OSN September 21, 2021

Fortify Security Team
Sep 21, 2021

Title: After Biden Warning, Hackers Define ‘Critical’ as They See Fit
Date Published: September 20, 2021


Excerpt: “In recent days, a Russia-linked ransomware group called BlackMatter attacked a grain cooperative in Iowa, an incident that appears to test Biden’s terms since “food and agriculture” is one of the protected sectors. In messages with Bloomberg News, however, BlackMatter said it has rules for how it operates its ransomware operation, a sort of ethical playbook for an illegal enterprise. Hospitals, the defense industry and the government sector are off-limits, according to details on the group’s dark web page. The hack on Iowa’s New Cooperative, however, didn’t violate Biden’s mandate, the group says.”

Title: Four Months on From Sophisticated Cyberattack, Alaska’s Health Department Is Still Recovering
Date Published: September 21, 2021


Excerpt: “The potential breach of personal information has only just been revealed, despite the incident being first detected in May and previous updates about the attack in June and August – according to a DHSS statement, this was delayed until now to avoid interference with a criminal investigation. And four months on from the initial attack, some DHSS online services still haven’t been restored and there’s no timeline for when they’ll be back. “All affected systems remain offline as we diligently and meticulously move through the three phases of our response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks,” said Scott McCutcheon, technology officer at DHSS.”

Title: Hacked Sites Push Teamviewer Using Fake Expired Certificate Alert
Date Published: September 20, 2021


Excerpt: “The payload dropped on infected systems is TVRAT (aka TVSPY, TeamSpy, TeamViewerENT, or Teamviewer RAT), a malware designed to provide its operators with full remote access to infected hosts. Once deployed on an infected device, the malware will silently install and launch an instance of the TeamViewer remote control software. After being launched, the TeamViewer server will reach out to a command-and-control (C2) server to let the attackers know they can remotely take complete control of the newly compromised computer. TVRAT first surfaced in 2013 when it was delivered via spam campaigns as malicious attachments that tricked targets into enabling Office macros.”

Title: Apache Openoffice Is Currently Impacted by a Remote Code Execution Flaw
Date Published: September 21, 2021


Excerpt: “At the time of this writing, the flaw was only addressed with a beta software update and awaits the official release. Apache OpenOffice (AOO) is currently vulnerable to a remote code execution vulnerability and while the app’s source code has been patched, the fix has only been made available as beta software and awaits an official release. An attacker could trigger the flaw by tricking the victim into opening a specially crafted .dbf file. Lim told El Reg the CVE-2021-33035 “is a buffer overflow by a .dbf file which overrides a return pointer with a DEP [data execution prevention] and ASLR [address space layout randomization] bypass to finally execute arbitrary commands by the attacker”.”

Title: Mafia Works Remotely, Too, It Seems: 100+ People Suspected of Phishing, SIM Swapping, Email Fraud Cuffed
Date Published: September 21, 2021


Excerpt: “Police arrested 106 people suspected of carrying out online fraud for an organized crime gang linked to the Italian Mafia, Europol said on Monday. Most of those detained were cuffed in Spain, and the rest in Italy, by Spanish National Police, Italian National Police, Europol, and Eurojust, we’re told. It’s claimed the suspects scammed hundreds of victims using phishing; SIM swapping attacks, in which crooks typically take control of people’s cellphone numbers to get account login tokens texted to them; and so-called business email compromise, in which fraudsters typically use bogus invoices and the like to trick company staff into transferring money to the thieves.”

Title: Chinese APT Data-Harvesting Campaign Analyzed
Date Published: September 20, 2021


Excerpt: “The threat actor, according to the report, gained initial access by compromising a victim’s web server by exploiting public-facing vulnerabilities for initial access. The threat actor used Winnti malware, known to be used in DNS tunneling by several adversaries – but it is also reportedly used with distinctive new backdoors or variants of existing malware families. The attackers then installed software to help collect information about the victim’s network, move laterally through the system and execute malicious files and help store tools.”

Title: Microsoft Investigates Outlook Issues With Security Keys, Search
Date Published: September 20, 2021


Excerpt: “Redmond is also looking for a fix to address reports of search results for Outlook Suggested Searches being inaccurate, incomplete, or missing. This issue is triggered by suggested search encoding that doesn’t match what Outlook for Microsoft 365 expects. Microsoft says that this bug mainly impacts Japanese, Russian, Hebrew, or Greek versions of Outlook but may also affect customers using other languages. Some Outlook customers also see sent messages incorrectly displaying follow-up flag status, leading to the flag not being applied for the recipient or being cleared without user interaction.”

Title: Hacker Makes Off With $12 Million in Latest DeFi Breach
Date Published: September 20, 2021


Excerpt: “In a series of tweets announcing the incident, pNetwork said, “We’re sorry to inform the community that an attacker was able to leverage a bug in our codebase and attack pBTC on BSC, stealing 277 BTC (most of its collateral). The other bridges were not affected. All other funds in the pNetwork are safe.” “The bridges will run with extra security measures in place for the first few days,” pNetwork said in a follow-up post. “This means slower transactions processing in exchange for higher security.” The platform says it will provide a $1.5 million bug bounty to the hacker, should they return the funds.”

Title: Multi-Party Breaches Cause 26-Times the Financial Damage of the Worst Single-Party Breach: Report
Date Published: September 21, 2021


Excerpt: “Using that as a filter, the incident base totaled 897 incidents from 2008 to 2020. More than half of the newly identified ripples were in 2019 and 2020, and the report postulated that there is a two-year delay between when an incident takes place and when the ripple effects fully unfold, with some taking as long as five years. A median multi-party breach causes 10 times the financial damage of a traditional single-party breach. In comparison, the worst of the multi-party breach events causes 26 times the financial damage of the worst single-party breach. It typically takes 379 days for a ripple event to impact 75% of its downstream victims, and the median number of organizations impacted by ripple events across the data set was 4.”

Title: Google to Auto-Reset Inactive Android App Permissions for Billions of Devices
Date Published: September 21, 2021


Excerpt: “Google intends to begin the gradual rollout in December to “billions of more devices,” running Android 6 and above with Google Play services. However, users having older Android versions can have this feature by manually enabling it for apps targeting API levels 23 to 29, Google explains in the blog post. While you might be tempted to allow a new image-filtering app access to your storage, there’s a good chance you will forget its existence after a few months. This security-enhancing feature will step in to reset the permissions once it is clear that the app has remained inactive for months. The aim is to bring more control over privacy-sensitive app permissions for Android users, especially those having dozens of apps on their devices, many of which are no longer in their regular use. The feature targets an app’s “runtime permissions,” or “dangerous permissions” for accessing contact details, location, messages, and other sensitive user data.”
