OSN October 15, 2021

Fortify Security Team
Oct 15, 2021

Title: CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems

Date Published: October 15, 2021


Excerpt: “The advisory is notable in the wake of a February 2021 attack at a water treatment facility in Oldsmar where an intruder broke into a computer system and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water supply, before it was spotted by a plant operator, who quickly took steps to reverse the remotely issued command. In addition to requiring multi-factor authentication for all remote access to the operational technology (OT) network, the agencies have urged WWS facilities to limit remote access to only relevant users, implement network segmentation between IT and OT networks to prevent lateral movement, and incorporate abilities to failover to alternate control systems in the event of an attack.”

Title: Russian Cybercrime Gang Targets Finance Firms With Stealthy Macros

Date Published: October 15, 2021


Excerpt: “However, these optimized documents have drawbacks that the actors are apparently willing to accept as trade-offs. Most notably, the macro code can only be executed on a 32-bit version of Office. If the victim is tricked into opening the malicious document and clicking ‘enable content’ in Microsoft Office, the macro executes a JScript script which downloads and installs an MSI package. Prior to that though, the macro performs a basic anti-sandboxing check on whether the computer name is equal to the user domain, and if the username is equal to ‘admin’ or ‘administrator’. According to researchers at Morphisec who analyzed several samples of the dropped MSI package, it comes in two variants, one written in REBOL and one in KiXtart.”

Title: In 2021, Google Issued Over 50,000 Warnings About State-sponsored Hacking Attacks

Date Published: October 15, 2021


Excerpt: “In a spear-phishing campaign that is believed to have started around January this year, APT35 was looking to get sensitive information as it impersonated U.K. academics focused on Middle Eastern affairs. According to researchers at Proofpoint, it was one of the most sophisticated campaigns conducted by the ever-evolving APT Charming Kitten. The operation included impersonating British scholars working with the University of London’s School of Oriental and African Studies while engaging in conversations with victims and linking to the website of a legitimate, world-class, already compromised academic institution in order to collect credentials.”

Title: Boffins Devise a New Side-Channel Attack Affecting All AMD CPUs

Date Published: October 15, 2021


Excerpt: “The researchers demonstrated the first microarchitectural break of the (fine-grained) exploit mitigation technique KASLR on AMD CPUs. They monitored kernel activity (e.g. if audio is played over Bluetooth) and were able to establish a covert channel. The team also demonstrated how to exfiltrate data from kernel memory using simple Spectre gadgets in the Linux kernel. The flaws were collectively tracked as CVE-2021-26318; according to AMD, the medium severity flaw impacts all of its chips. However, the chip maker doesn’t recommend any mitigations because the attack scenarios presented by the researchers do not directly leak data across address space boundaries.”

Title: Analyzing Email Services Abused for Business Email Compromise

Date Published: October 14, 2021


Excerpt: “The gradual increase throughout the year prompted us to pay attention to the campaigns being deployed, but the sudden increase in August caught our interest. Compared to campaigns from previous years in which BEC actors mostly impersonated executives or ranking management personnel, we observed a specific BEC campaign type spoofing general employees’ display names. We noticed a sudden upshot of dangerous emails impersonating and targeting ordinary employees for money transfers, bank payroll account changes, or various company-related information. We launched the “BEC Display Name Spoofing” detection solution for Trend Micro™ Cloud App Security in Q1 to address this issue. Following this, we also observed the highest volume of BEC detections in the Americas.”

Title: BlackByte: Free Decryptor Released for Ransomware Strain

Date Published: October 15, 2021


Excerpt: “The latest victims posted to BlackByte’s site, respectively appearing on Friday and Thursday, were a U.S.-based fire alarm and sprinkler installation system firm, as well as a U.S.-based manufacturer of disposable infection control products for the healthcare sector. As of Friday, countdown timers for the victims respectively listed 28 days and 27 days as being left to pay an unspecified ransom amount. For both, a “download free” link led to the Anonfile anonymous file-downloading service, which hosted a file for each, of less than 5MB, containing allegedly stolen data. It’s not clear when the alleged victims were hit with ransomware, and if it might have been with a fresh version that fixed the encryption flaws spotted by Trustwave – and potentially others.”

Title: University of Sunderland Faced Operation Issues Following a Cyber-attack

Date Published: October 15, 2021


Excerpt: “The University of Sunderland faced extensive operational issues that took most of its IT systems down. It is believed that the issue was caused by a cyber-attack. Also, a new website called “uostoday.sunderland.ac.uk” has been set up to provide updates to concerned students, but it looks like no services will be supplied there. The University of Sunderland is a public research institute with around 20,000 students, thus the cyber-attack has an impact on a large number of individuals. This event has caught many students at a pivotal time in their studies, with some of them facing tight visa applications or other deadlines.”

Title: Acer Data Breach Impacts the Company’s Indian Systems

Date Published: October 15, 2021


Excerpt: “According to BleepingComputer, the company did not share any information related to the identity of the threat actor behind this Acer data breach. However, communication in this sense came from a hacker on a well-known forum (RAID), a very popular one in the past among hackers where they used to perform companies’ extortion and also put the stolen data for sale. The person claimed there the Acer data breach, confirming the compromise of the company’s servers and announcing that they managed to get 60GB of information, this meaning files and databases. To vouch for this affirmation, the cybercriminal also shared a video that demonstrated the alleged data theft, from which it comes out that 10,000 customer records and 3,000 Indian Acer distributors’ and retailers’ credentials were stolen.”

Title: Missouri Refers Coordinated Bug Disclosure to Prosecutors

Date Published: October 15, 2021


Excerpt: “In a press release on Wednesday, Missouri’s Office of Administration Information Technology Services Division says it “has performed intense testing of all public facing web applications across all state agencies, and has not identified any other vulnerabilities. As an additional measure of precaution, third-party penetration testers were engaged to look for this specific vulnerability on state of Missouri websites.” The exact vulnerability isn’t specified in the Post-Dispatch’s report. But it’s possible that a misconfiguration led to data being inserted into the HTML that wasn’t intended to become public, says Troy Hunt, a data breach expert who founded the Have I Been Pwned data breach notification site.”

Title: Multiple threat actors, including a ransomware gang, exploiting Exchange ProxyShell vulnerabilities

Date Published: October 15, 2021


Excerpt: “They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come. Additionally, during the ProxyLogon attacks in January-March, attackers needed to know an Exchange administrator mailbox, and hardcoded it to [email protected] in proof of concept code. This mailbox only existed if you installed Exchange as that account, and accessed email, which is a minority situation — therefore most orgs got away with it. However, with ProxyShell this does not apply.”
