OSN September 28, 2021

Fortify Security Team
Sep 28, 2021

Title: A Complete PoC Exploit for CVE-2021-22005 in VMware vCenter Is Available Online
Date Published: September 28, 2021

https://securityaffairs.co/wordpress/122686/hacking/cve-2021-22005-exploit-vmware-vcenter.html

Excerpt: “Researchers from BleepingComputer also reported that threat actors have started to exploit CVE-2021-22005 using code released by security researcher Jang. VMware confirmed it is aware of threat actors exploiting the flaw in the wild. “The VMSA outlines a number of issues that are resolved in this patch release. The most urgent addresses CVE-2021-22005, a file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.” reads a post published by VMWare.”

Title: Microsoft Warns: Active Directory Foggyweb Malware Being Actively Used by Nobelium Gang
Date Published: September 28, 2021

https://www.theregister.com/2021/09/28/active_directory_foggyweb_malware/

Excerpt: “Once Nobelium obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools,” Nafisi explained. “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components.” Nobelium, which is believed to be linked to the Russian government, has been fingered for the 2020 attack on SolarWinds’ Orion IT monitoring platform, which was then used as a jumping-off point to infiltrate US government networks – including the US courts system.”

Title: Ethereum Dev Admits to Helping North Korea Evade Crypto Sanctions
Date Published: September 27, 2021

https://www.bleepingcomputer.com/news/security/ethereum-dev-admits-to-helping-north-korea-evade-crypto-sanctions/

Excerpt: “After his guilty plea, Griffith, a U.S. Citizen and a Singapore resident, faces a maximum sentence of 20 years in prison. He is scheduled to be sentenced next year, on January 18, 2022. “As he admitted in court today, Virgil Griffith agreed to help one of our nation’s most dangerous foreign adversaries, North Korea,” U.S. Attorney Audrey Strauss said today. “Griffith worked with others to provide cryptocurrency services to North Korea and assist North Korea in evading sanctions, and traveled to North Korea to do so. “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime”.”

Title: Credential Spear-Phishing Uses Spoofed Zix Encrypted Email
Date Published: September 28, 2021

https://threatpost.com/credential-spear-phishing-uses-spoofed-zix-encrypted-email/175044/

Excerpt: “God isn’t sending encrypted Zix messages: If hapless users click on the spoofed email’s link, it will try to download a presumably unholy HTML file onto their system. The attack is targeting a range of companies across sectors including state and local government, education, financial services, healthcare, and energy, selectively going after a mix of senior executives and cross-departmental employees. In fact, Armorblox’s research team found that the attacker is cherry-picking targets, being careful to select no more than one employee in any single department, probably to forestall the “Hey, did you get this weird email?” chat among officemates.”

Title: Google Releases Emergency Fix to Plug Zero-Day Hole in Chrome
Date Published: September 27, 2021

https://www.welivesecurity.com/2021/09/27/google-releases-emergency-fix-plug-zero-day-hole-chrome/

Excerpt: “The vulnerability was so severe that it necessitated its own official update for the Chrome browser. The release is especially notable, considering that it was rolled out mere days after Google pushed out a stable version of Chrome that fixed another 19 bugs. It took Google’s team just three days to release a fix after they were notified by Lecigne and his colleagues about the flaw being actively exploited in the wild. The United States’ Cybersecurity and Infrastructure Security Agency (CISA) also took note of the release and issued a security advisory urging both users and system administrators to update their browsers. “Google has released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This version addresses a vulnerability—CVE-2021-37973—that an attacker could exploit to take control of an affected system. An exploit for this vulnerability exists in the wild,” said the agency.”

