OSN September 24, 2021

Fortify Security Team
Sep 24, 2021

Title: Financially Motivated Actor Breaks Certificate Parsing to Avoid Detection
Date Published: September 23, 2021

https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/

Excerpt: “Attackers often rely on varying behaviors between different systems to gain access. For instance, attacker’s may bypass filtering by convincing a mail gateway that a document is benign so the computer treats it as an executable program. In the case of the attack outlined below, we see that attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products. We believe this is a technique the attacker is using to evade detection rules.”

Title: Karma Seeks Free Publicity to Fulfill Ransomware Destiny
Date Published: September 24, 2021

https://www.bankinfosecurity.com/blogs/karma-seeks-free-publicity-to-fulfill-ransomware-destiny-p-3124

Excerpt: “”We call each target as well as their partners and journalists; the pressure increases significantly,” Unknown, a core member of the REvil – aka Sodinokibi – operation, told threat intelligence firm Recorded Future early this year. “And after that, if you start publishing files, well, it is absolutely gorgeous. But to finish off with DDoS is to kill the company.” Since late 2019, many ransomware operations have engaged in double extortion, which refers to threatening to name and shame victims and leak their data. Some practice so-called triple extortion, which refers to hitting their target nonpaying victims with distributed denial-of-service attacks. Quadruple extortion, meanwhile, refers to attackers contacting a victim’s customers or business partners to tell them their data has been exposed, and yet the victim is refusing to pay the ransom required to safeguard their details.”

Title: ‘Anonymous’ Hackers Claim to Hit Website Hosting Firm Popular With Far-Right Groups
Date Published: September 24, 2021

https://www.infosecurity-magazine.com/news/anonymous-hackers-hosting-far-right/

Excerpt: “Last week, hacking group Anonymous claimed to have stolen and leaked data held by Epik, a website hosting firm popular with far-right organizations like the Proud Boys. The reams of data, amounting to 150 gigabytes, include information about those who tried to overturn the 2020 presidential election. Epik has historically provided web hosting services to a number of conspiracy theorists and conservative media networks. On Epik’s clientele list were several sites banned from other platforms for violating hate speech and misinformation policies. These include those associated with the Proud Boys, 8chan, Parler, and QAnon conspiracy groups.”

Title: Cisco Addresses 3 Critical Vulnerabilities in IoS XE Software
Date Published: September 24, 2021

https://securityaffairs.co/wordpress/122538/security/cisco-ios-xe-critical-flaws.html

Excerpt: “A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Software for Cisco Catalyst 9000 Family Wireless Controllers could allow an unauthenticated, remote attacker to execute arbitrary code with administrative privileges or cause a denial of service (DoS) condition on an affected device.” reads the advisory published by Cisco. The flaw is due to a logic error that occurs during the validation of CAPWAP packets. A remote, unauthenticated attacker can trigger the flaw by sending a specially crafted CAPWAP packet to a vulnerable device. Successful exploitation of the issue could allow the attacker to execute arbitrary code with administrative privileges or cause the device to crash and reload.”

Title: Researcher Drops Three IoS Zero-Days That Apple Refused to Fix
Date Published: September 24, 2021

https://www.bleepingcomputer.com/news/security/researcher-drops-three-ios-zero-days-that-apple-refused-to-fix/

Excerpt: “Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the researcher. The unknown researcher who found the four zero-days reported them to Apple between March 10 and May 4. However, the company silently patched one of them in July with the release of 14.7 without giving credit in the security advisory. “When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update,” the researcher said earlier today. “There were three releases since then and they broke their promise each time.”

Title: FBI Arrests 75-Year-Old for Allegedly Placing Pipe Bombs Outside Phone, Carrier Store
Date Published: September 24, 2021

https://www.zdnet.com/article/fbi-arrests-75-year-old-for-allegedly-placing-pipe-bombs-outside-phone-carrier-stores/

Excerpt: “According to the US Department of Justice (DoJ), a resident of Whittemore, Michigan, named as John Douglas Allen, was arrested on Wednesday in connection to homemade bombs being left outside stores in Cheboygan and Sault Ste Marie. The affidavit claims that on September 15, Allen placed a USPS box outside of an AT&T store, before moving on to place another USPS box outside of a Verizon outlet. The boxes, taped up and with wires coming out of them, were seized and checked out by the FBI’s laboratory Explosive Unit, which determined they were pipe bombs.”

Title: Sonicwall Fixes Critical Bug Allowing SMA 100 Device Takeover
Date Published: September 24, 2021

https://www.bleepingcomputer.com/news/security/sonicwall-fixes-critical-bug-allowing-sma-100-device-takeover/

Excerpt: “SonicWall has patched a critical security flaw impacting several Secure Mobile Access (SMA) 100 series products that can let unauthenticated attackers remotely gain admin access on targeted devices. The SMA 100 series appliances vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034 include SMA 200, 210, 400, 410, and 500v. There are no temporary mitigations to remove the attack vector, and SonicWall strongly urges impacted customers to deploy security updates that address the flaw as soon as possible.”

Title: REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
Date Published: September 23, 2021

https://threatpost.com/revil-affiliates-leadership-cheated-ransom-payments/174972/

Excerpt: “A day after news broke about REvil having screwed their own affiliates out of ransomware payments – by using double chats and a backdoor that let REvil operators hijack ransom payments – those affiliates took to the top Russian-language hacking forum to renew their demands for REvil to fork over their pilfered share of ransom payments. Advanced Intelligence, the threat intelligence firm that disclosed the backdoor and double chats, told Threatpost on Thursday that a high-profile actor with an established reputation on the top Russian language hacking forum – Exploit – used AdvIntel’s report findings to revitalize a claim filed in May against REvil on the Russian underground.”

Title: Microsoft Exchange Autodiscover Flaw Reveals Users’ Passwords
Date Published: September 23, 2021

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/microsoft-exchange-autodiscover-flaw-reveals-users-passwords/

Excerpt: “From Microsoft’s site we learn that “the Autodiscover service minimizes user configuration and deployment steps by providing clients access to Exchange features. For Exchange Web Services (EWS) clients, Autodiscover is typically used to find the EWS endpoint URL. However, Autodiscover can also provide information to configure clients that use other protocols. Autodiscover works for client applications that are inside or outside firewalls and in resource forest and multiple forest scenarios. Which boils down to a feature of Exchange email servers that allows email clients to automatically discover email servers, provide credentials, and then receive proper configurations. Designed to make the user’s life easier while forgetting that such designs need to be done with security in mind. Because cybercriminals love such features and use them for their own purposes.”

Title: 100M IoT Devices Exposed By Zero-Day Bug
Date Published: September 23, 2021

https://threatpost.com/100m-iot-devices-zero-day-bug/174963/

Excerpt: “A flaw in a widely used internet-of-things (IoT) infrastructure code left more than 100 million devices across 10,000 enterprises vulnerable to attacks. Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, then acts as a “message broker” to deliver alerts that atypical activity has been detected. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, monitor car systems, in smartwatches, in smart-city applications and more. “Guardara used its technology to detect multiple issues…that caused EMQ’s NanoMQ product to crash during testing,” the company said in a press statement. “The existence of these vulnerabilities means that any NanoMQ reliant system could be brought down completely”.”

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...

April 28, 2022

Title: New Bumblebee Malware Takes Over BazarLoader's Ransomware Delivery Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-takes-over-bazarloaders-ransomware-delivery/ Excerpt: “A newly discovered malware loader...

April 27, 2022

Title: Chinese State-Backed Hackers now Target Russian State Officers Date Published: April 27, 2022 https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/ Excerpt: “Security researchers analyzing a phishing...