OSN September 22, 2021

Fortify Security Team
Sep 22, 2021

Title: Microsoft Exchange Autodiscover Bugs Leak 100k Windows Credentials
Date Published: September 22, 2021


Excerpt: “For Microsoft Outlook clients that sent credentials using NTLM and OAuth, Serper created an attack dubbed “The ol’ switcheroo” that would force the client to downgrade the request to a Basic authentication request. This would once again allow the researcher to access the cleartext passwords for the user. When conducting these tests between April 20th, 2021, and August 25th, 2021, Guardicore servers received: 648,976 HTTP requests targeting their Autodiscover domains; 372,072 Basic authentication requests; 96,671 unique pre-authenticated requests. Guardicore says the domains that sent their credentials include: publicly traded companies in the Chinese market, food manufacturers, investment banks, power plants, power delivery, real estate, shipping and logistics, fashion and jewelry.”
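The two things a defender would want to check for the Autodiscover issue above are (a) whether any client on the network is already sending Basic (cleartext) credentials to an autodiscover host, and (b) whether a server challenge is the “switcheroo” pattern, i.e. the client offered NTLM or OAuth and the 401 answers with Basic only. The following is an added example written for this digest, not code from Guardicore or the article; the request records and the NTLM/Bearer blobs are constructed, and the record layout (client IP, host, path, Authorization header) is an assumption about what a proxy or web-server log would export.

```python
"""Flag Basic-auth Autodiscover requests and detect a Basic-only downgrade challenge.

Added example for this digest (not Guardicore's or the article's code).
SAMPLE_REQUESTS is constructed; the tuple layout is an assumed log export format.
"""
import base64
import binascii
import re

# Constructed sample records: (client_ip, host, path, authorization_header)
SAMPLE_REQUESTS = [
    ("10.0.0.5", "autodiscover.example.com", "/autodiscover/autodiscover.xml",
     "Basic " + base64.b64encode(b"example.com\\alice:Winter2021!").decode()),
    ("10.0.0.6", "autodiscover.example.com", "/autodiscover/autodiscover.xml",
     "NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="),   # constructed Type-1 blob
    ("10.0.0.7", "autodiscover.example.com", "/autodiscover/autodiscover.xml",
     "Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig"),                 # constructed token
    ("10.0.0.8", "mail.example.com", "/owa/",
     "Basic bm90OmF1dG9kaXNjb3Zlcg=="),                       # Basic, but not Autodiscover
]

AUTODISCOVER_HOST = re.compile(r"^autodiscover\.", re.IGNORECASE)


def auth_scheme(header):
    """Lower-cased scheme token of an Authorization header ('basic', 'ntlm', 'bearer', ...)."""
    if not header:
        return None
    return header.split(None, 1)[0].lower()


def basic_username(header):
    """Decode only the user part of a Basic credential; the password is never returned."""
    try:
        raw = base64.b64decode(header.split(None, 1)[1], validate=True)
    except (IndexError, binascii.Error):
        return None
    user, sep, _password = raw.partition(b":")
    return user.decode("utf-8", "replace") if sep else None


def find_cleartext_autodiscover(requests):
    """(client_ip, host, username) for every Basic-auth request to an Autodiscover host."""
    hits = []
    for ip, host, _path, auth in requests:
        if AUTODISCOVER_HOST.search(host) and auth_scheme(auth) == "basic":
            hits.append((ip, host, basic_username(auth)))
    return hits


def challenge_schemes(www_authenticate_headers):
    """Scheme tokens offered by a 401 response, one WWW-Authenticate header per entry."""
    return {h.split(None, 1)[0].lower() for h in www_authenticate_headers if h.strip()}


def is_basic_downgrade(sent_scheme, www_authenticate_headers):
    """The 'switcheroo': the client offered something other than Basic and the
    server's 401 offers Basic and nothing else."""
    return (sent_scheme.lower() != "basic"
            and challenge_schemes(www_authenticate_headers) == {"basic"})


if __name__ == "__main__":
    for ip, host, user in find_cleartext_autodiscover(SAMPLE_REQUESTS):
        print(f"cleartext credential to Autodiscover: {ip} -> {host} as {user!r}")
    print("downgrade:", is_basic_downgrade("NTLM", ['Basic realm="autodiscover"']))
```

A client that refuses a challenge for which `is_basic_downgrade` is true never hands over the cleartext password, whatever the server says; on the monitoring side, any hit from `find_cleartext_autodiscover` on an egress proxy means a mailbox password has already left the network in base64.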

Title: High-Severity RCE Vulnerability Found in Several Netgear Routers
Date Published: September 22, 2021


Excerpt: “As explained by GRIMM security researcher Adam Nichols, the security vulnerability is in Circle, a third-party component that is included in the firmware with the Circle update daemon turned on by default. With this configuration, a Man-in-the-Middle (MitM) attack might grant attackers with network access the ability to acquire root-level code execution (RCE). With Circle, Netgear, and the update daemon Circled working together in this manner, an interloper can stage a MitM attack and respond to the request to download new database entries with a specially crafted compressed database file, which allows the attacker to gain the ability to replace active binaries with malicious code.”

Title: MN: Crystal Valley Computer Systems Infected By Ransomware Attack
Date Published: September 22, 2021


Excerpt: “On Sunday, September 19, Crystal Valley was alerted we had been targeted in a ransomware attack. This attack has infected the computer systems at Crystal Valley and severely interrupted the daily operations of the company. Crystal Valley and cyber security experts are working diligently to re-establish safe and secure operating systems, which will be back online when we are confident the issue has been resolved. Because of this, we are unable to accept Visa, Mastercard, and Discover at our cardtrols until further notice. Local cards do work. We appreciate your patience and understanding as we work through this issue. Updates will be given as more information becomes available.”

Title: Vermont Radio Stations Dealing With Fallout From Cyberattack
Date Published: September 20, 2021


Excerpt: “Marketron is a national company that helps companies manage their advertisements using automation to make a once lengthy process much faster. But a cyberattack launched by the Russian outfit BlackMatter is impacting thousands of Marketron’s customers, including several stations in Vermont. Steve Cormier of the Radio Vermont group says their Morrisville station, WLVB, was impacted. The station manager there scrambled to get ads on the air. “All of a sudden it’s more manual than it is just inputting things in and letting things show up where they’re supposed to show up. You really have to do the hard work once again to make sure there’s separation of commercials or categories,” Cormier said. Commercial radio and TV stations are funded largely by commercial sales, making it imperative for stations to spend extra hours to make sure these ads air.”

Title: VMware Patch Bulletin Warns: “This Needs Your Immediate Attention.”
Date Published: September 22, 2021


Excerpt: “VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products. All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as more critical than the rest. Indeed, VMware’s official FAQ for Security Advisory VMSA-2021-0020 urges that: The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.”

Title: Catching the Big Fish: Analyzing a Large-Scale Phishing-as-a-Service Operation
Date Published: September 21, 2021


Excerpt: “The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group as the aliases interchangeably. BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions. Over the course of monitoring this operation, their online store had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and advertisements.”

Title: New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures
Date Published: September 22, 2021


Excerpt: “As many as 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks. Industrial cybersecurity firm Claroty, which discovered the flaws, said flaws in tools such as Nagios make them an attractive target owing to their “oversight of core servers, devices, and other critical components in the enterprise network.” The issues have since been fixed in updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.”

Title: New macOS Zero-Day Bug Lets Attackers Run Commands Remotely
Date Published: September 21, 2021


Excerpt: “While Apple silently fixed the issue without assigning a CVE identification number, as Minchan later discovered, Apple’s patch only partially addressed the flaw as it can still be exploited by changing the protocol used to execute the embedded commands from file:// to FiLe://. “Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check,” the advisory adds. “We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched”.”
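The bypass described above is a literal, case-sensitive prefix match on `file://` where the check should have compared the parsed URI scheme case-insensitively (RFC 3986 makes schemes case-insensitive, with lowercase as the canonical form). The following is an added example for this digest, not Apple's code: it shows the flawed check beside a scheme-aware one and runs both over a constructed `.inetloc` plist. That the file is a plist with a `URL` key is an assumption about the format, as is the sample path.

```python
"""Case-sensitive scheme blocklist (the bug) versus a parsed, case-insensitive one.

Added example for this digest, not Apple's code. SAMPLE_INETLOC is constructed;
treating an .inetloc file as a plist with a 'URL' key is an assumption.
"""
import plistlib
from urllib.parse import urlsplit

BLOCKED_SCHEMES = {"file"}

# Constructed .inetloc-style plist using the mixed-case scheme from the advisory.
SAMPLE_INETLOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>URL</key>
    <string>FiLe:///System/Applications/Calculator.app</string>
</dict>
</plist>
"""


def blocked_case_sensitive(url):
    """The flawed check: a literal prefix compare, so 'File://', 'fIle://' and
    'FiLe://' all pass even though they open the same local path."""
    return url.startswith("file://")


def blocked_scheme_aware(url):
    """Hardened check: parse the URL and compare the scheme case-insensitively.
    urlsplit() already lower-cases the scheme; .lower() is kept for clarity."""
    return urlsplit(url).scheme.lower() in BLOCKED_SCHEMES


def inetloc_url(data):
    """URL field of an .inetloc plist (field name assumed; empty string if absent)."""
    return plistlib.loads(data).get("URL", "")


def evaluate_inetloc(data):
    """Run both checks over the URL embedded in the file."""
    url = inetloc_url(data)
    return {
        "url": url,
        "naive_blocked": blocked_case_sensitive(url),
        "hardened_blocked": blocked_scheme_aware(url),
    }


if __name__ == "__main__":
    for variant in ("file://", "File://", "fIle://", "FiLe://"):
        u = variant + "/System/Applications/Calculator.app"
        print(f"{variant:8} naive={blocked_case_sensitive(u)!s:5} hardened={blocked_scheme_aware(u)}")
    print(evaluate_inetloc(SAMPLE_INETLOC))
```

The general lesson applies beyond this one handler: any allow- or deny-list keyed on a URI scheme must be applied to the normalized scheme produced by a parser, never to the raw prefix of the string the user supplied.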

Title: OWASP Top 10 Vulnerabilities
Date Published: September 22, 2021


Excerpt: “Open Web Security Project is a non-profit charitable organization. It is a global reference for large types of vulnerabilities. OWASP Top 10 addresses the most impactful application security risks based on a larger number of data sets and opinions surveyed from a plethora of industry professionals. There have been three released in this decade — 2010, 2013, and 2017. Let’s see the top 10 OWASP vulnerabilities: A1- Injection, A2- Broken Authentication, A3- Sensitive Data Exposure…”

Title: US Sanctions Cryptocurrency Exchange SUEX for Aiding Ransomware Gangs
Date Published: September 21, 2021


Excerpt: “The U.S. Treasury Department on Tuesday imposed sanctions on Russian cryptocurrency exchange Suex for helping facilitate and launder transactions from at least eight ransomware variants as part of the government’s efforts to crack down on a surge in ransomware incidents and make it difficult for bad actors to profit from such attacks using digital currencies. “Virtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity,” the department said in a press release. “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors. SUEX is being designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors.””
