September 8, 2021

Fortify Security Team
Sep 8, 2021

Title: REvil Ransomware’s Servers Mysteriously Come Back Online
Date Published:  September 7, 2021

https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/

Excerpt:  “The dark web servers for the REvil ransomware operation have suddenly turned back on after an almost two-month absence. It is unclear if this marks their ransomware gang’s return or the servers being turned on by law enforcement.  On July 2nd, the REvil ransomware gang, aka Sodinokibi, used a zero-day vulnerability in the Kaseya VSA remote management software to encrypt approximately 60 managed service providers (MSPs) and over 1,500 of their business customers.”

Title: Microsoft Shares Temp Fix for Ongoing Office 365 Zero-day Attacks
Date Published:  September 7, 2021

https://www.bleepingcomputer.com/news/security/microsoft-shares-temp-fix-for-ongoing-office-365-zero-day-attacks/

Excerpt:  “Microsoft today shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10.  The flaw is in MSHTML, the browser rendering engine that is also used by Microsoft Office documents.  Identified as CVE-2021-40444, the security issue affects Windows Server 2008 through 2019 and Windows 8.1 through 10 and has a severity level of 8.8 out of the maximum 10.”

Title: Researchers Pinpoint Ransomware Gangs’ Ideal Enterprise Victims
Date Published:  September 8, 2021

https://www.helpnetsecurity.com/2021/09/08/ransomware-victims/

Excerpt:  “Researchers with threat intelligence company KELA have recently analyzed 48 active threads on underground (dark web) marketplaces made by threat actors looking to buy access to organizations’ systems, assets and networks, and have found that at least 40% of the postings were by active participants in the ransomware-as-a-service (RaaS) supply chain (operators, or affiliates, or middlemen).  The analyzed threads have provided interesting insights into how these threat actors choose their next victims.”

Title: Germany Protests to Russia Over Attacks Ahead of the Upcoming Election
Date Published:  September 8, 2021

https://securityaffairs.co/wordpress/121958/intelligence/germany-protests-to-russia-attacks.html

Excerpt:  “Germany has formally protested to Russia over a series of cyber attacks aimed at stealing data from lawmakers that could be used to arrange disinformation campaigns before the upcoming German election.  The spokeswoman for the Foreign Ministry, Andrea Sasse, said that the threat actor tracked as Ghostwriter has been “combining conventional cyberattacks with disinformation and influence operations.” in attacks against Germany.  The alleged state-sponsored hackers conducted phishing attacks against federal and state lawmakers to steal their personal login details.”

Title: Operation Chimaera: TeamTNT Hacking Group Strikes Thousands of Victims Worldwide
Date Published:  September 8, 2021

https://www.zdnet.com/article/operation-chimaera-teamtnt-hacking-group-strikes-thousands-of-victims-worldwide/

Excerpt:  “The TeamTNT hacking group has upped its game with a set of tools allowing it to indiscriminately target multiple operating systems.  On Wednesday, cybersecurity researchers from AT&T Alien Labs published a report on a new campaign, dubbed Chimaera, that is thought to have begun on July 25, 2021 — based on command-and-control (C2) server logs — and one that has revealed an increased reliance on open source tools by the threat group.  TeamTNT was first spotted last year and was connected to the installation of cryptocurrency mining malware on vulnerable Docker containers. Trend Micro has also found that the group attempts to steal AWS credentials to propagate on more servers, and Cado Security contributed the more recent discovery of TeamTNT targeting Kubernetes installations.”

Title: BladeHawk Attackers Spy on Kurds with Fake Android Apps
Date Published:  September 8, 2021

https://www.zdnet.com/article/bladehawk-attackers-spy-on-kurds-with-fake-android-apps/

Excerpt:  “Fake Android apps are being deployed on the handsets of Kurds in a surveillance campaign promoted across social media.  On Tuesday, researchers from ESET said an attack wave conducted by the BladeHawk hacking group is focused on targeting the Kurdish ethnic group through their Android handsets.  Thought to have been active since at least March last year, the campaign is abusing Facebook and using the social media platform as a springboard for the distribution of fake mobile apps.  The researchers have identified six Facebook profiles connected to BladeHawk at the time of writing, all of which have now been taken down.”

