three entered into a first-of-its-kind deferred prosecution agreement with the DOJ today, agreeing to pay $750,000, $600,000, and $335,000, respectively, over a three-year term, in order to avoid jail time for their actions.”

Title: Northern Light Health Reports Data Breach
Date Published: September 16, 2021

https://wgme.com/news/local/northern-light-health-reports-data-breach

Excerpt: “Northern Light Health says some contact information was stolen like patients’ names, addresses, phone numbers, email addresses, and date of birth, but no banking or financial information. Northern Light Health says it is working to review its existing policies and procedures regarding its third-party vendors and is working with Blackbaud to evaluate additional measures and safeguards to protect against this type of incident in the future.”

Title: The Concept of Zero Trust and Why You Should Consider Implementing It
Date Published: September 16, 2021

https://medium.com/@CryptixAG/the-concept-of-zero-trust-and-why-you-should-consider-implementing-it-a82bc6dee43

Excerpt: “The Zero Trust Network or Zero Trust Architecture was originally developed by John Kindervag in 2010 during his tenure as vice-president of Forrester Research. It represents a shift from the prior “castle-and-moat approach” in which the company-internal systems were protected with a firewall as the moat. In this outdated approach (not fit for the age of cloud computing and remote working), it was assumed that all users inside the company perimeter act responsibly and can be trusted.”

Title: Cybercriminals Recreate Cobalt Strike in Linux
Date Published: September 15, 2021

https://www.zdnet.com/article/cybercriminals-recreate-cobalt-strike-in-linux/

Excerpt: “Dubbed Vermilion Strike, Intezer said on Tuesday that the new variation leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions. Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been constantly abused by threat actors including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan.”

Title: Analyzing The ForcedEntry Zero-Click iPhone Exploit Used By Pegasus
Date Published: September 15, 2021

https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html

Excerpt: “According to Citizen Lab’s report, Kismet was used from July to September 2020 and was launched against devices running at least iOS 13.5.1 and 13.7. It was likely not effective against the iOS 14 update in September. Then, in February 2021, the NSO Group started deploying the zero-click exploit that managed to circumvent BlastDoor, which Citizen Lab calls ForcedEntry. Amnesty Tech, a global collective of digital rights advocates and security researchers, also observed zero-click iMessage exploit activity during this period and referred to it as Megalodon.”

Title: Two-Thirds of Cloud Attacks Could Be Stopped by Checking Configurations, Research Finds
Date Published: September 15, 2021

https://www.zdnet.com/article/two-thirds-of-cloud-attacks-could-be-stopped-by-checking-configurations-research-finds/

Excerpt: “Misconfiguration, API errors or exposure, and oversight in securing cloud environments have also led to the creation of a thriving underground market for public cloud initial access. According to IBM, in 71% of ads listed — out of close to 30,000 — Remote Desktop Protocol (RDP) access is on offer for criminal purposes. In some cases, cloud environment access is being sold for as little as a few dollars, although depending on the perceived value of the target — such as for information theft or potential ransomware payments — access can fetch thousands of dollars.”

Title: DOJ Fines NSA Hackers Who Assisted UAE in Attacks on Dissidents
Date Published: September 15, 2021

https://www.zdnet.com/article/doj-fines-nsa-hackers-who-assisted-uae-in-attacks-on-dissidents/

Excerpt: “Despite the accusations listed in the court filing, the DOJ said Baier, Adams, and Gericke — all former NSA employees or members of the US military — reached an agreement on September 7 to pay the fines in addition to other restrictions on their work. Baier will be forced to pay $750,000, Adams will pay $600,000 and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and relinquish any foreign or US security clearances.”
