OSN October 12, 2021

Fortify Security Team
Oct 12, 2021

Title: CISA Names 3 ‘Exceptionally Dangerous’ Behaviors to Avoid

Date Published: October 12, 2021

https://securityintelligence.com/articles/cisa-three-exceptionally-dangerous-behaviors-to-avoid/

Excerpt: “As per CISA, “The presence of these Bad Practices in organizations that support Critical Infrastructure… is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability and life, health and safety of the public.” Even for those outside of national cybersecurity, these behaviors should be top of mind for any vulnerability assessment. While they may seem simple, each one involves complex cyber crime that cannot be ignored.”

Title: Oracle Joins Multi-Cloud Security Notification Project

Date Published: October 12, 2021

https://www.zdnet.com/article/oracle-joins-multi-cloud-security-notification-project/

Excerpt: “Oracle is joining the Cloud Security Notification Framework project (CSNF), an initiative looking to develop a standardized framework for dealing with cloud security issues in enterprise environments, which often use a variety of different cloud services. That reliance on multiple providers can make keeping up with and reacting to security notifications and alerts difficult, because many cloud service providers have their own systems set up for security reporting. The disparate nature can make managing cloud security difficult for businesses – particularly following the growth in the use of cloud services over the past 18 months.”

Title: Microsoft Revokes Insecure SSH Keys for Azure DevOps Customers

Date Published: October 12, 2021

https://www.bleepingcomputer.com/news/microsoft/microsoft-revokes-insecure-ssh-keys-for-azure-devops-customers/

Excerpt: “While Azure DevOps customers who haven’t already been informed their SSH keys were revoked are likely unaffected by this vulnerability, Microsoft still advises them to add new SSH public keys to Azure DevOps Services/TFS. Detailed information on removing your SSH public keys and adding new ones is available on Microsoft’s support website. Yesterday, GitHub also announced that it revoked weak SSH authentication keys generated with GitKraken versions using the faulty library, which created duplicate keypairs incorrectly. The library flaw was discovered by Axosoft engineer Dan Suceava “who noticed that keypair was regularly generating duplicate RSA keys,” and GitHub senior security engineer Kevin Jones identified the cause.”

Title: Microsoft Warns Over Password Attacks Against These Office 365 Customers

Date Published: October 12, 2021

https://www.zdnet.com/article/microsoft-warns-over-password-attacks-against-250-office-365-customers/

Excerpt: “Microsoft says 250 Office 365 customers in the US and Israeli defense technology sector have been targeted with ‘password-spraying’ attacks, where attackers try to access many accounts with commonly used passwords. The technique relies on people using variations of common passwords. The password attacks focussed on critical infrastructure companies operating in the Persian Gulf and were carried out by a group Microsoft is tracking as DEV-0343 – most likely a new group from Iran.”

Title: Ransomware: No Decline in Victims Posted to Data Leak Sites

Date Published: October 12, 2021

https://www.bankinfosecurity.com/ransomware-no-decline-in-victims-posted-to-data-leak-sites-a-17719

Excerpt: “Unfortunately, despite the White House declaring war on ransomware, including initiatives to improve the cyber resiliency of U.S. businesses, at least so far the number of victims being listed on such sites hasn’t been declining, reports Allan Liska, an intelligence analyst at threat intelligence firm Recorded Future. “The number of victims posted to ransomware extortion sites remained near an all-time high in September,” Liska tweets. “As always, remember that only a small fraction of ransomware victims make it to extortion sites so these numbers aren’t representative of all attacks”.”

Title: DDoS Operator Arrested by the Ukrainian Police

Date Published: October 12, 2021

https://heimdalsecurity.com/blog/ddos-operator-arrested-by-the-ukrainian-police/

Excerpt: “The threat actor was apprehended at his Prykarpattya residence, where he was reportedly utilizing the botnet to launch DDoS assaults or support other criminal behavior for his clients. Brute-forcing login passwords on websites, spamming activities, and penetration testing on remote devices to find and exploit vulnerabilities were all part of this activity. According to a statement provided by SSU, the hacker wasn’t only utilizing his botnet’s sheer force to bring down websites. Instead, he conducted reconnaissance and penetration testing on the target websites in order to find and exploit weaknesses.”

Title: Over 90% of Firms Suffered Supply Chain Breaches Last Year

Date Published: October 12, 2021

https://www.infosecurity-magazine.com/news/90-firms-supply-chain-breaches/

Excerpt: ““Budget increases demonstrate that firms are recognizing the need to invest in cybersecurity and vendor risk management. However, the wide yet consistent array of pain points suggests that this investment is not as effective as it needs to be,” argued BlueVoyant global head of third-party cyber-risk management, Adam Bixler. This, tied to the lack of visibility, monitoring and senior-level reporting, underscores a need for further improvement when approaching third-party cyber risk, in order to reduce the exposure of data before attackers take advantage of this.”

Title: AWS IAM and Cross Account Attacks

Date Published: October 12, 2021

https://medium.com/airwalk/aws-iam-and-cross-account-attacks-2d1fe55f61aa

Excerpt: “The recommended way of giving a supplier access to your AWS account is via a cross account trust, on an AWS Role. You don’t have to manage credentials and you can explicitly allow access to another AWS IAM identity. In the AWS documentation this is referred to as an Assume Role Policy Document or a trust policy. Technically this is a single API call to the AWS Security Token Service (STS), which returns a pair of time bound credentials, for the target role. For those curious on how the AWS STS AssumeRole works, this is what an example request looks like.”

Title: How MITRE’s ATT&CK Framework Helps Security Teams Map Adversary Behavior

Date Published: October 6, 2021

https://www.scmagazine.com/perspective/threat-modeling/how-mitres-attck-framework-helps-security-teams-map-adversary-behavior

Excerpt: “The Mitre ATT&CK knowledge base contains a solid foundation of adversary tactics and techniques that have been observed and documented. The latest update, Mitre ATT&CK version 9, published in April 2021, introduces 16 new Groups, 67 new pieces of software, with updates to 36 Groups and 51 software entries. The Mitre ATT&CK framework originated from MITRE’s Fort Meade eXperiment (FMX) research focused on the investigation into using endpoint telemetry to improve post-compromise detection. It’s helpful to explore Mitre ATT&CK framework use cases, common pitfalls, and recommendations for use.”

Title: Microsoft Mitigated a Record 2.4 Tbps DDoS Attack in August

Date Published: October 12, 2021

https://securityaffairs.co/wordpress/123245/hacking/azure-record-ddos-attack.html

Excerpt: ““The last week of August, we observed a 2.4 Tbps DDoS attack targeting an Azure customer in Europe. This is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure,” reads the post published by Microsoft. “The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.””