Title: Convicted Scammer Who Had a Starring Role in Dispute Between Russia, Israel Is Unexpectedly Deported
Date Published: September 28, 2021

https://www.cyberscoop.com/aleksei-burkov-russia-israel-us-putin-issachar/

Excerpt: A convicted Russian scammer who was the focus of an international standoff was deported to his home country 14 months after receiving a long prison sentence in the U.S., Russian media reported. Officers from Russia’s Ministry of Internal Affairs detained Aleksei Burkov at Sheremetyevo Airport in Moscow following his deportation from the U.S., the state-owned media conglomerate RIA reported on Sept. 28. The move comes after an American court sentenced Burkov to nine years in a U.S. prison after he pleaded guilty to charges related to operating two illicit web forums that hackers used to trade stolen data and pool their resources.”

Title: Bandwidth[.]com Is Latest Victim of DDoS Attacks against VoIP Providers
Date Published: September 27, 2021

https://www.bleepingcomputer.com/news/security/bandwidthcom-is-latest-victim-of-ddos-attacks-against-voip-providers/

Excerpt: “Earlier this month, VoIP provider VoIP.ms suffered a catastrophic week-long DDoS attack that took down almost all of their services and portals, leaving their customers without voice services. The VoIP.ms attack was an extortion DDoS attack where threat actors impersonating the ransomware group ‘REvil’ initially demanded one bitcoin ($45,000) to halt their attacks but later increased it to 100 bitcoins ($4.5 million). At this time, Bandwidth is reporting that their services are restored, and it is not clear if the threat actors stopped their attacks or were paid an extortion demand. Unfortunately, it is common for threat actors to briefly halt attacks while they push extortion attempts, so we will not know for sure if the DDoS attack is over until tomorrow. When we hear back from Bandwidth, we will update our story.”

Title: Microsoft Adds Emergency Threat Mitigation to Its Exchange Server Software
Date Published: September 27, 2021

https://www.darkreading.com/endpoint/microsoft-adds-emergency-mitigation-tool-for-exchange-server

Excerpt: “Microsoft has baked a new threat mitigation feature into Exchange Server that will roll out this week as part of its September 2021 cumulative update to the software platform.  The new Emergency Mitigation (EM) software component allows Microsoft to create and execute vulnerability mitigations for its customers’ Exchange Servers automatically. The EM service checks for mitigations hourly via Microsoft’s cloud-based Office Config Service. “If Microsoft learns about a security threat and we create a mitigation for the issue, that mitigation can be sent directly to the Exchange server, which would automatically implement the pre-configured settings,”  the Microsoft Exchange Server team wrote in a community blog post announcing the new feature.”

Title: 7 Ways to Thwart Malicious Insiders
Date Published: September 27, 2021

https://www.darkreading.com/edge-slideshows/7-ways-to-prevent-malicious-insider-risks-at-your-company-

Excerpt: “Malicious insider activity is less common than the inadvertent missteps by insiders — but they are expensive. While malicious activity comprises just 23% of all insider incidents, according to a 2020 Ponemon survey, these attacks typically are more costly for the organization — averaging $755,760 per incident and $4.08 million per year. Overall, malicious and non-malicious insider incidents can account for the loss of up to 20% of annual revenue, according to research from Code42 and Aberdeen. “Data today is digital and portable, so it’s never been easier to take,” says Jadee Hanson, CISO and CIO at Code42. “There are countless ways for employees and contractors to move proprietary documents to a removable USB drive, personal Dropbox, or G-Drive and take it with them to benefit them in their next role or give a competitor a strategic advantage”.”

Title: Federal Lawsuit Filed Against Paxton Media Group Over Data Breach
Date Published: September 25, 2021

https://www.wkdzradio.com/2021/09/25/federal-lawsuit-filed-against-paxton-media-group-targets-data-breach/news-edge/

Excerpt: “A federal lawsuit has been filed against Paxton Media Group, claiming the company had a cyber attack and massive data breach earlier this year, yet waited three or more months to tell more than 20,000 current and former employees that their private information was hacked — many of whom reside in west Kentucky. PMG owns more than 100 news outlets nationwide — but locally handles the Paducah Sun, the Kentucky New Era, the Times Leader in Princeton, the Cadiz Record, WPSD Local 6 and several other organizations in west Kentucky. Jason Riley, a criminal justice reporter for WDRB in Louisville, first broke the news Friday evening.”

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...