Title: Cybersecurity Student Scams Senior Out of $55K
Date Published:  September 7, 2021

https://www.infosecurity-magazine.com/news/cybersecurity-student-scams-senior/

Excerpt:  “A British cybersecurity student has scammed an elderly woman out of thousands of dollars by pretending to be a member of Amazon’s technical support team.  Twenty-four-year-old Ramesh Karaturi contacted his victim over the phone and persuaded her to believe that cyber-attackers had compromised her Amazon account.  Karaturi’s victim, who Cleveland Police said was a Scottish resident in her 60s, was then manipulated into installing what she thought was “protective anti-virus software” onto her computer.  What the woman installed was a program that gave Karaturi remote access to her machine.  Police said the victim suspected she had been tricked after Karaturi instructed her to leave the downloaded program running on her computer.  After ending the phone call and unplugging her computer, the suspicious victim contacted her bank. She discovered that two sums totaling nearly £40,000 (around $55,000) had been stolen from her account.”

Title: Attacks on IoT Devices Double Over Past Year
Date Published:  September 8, 2021

https://www.infosecurity-magazine.com/news/attacks-iot-devices-double-past/

Excerpt:  “The number of attacks targeting IoT devices has almost doubled from the second half of 2020 to the first six months of this year, according to Kaspersky.  The Russian cybersecurity firm collected data from a network of honeypots to mimic vulnerable devices and invite attacks.  Although these honeypots were on the receiving end of around 639 million cyber-attacks in the final six months of 2020, the figure had soared to over 1.5 billion by the first half of 2021.  So far this year, most of these attacks have been attempted using the telnet protocol, which is typically used to access and manage devices remotely. Over 872 million, or nearly 58%, of the total was accounted for this way. The rest used SSH (34%) and web (8%) channels.  Once compromised, IoT devices can be conscripted into botnets and used to mine illegally for crypto-currencies, launch DDoS attacks, steal personal data and more.”

Title: Poisoned Proxy PACs! The NPM Package with a Network-wide Security Hole
Date Published:  September 8, 2021

https://nakedsecurity.sophos.com/2021/09/06/poisoned-proxy-pacs-the-npm-package-with-a-network-wide-security-hole/

Excerpt:  “The NPM registry runs from basic text formatting to full-on facial recognition, and almost everything in between.  Instead of writing all, of the code in your project yourself, or even most of it, you simply reference the add-on packages you want to use, and NPM will fetch them for you, along with any additional packages that your chosen package needs.  As you can imagine, this is a potential security nightmare.  Adding just one package to your own project may required a slew of additional packages, each of which may have been written by a different person whom you don’t know, have never met, and probably never will.”

Title: Major New OpenSSL Released
Date Published:  September 7, 2021

https://www.darkreading.com/application-security/major-new-openssl-released

Excerpt:  “The OpenSSL Software Foundation today released  a completely refreshed version of the software, OpenSSL, that handles much of the encrypted communications for the Internet.  The latest version, OpenSSL 3.0, adds compliance with the Federal Information Processing Standards (FIPS), deprecates — with a plan to remove — a slew of low-level API functions that could cases security issues, and has added much more testing to the development processes. Reducing the number of low-level API functions means reducing the number of ways that developers could misuse or mistakenly use those functions, says Chris Eng, chief research officer at application security firm Veracode.  The major version upgrade “includes a number of architectural changes that will help developers reduce attack surface while still retaining the functionality they may have come to rely on,” he says, adding that deprecating the low-level API functions will “discourage developers from tweaking the internals of individual cryptographic algorithms and steering them toward ‘high level’ APIs that are less prone to developer error.””

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...