OSN September 21, 2021

Fortify Security Team
Sep 21, 2021

Title: After Biden Warning, Hackers Define ‘Critical’ as They See Fit
Date Published: September 20, 2021


Excerpt: “In recent days, a Russia-linked ransomware group called BlackMatter attacked a grain cooperative in Iowa, an incident that appears to test Biden’s terms since “food and agriculture” is one of the protected sectors. In messages with Bloomberg News, however, BlackMatter said it has rules for how it operates its ransomware operation, a sort of ethical playbook for an illegal enterprise. Hospitals, the defense industry and the government sector are off-limits, according to details on the group’s dark web page. The hack on Iowa’s New Cooperative, however, didn’t violate Biden’s mandate, the group says.”

Title: Four Months on From Sophisticated Cyberattack, Alaska’s Health Department Is Still Recovering
Date Published: September 21, 2021


Excerpt: “The potential breach of personal information has only just been revealed, despite the incident being first detected in May and previous updates about the attack in June and August – according to a DHSS statement, this was delayed until now to avoid interference with a criminal investigation. And four months on from the initial attack, some DHSS online services still haven’t been restored and there’s no timeline for when they’ll be back. “All affected systems remain offline as we diligently and meticulously move through the three phases of our response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks,” said Scott McCutcheon, technology officer at DHSS.”

Title: Hacked Sites Push Teamviewer Using Fake Expired Certificate Alert
Date Published: September 20, 2021


Excerpt: “The payload dropped on infected systems is TVRAT (aka TVSPY, TeamSpy, TeamViewerENT, or Teamviewer RAT), a malware designed to provide its operators with full remote access to infected hosts. Once deployed on an infected device, the malware will silently install and launch an instance of the TeamViewer remote control software. After being launched, the TeamViewer server will reach out to a command-and-control (C2) server to let the attackers know they can remotely take complete control of the newly compromised computer. TVRAT first surfaced in 2013 when it was delivered via spam campaigns as malicious attachments that tricked targets into enabling Office macros.”

Title: Apache Openoffice Is Currently Impacted by a Remote Code Execution Flaw
Date Published: September 21, 2021


Excerpt: “At the time of this writing, the flaw was only addressed with a beta software update and awaits the official release. Apache OpenOffice (AOO) is currently vulnerable to a remote code execution vulnerability and while the app’s source code has been patched, the fix has only been made available as beta software and awaits an official release. An attacker could trigger the flaw by tricking the victim into opening a specially crafted .dbf file. Lim told El Reg the CVE-2021-33035 “is a buffer overflow by a .dbf file which overrides a return pointer with a DEP [data execution prevention] and ASLR [address space layout randomization] bypass to finally execute arbitrary commands by the attacker”.”

Title: Mafia Works Remotely, Too, It Seems: 100+ People Suspected of Phishing, SIM Swapping, Email Fraud Cuffed
Date Published: September 21, 2021


Excerpt: “Police arrested 106 people suspected of carrying out online fraud for an organized crime gang linked to the Italian Mafia, Europol said on Monday. Most of those detained were cuffed in Spain, and the rest in Italy, by Spanish National Police, Italian National Police, Europol, and Eurojust, we’re told. It’s claimed the suspects scammed hundreds of victims using phishing; SIM swapping attacks, in which crooks typically take control of people’s cellphone numbers to get account login tokens texted to them; and so-called business email compromise, in which fraudsters typically use bogus invoices and the like to trick company staff into transferring money to the thieves.”

Title: Chinese APT Data-Harvesting Campaign Analyzed
Date Published: September 20, 2021


Excerpt: “The threat actor, according to the report, gained initial access by compromising a victim’s web server by exploiting public-facing vulnerabilities for initial access. The threat actor used Winnti malware, known to be used in DNS tunneling by several adversaries – but it is also reportedly used with distinctive new backdoors or variants of existing malware families. The attackers then installed software to help collect information about the victim’s network, move laterally through the system and execute malicious files and help store tools.”

Title: Microsoft Investigates Outlook Issues With Security Keys, Search
Date Published: September 20, 2021


Excerpt: “Redmond is also looking for a fix to address reports of search results for Outlook Suggested Searches being inaccurate, incomplete, or missing. This issue is triggered by suggested search encoding that doesn’t match what Outlook for Microsoft 365 expects. Microsoft says that this bug mainly impacts Japanese, Russian, Hebrew, or Greek versions of Outlook but may also affect customers using other languages. Some Outlook customers also see sent messages incorrectly displaying follow-up flag status, leading to the flag not being applied for the recipient or being cleared without user interaction.”

Title: Hacker Makes Off With $12 Million in Latest DeFi Breach
Date Published: September 20, 2021


Excerpt: “In a series of tweets announcing the incident, pNetwork said, “We’re sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral). The other bridges were not affected. All other funds in the pNetwork are safe.” “The bridges will run with extra security measures in place for the first few days,” pNetwork said in a follow-up post. “This means slower transactions processing in exchange for higher security.” The platform says it will provide a $1.5 million bug bounty to the hacker, should they return the funds.”

Title: Multi-Party Breaches Cause 26-Times the Financial Damage of the Worst Single-Party Breach: Report
Date Published: September 21, 2021


Excerpt: “Using that as a filter, the incident base totaled 897 incidents from 2008 to 2020. More than half of the newly identified ripples were in 2019 and 2020, and the report postulated that there is a two-year delay between when an incident takes place and when the ripple effects fully unfold, with some taking as long as five years. A median multi-party breach causes 10 times the financial damage of a traditional single-party breach. In comparison, the worst of the multi-party breach events causes 26 times the financial damage of the worst single-party breach. It typically takes 379 days for a ripple event to impact 75% of its downstream victims, and the median number of organizations impacted by ripple events across the data set was 4.”

Title: Google to Auto-Reset Inactive Android App Permissions for Billions of Devices
Date Published: September 21, 2021


Excerpt: “Google intends to begin the gradual rollout in December to “billions of more devices,” running Android 6 and above with Google Play services. However, users having older Android versions can have this feature by manually enabling it for apps targeting API levels 23 to 29, Google explains in the blog post. While you might be tempted to allow a new image-filtering app access to your storage, there’s a good chance you will forget its existence after a few months. This security-enhancing feature will step in to reset the permissions once it is clear that the app has remained inactive for months. The aim is to bring more control over privacy-sensitive app permissions for Android users, especially those having dozens of apps on their devices, many of which are no longer in their regular use. The feature targets an app’s “runtime permissions,” or “dangerous permissions” for accessing contact details, location, messages, and other sensitive user data.”
