OSN September 22, 2021

Fortify Security Team
Sep 22, 2021

Title: Microsoft Exchange Autodiscover Bugs Leak 100k Windows Credentials
Date Published: September 22, 2021

https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-autodiscover-bugs-leak-100k-windows-credentials/

Excerpt: “For Microsoft Outlook clients that sent credentials using NTLM and OAuth, Serper created an attack dubbed “The ol’ switcheroo” that would force the client to downgrade the request to a Basic authentication request. This would once again allow the researcher to access the cleartext passwords for the user. When conducting these tests between April 20th, 2021, and August 25th, 2021, Guardicore servers received: 648,976 HTTP requests targeting their Autodiscover domains; 372,072 Basic authentication requests; and 96,671 unique pre-authenticated requests. Guardicore says the domains that sent their credentials include: publicly traded companies in the Chinese market, food manufacturers, investment banks, power plants, power delivery, real estate, shipping and logistics, fashion and jewelry.”
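The excerpt describes Outlook clients handing credentials to Autodiscover hosts the organisation does not control, and a challenge that downgrades NTLM/OAuth to Basic so the password crosses the wire in cleartext. The following is an added example, not code from the article or from Guardicore: a small audit over egress-proxy log lines that flags any Autodiscover request leaving for a host outside the organisation's own domains and decodes the username from a Basic header when one is present. The log format, the field names, the organisation domain `corp.example` and the log lines themselves are assumptions constructed for the example.

```python
"""Flag Autodiscover requests (and cleartext Basic credentials) sent to
hosts outside the organisation.  Added example; not the article's or
Guardicore's code.  The proxy log format below is an assumption."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed proxy log line: <client> <host> "<method> <path> HTTP/x.y" <status> auth="<Authorization value>"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)

# Assumed: the only domains whose Autodiscover endpoints should ever see our credentials.
ORG_DOMAINS = {"corp.example"}


@dataclass
class Finding:
    client: str
    host: str
    scheme: str               # "basic", "ntlm", "bearer", ... or "none"
    username: Optional[str]   # decoded only for Basic; None otherwise


def decode_basic(token: str) -> Tuple[Optional[str], Optional[str]]:
    """Decode a Basic token into (user, password); (None, None) if it is not valid base64."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None, None
    user, _, password = raw.partition(":")
    return user, password


def is_org_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def audit_autodiscover(lines: List[str]) -> List[Finding]:
    """Return one Finding per Autodiscover request that went to a non-org host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                              # not a line in the assumed format
        host = m["host"].lower()
        if not host.startswith("autodiscover.") or is_org_host(host):
            continue                              # normal traffic to our own Autodiscover
        scheme, _, token = m["auth"].partition(" ")
        scheme = scheme.lower() or "none"
        username = decode_basic(token)[0] if scheme == "basic" else None
        findings.append(Finding(m["client"], host, scheme, username))
    return findings


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sample log: one client, first to its own Autodiscover host, then to an
# Autodiscover host it does not control, first with NTLM and then (after a Basic
# challenge, the downgrade the article describes) with cleartext credentials.
SAMPLE_LOG = [
    f'10.0.0.5 autodiscover.corp.example "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 auth="Basic {_b64("alice@corp.example:Hunter2!")}"',
    '10.0.0.5 autodiscover.example "POST /autodiscover/autodiscover.xml HTTP/1.1" 401 auth="NTLM TlRMTVNTUAABAAAA"',
    f'10.0.0.5 autodiscover.example "POST /autodiscover/autodiscover.xml HTTP/1.1" 200 auth="Basic {_b64("alice@corp.example:Hunter2!")}"',
    '10.0.0.9 www.example "GET / HTTP/1.1" 200 auth=""',
]

if __name__ == "__main__":
    for f in audit_autodiscover(SAMPLE_LOG):
        print(f)
```

The check keys on the destination host rather than on the authentication scheme: an NTLM exchange with a host you do not control is already a problem (the challenge-response material leaves the network), and the Basic retry is what turns it into a cleartext password. Many proxies do not log the Authorization header at all; if yours does not, the host filter alone still catches the traffic pattern.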

Title: High-Severity RCE Vulnerability Found in Several Netgear Routers
Date Published: September 22, 2021

https://cybersecuritylog.com/high-severity-rce-vulnerability-found-in-several-netgear-routers

Excerpt: “As explained by GRIMM security researcher Adam Nichols, the security vulnerability is in Circle, a third-party component that is included in the firmware with the Circle update daemon turned on by default. With this configuration, a Man-in-the-Middle (MitM) attack might grant attackers with network access the ability to acquire root-level code execution (RCE). With Circle, Netgear, and the update daemon Circled working together in this manner, an interloper can stage a MitM attack and respond to the request to download new database entries with a specially crafted compressed database file, which allows the attacker to gain the ability to replace active binaries with malicious code.”

Title: MN: Crystal Valley Computer Systems Infected By Ransomware Attack
Date Published: September 22, 2021

https://www.databreaches.net/mn-crystal-valley-computer-systems-infected-by-ransomware-attack/

Excerpt: “On Sunday, September 19, Crystal Valley was alerted we had been targeted in a ransomware attack. This attack has infected the computer systems at Crystal Valley and severely interrupted the daily operations of the company. Crystal Valley and cyber security experts are working diligently to re-establish safe and secure operating systems, which will be back online when we are confident the issue has been resolved. Because of this, we are unable to accept Visa, Mastercard, and Discover at our cardtrols until further notice. Local cards do work. We appreciate your patience and understanding as we work through this issue. Updates will be given as more information becomes available.”

Title: Vermont Radio Stations Dealing With Fallout From Cyberattack
Date Published: September 20, 2021

https://www.wcax.com/2021/09/21/vermont-radio-stations-victims-cyber-attack/

Excerpt: “Marketron is a national company that helps companies manage their advertisements using automation to make a once lengthy process much faster. But a cyberattack launched by the Russian outfit BlackMatter is impacting thousands of Marketron’s customers, including several stations in Vermont. Steve Cormier of the Radio Vermont group says their Morrisville station, WLVB, was impacted. The station manager there scrambled to get ads on the air. “All of a sudden it’s more manual than it is just inputting things in and letting things show up where they’re supposed to show up. You really have to do the hard work once again to make sure there’s separation of commercials or categories,” Cormier said. Commercial radio and TV stations are funded largely by commercial sales, making it imperative for stations to spend extra hours to make sure these ads air.”

Title: VMware Patch Bulletin Warns: “This Needs Your Immediate Attention.”
Date Published: September 22, 2021

https://nakedsecurity.sophos.com/2021/09/22/vmware-patch-bulletin-warns-this-needs-your-immediate-attention/

Excerpt: “VMware’s latest security update includes patches for 19 different CVE-numbered vulnerabilities affecting the company’s vCenter Server and Cloud Foundation products. All of the bugs can be considered serious – they wouldn’t be enumerated in an official security advisory if they weren’t – but VMware has identified one of them, dubbed CVE-2021-22005, as more critical than the rest. Indeed, VMware’s official FAQ for Security Advisory VMSA-2021-0020 urges that: The ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.”

Title: Catching the Big Fish: Analyzing a Large-Scale Phishing-as-a-Service Operation
Date Published: September 21, 2021

https://www.microsoft.com/security/blog/2021/09/21/catching-the-big-fish-analyzing-a-large-scale-phishing-as-a-service-operation/

Excerpt: “The operators maintain multiple sites under their aliases, BulletProftLink, BulletProofLink, and Anthrax, including YouTube and Vimeo pages with instructional advertisements as well as promotional materials on forums and other sites. In many of these cases, and in ICQ chat logs posted by the operator, customers refer to the group as the aliases interchangeably. BulletProofLink additionally hosts multiple sites, including an online store where they allow their customers to register, sign in, and advertise their hosted service for monthly subscriptions. Over the course of monitoring this operation, their online store had undergone multiple revisions. The source code for the site’s pages contained references to artifacts elsewhere on the site, which included ICQ chat messages and advertisements.”

Title: New Nagios Software Bugs Could Let Hackers Take Over IT Infrastructures
Date Published: September 22, 2021

https://thehackernews.com/2021/09/new-nagios-software-bugs-could-let.html

Excerpt: “As many as 11 security vulnerabilities have been disclosed in Nagios network management systems, some of which could be chained to achieve pre-authenticated remote code execution with the highest privileges, as well as lead to credential theft and phishing attacks. Industrial cybersecurity firm Claroty, which discovered the flaws, said flaws in tools such as Nagios make them an attractive target owing to their “oversight of core servers, devices, and other critical components in the enterprise network.” The issues have since been fixed in updates released in August with Nagios XI 5.8.5 or above, Nagios XI Switch Wizard 2.5.7 or above, Nagios XI Docker Wizard 1.13 or above, and Nagios XI WatchGuard 1.4.8 or above.”

Title: New macOS Zero-Day Bug Lets Attackers Run Commands Remotely
Date Published: September 21, 2021

https://www.bleepingcomputer.com/news/apple/new-macos-zero-day-bug-lets-attackers-run-commands-remotely/

Excerpt: “While Apple silently fixed the issue without assigning a CVE identification number, as Minchan later discovered, Apple’s patch only partially addressed the flaw as it can still be exploited by changing the protocol used to execute the embedded commands from file:// to FiLe://. “Newer versions of macOS (from Big Sur) have blocked the file:// prefix (in the com.apple.generic-internet-location) however they did a case matching causing File:// or fIle:// to bypass the check,” the advisory adds. “We have notified Apple that FiLe:// (just mangling the value) doesn’t appear to be blocked, but have not received any response from them since the report has been made. As far as we know, at the moment, the vulnerability has not been patched”.”
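The bypass in the excerpt is a case-sensitive string comparison guarding a case-insensitive value: URL schemes are case-insensitive under RFC 3986, so a blocklist that only matches the exact bytes "file://" is defeated by "FiLe://". The following added example, which is neither Apple's code nor the advisory's, models the two checks side by side in Python. It assumes an .inetloc file is an XML property list whose "URL" key holds the location to open (the usual layout); the sample files are constructed here.

```python
"""Case-sensitive vs. normalising URL-scheme blocklist.  Added example;
not Apple's code or the advisory's.  Assumes an .inetloc file is a plist
with a "URL" string (constructed samples below)."""
import plistlib
import re
from typing import Dict, Optional

BLOCKED_SCHEMES = {"file"}

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")


def make_inetloc(url: str) -> bytes:
    """Build a minimal .inetloc-style plist around URL (constructed test input)."""
    return plistlib.dumps({"URL": url})


def url_from_inetloc(data: bytes) -> str:
    return plistlib.loads(data)["URL"]


def blocked_naive(url: str) -> bool:
    """The weak check: exact-case prefix match, so 'FiLe://' and 'File://' pass."""
    return url.startswith("file://")


def scheme_of(url: str) -> Optional[str]:
    """Extract the scheme and normalise it to lowercase; None if there is no scheme."""
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def blocked_hardened(url: str) -> bool:
    """Compare the parsed, lowercased scheme against the blocklist."""
    return scheme_of(url) in BLOCKED_SCHEMES


def evaluate(data: bytes) -> Dict[str, object]:
    """Run both checks over one .inetloc file and report what each would do."""
    url = url_from_inetloc(data)
    return {
        "url": url,
        "naive_blocks": blocked_naive(url),
        "hardened_blocks": blocked_hardened(url),
    }


# Constructed samples: the canonical form, the two case variants from the
# advisory, and an ordinary https URL that must stay allowed.
SAMPLES = [make_inetloc(u) for u in (
    "file:///Applications/Calculator.app",
    "FiLe:///Applications/Calculator.app",
    "File:///Applications/Calculator.app",
    "https://example.com/",
)]

if __name__ == "__main__":
    for d in SAMPLES:
        print(evaluate(d))
```

Parsing the scheme out and lowercasing it is the whole fix; a second blocklist entry per capitalisation variant is not, because there are 2^4 spellings of "file" alone. The regex also tolerates leading whitespace, which a prefix match would likewise miss.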

Title: OWASP Top 10 Vulnerabilities
Date Published: September 22, 2021

https://bpbonline.medium.com/owasp-top-10-vulnerabilities-7e77f6446dc4

Excerpt: “Open Web Security Project is a non-profit charitable organization. It is a global reference for large types of vulnerabilities. OWASP Top 10 addresses the most impactful application security risks based on a larger number of data sets and opinions surveyed from a plethora of industry professionals. There have been three released in this decade — 2010, 2013, and 2017. Let’s see the top 10 OWASP vulnerabilities: A1- Injection, A2- Broken Authentication, A3- Sensitive Data Exposure…”

Title: US Sanctions Cryptocurrency Exchange SUEX for Aiding Ransomware Gangs
Date Published: September 21, 2021

https://thehackernews.com/2021/09/us-sanctions-cryptocurrency-exchange.html

Excerpt: “The U.S. Treasury Department on Tuesday imposed sanctions on Russian cryptocurrency exchange Suex for helping facilitate and launder transactions from at least eight ransomware variants as part of the government’s efforts to crack down on a surge in ransomware incidents and make it difficult for bad actors to profit from such attacks using digital currencies. “Virtual currency exchanges such as SUEX are critical to the profitability of ransomware attacks, which help fund additional cybercriminal activity,” the department said in a press release. “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors. SUEX is being designated pursuant to Executive Order 13694, as amended, for providing material support to the threat posed by criminal ransomware actors.””
