OSN September 7, 2021

Fortify Security Team
Sep 7, 2021

Title: Trickbot Gang Developer Arrested When Trying to Leave Korea
Date Published: September 6, 2021

https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/

Excerpt: “After waiting for over a year for his passport to be renewed, the individual attempted to depart South Korea again but was arrested at the airport due to an extradition request by the USA. It is alleged that the man worked as a web browser developer for the TrickBot operation while he lived in Russia in 2016. However, the Russian man claims that he did not know he worked for a cybercrime gang after getting hired from an employment site. “When developing the software, the operation manual did not fall under malicious software,” the man told the Seoul High Court. The Russian individual’s attorney is currently fighting the USA extradition attempt, claiming that the USA will prosecute the individual unfairly.”

Title: Ragnar Locker: ‘Talk to Cops or Feds and We Leak Your Data’
Date Published: September 7, 2021

https://www.bankinfosecurity.com/blogs/ragnar-locker-talk-to-cops-or-feds-we-leak-your-data-p-3111

Excerpt: “But the other one is that a lot of these negotiating services like Coveware, for example, they have vast experience when it comes to handling these cases,” he says. “They have large databases that allow them to give you an idea how long it’s going to take, whether or not the threat actor will just take your money and run. And they will also have valuable insight into whether or not the decryptor that you will get back when you pay the ransom is actually working. Because not all these decryptors actually perform reasonably well; a lot of them kind of have issues.”

Title: Personal Details of 8,700 French VISA Applicants Exposed by Cyber Attack
Date Published: September 7, 2021

https://www.infosecurity-magazine.com/news/french-visa-applicants-cyber-attack/

Excerpt: “In response to this news, Ronnen Brunner, VP of EMEA at ExtraHop, said: “The recent cyber-attack in France, which has compromised the data of around 8700 people applying for visas to live and work in France, has resulted in personal details being leaked, including passport numbers and addresses. The public sector’s responsibility for personal data is a vital part of the public services to continue to build credibility and trust for its citizens and improve the level of service while the security is maintained. “This is exactly the reason we see organizations like the Met Police in the UK emphasize network visibility in their cybersecurity strategy”.”

Title: Latest Atlassian Confluence Flaw Exploited to Breach Jenkins Project Server
Date Published: September 7, 2021

https://thehackernews.com/2021/09/latest-atlassian-confluence-flaw.html

Excerpt: “At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected,” the company said in a statement published over the weekend. The disclosure comes as the U.S. Cyber Command warned of ongoing mass exploitation attempts in the wild targeting a now-patched critical security vulnerability affecting Atlassian Confluence deployments. Tracked as CVE-2021-26084 (CVSS score: 9.8), the flaw concerns an OGNL (Object-Graph Navigation Language) injection flaw that, in specific instances, could be exploited to execute arbitrary code on a Confluence Server or Data Center instance.”

Title: North Korean Hackers Breach Prominent Defector’s Accounts in Targeted Attack
Date Published: September 7, 2021

https://www.nknews.org/2021/09/north-korean-hackers-breach-prominent-defectors-accounts-in-targeted-attack/

Excerpt: “One target of the campaign, NKnet executive director Eun Kyoung Kwon, said the hackers congratulated her on a new job and tried to flatter her into opening a document she was asked to provide feedback on — but odd word choices tipped her off that something was wrong. “The language the hacker used was not explicitly awkward from a South Korean point of view, but there was definitely a subtle North Korean nuance in the phrases,” Kwon told NK News. “From the messages Kang’s account sent to me, phrases such as ‘how is your business going (??? ? ?????)’ and ‘where shall I send the email to (??? ?? ??????)’ are used by North Korean defectors or North Koreans,” she explained. Kwon said that she grew suspicious of the messages because she knew that her contact Kang did not use these terms anymore.”

Title: Ransomware Gang Threatens to Leak Data if Victim Contacts FBI, Police
Date Published: September 7, 2021

https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-leak-data-if-victim-contacts-fbi-police/

Excerpt: “Ragnar Locker actors are known for manually deploying the ransomware payloads to encrypt the victims’ systems. They spend time conducting reconnaissance to discover network resources, company backups, and other sensitive files they can steal before the data encryption stage. As reported by BleepingComputer, Ragnar Locker’s past victims have included Japanese game maker Capcom, computer chip manufacturer ADATA, and aviation giant Dassault Falcon. In Capcom’s case, the group had reportedly encrypted 2,000 devices on the organization’s network and demanded an $11,000,000 ransom in exchange for a decryptor.”

Title: Protonmail Said Swiss Court Order Left No Choice but to Log Activist’s IP Address
Date Published: September 7, 2021

https://www.cyberscoop.com/protonmail-swiss-court-ip-france/

Excerpt: “A French police report published on Sept. 2 appears to show that police used ProtonMail to collect the IP address, a specific number that pertains to an individual computer, of an unnamed French activist who was demonstrating against real estate gentrification in Paris. The case appears to undercut ProtonMail’s assurance that it does not log the IP addresses of unique users. While the exact circumstances of the case remain murky, ProtonMail founder and CEO Andy Yen said in a series of tweets that the email firm was the subject of a legal order from a Swiss court. ProtonMail does not collect user IP addresses by default, Yen said, but “only if Proton gets a legal order for a specific account,” the company wrote in a Sept. 6 statement.”

Title: Netgear Tackles Severe Security Vulnerabilities Impacting Several of Its Smart Switches
Date Published: September 7, 2021

https://heimdalsecurity.com/blog/netgear-tackles-severe-security-vulnerabilities-impacting-several-of-its-smart-switches/

Excerpt: “According to the advisory, the second vulnerability reported by the expert was dubbed Draconian Fear and is an authentication hijacking issue. This bug enables a cybercriminal with the same IP as a logging-in admin to hijack the session bootstrapping information, giving the attacker complete admin access to the device web UI and resulting in a full compromise of the device. On September 13th, we will also have details about the third vulnerability, dubbed Seventh Inferno.”

Title: Traffic Exchange Networks Distributing Malware Disguised as Cracked Software
Date Published: September 6, 2021

https://thehackernews.com/2021/09/traffic-exchange-networks-distributing.html

Excerpt: “These malware included an assortment of click fraud bots, other information stealers, and even ransomware,” researchers from cybersecurity firm Sophos said in a report published last week. The attacks work by taking advantage of a number of bait pages hosted on WordPress that contain “download” links to software packages, which, when clicked, redirect the victims to a different website that delivers potentially unwanted browser plug-ins and malware, such as installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners that masquerade as antivirus solutions.”

Title: Fed up With Constant Cyberattacks, One Country Is About to Make Some Big Changes
Date Published: September 3, 2021

https://www.inoreader.com/article/3a9c6e7b404baccc-fed-up-with-constant-cyberattacks-one-country-is-about-to-make-some-big-changes

Excerpt: “Italy has faced a barrage of cyberattacks in recent weeks. On August 1, the main datacenter of the Lazio region was hit by a ransomware attack, which made many of its online services, including the COVID-19 vaccination-booking platform, inaccessible. All data was encrypted, and attackers requested a bitcoin ransom to allow authorities to recover them. Luckily, technicians were able to restore the stolen data from a backup copy. Less than three weeks later, on August 18, the healthcare agency of the Tuscany region was also targeted by criminals who were able to penetrate its online defenses and destroy some statistical and epidemiological data.”
