OSN October 15, 2021

Fortify Security Team
Oct 15, 2021

Title: CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems

Date Published: October 15, 2021

https://thehackernews.com/2021/10/cisa-issues-warning-on-cyber-threats.html

Excerpt: “The advisory is notable in the wake of a February 2021 attack at a water treatment facility in Oldsmar where an intruder broke into a computer system and remotely changed a setting that drastically altered the levels of sodium hydroxide (NaOH) in the water supply, before it was spotted by a plant operator, who quickly took steps to reverse the remotely issued command.In addition to requiring multi-factor authentication for all remote access to the operational technology (OT) network, the agencies have urged WWS facilities to limit remote access to only relevant users, implement network segmentation between IT and OT networks to prevent lateral movement, and incorporate abilities to failover to alternate control systems in the event of an attack.”

Title: Russian Cybercrime Gang Targets Finance Firms With Stealthy Macros

Date Published: October 15, 2021

https://www.bleepingcomputer.com/news/security/russian-cybercrime-gang-targets-finance-firms-with-stealthy-macros/

Excerpt: “However, these optimized documents have drawbacks that the actors are apparently willing to accept as trade-offs. Most notably, the macro code can only be executed on a 32-bit version of Office. If the victim is tricked into opening the malicious document and “enable content” in Microsoft Office, the macro executes a JScript script which downloads and installs an MSI package.” Prior to that though, the macro performs a basic anti-sandboxing check on whether the computer name is equal to the user domain, and if the username is equal to ‘admin’ or ‘administrator’. According to researchers at Morphisec who analyzed several samples of the dropped MSI package, it comes in two variants, one written in REBOL and one in KiXtart.”

Title: In 2021, Google Issued Over 50,000 Warnings About State-sponsored Hacking Attacks

Date Published: October 15, 2021

https://heimdalsecurity.com/blog/in-2021-google-issued-over-50000-warnings-about-state-sponsored-hacking-attacks/

Excerpt: “In a spear-phishing campaign that is believed to have started around January this year, APT35 was looking to get sensitive information as it impersonated U.K. academics focused on Middle Eastern affairs. According to researchers at Proofpoint, it was one of the most sophisticated campaigns conducted by the ever-evolving APT Charming Kitten. The operation included impersonating British scholars working with the University of London’s School of Oriental and African Studies while engaging in conversations with victims and linking to the website of a legitimate, world-class, already compromised academic institution in order to collect credentials.”

Title: Boffins Devise a New Side-Channel Attack Affecting All AMD CPUs

Date Published: October 15, 2021

https://securityaffairs.co/wordpress/123401/hacking/side-channel-attack-amd-cpus.html

Excerpt: “The researchers demonstrated the first microarchitectural break of (fine-grained) the exploit mitigation technique KASLR on AMD CPUs. They monitored kernel activity (e.g. If audio is played over Bluetooth) and were able to establish a covert channel. The team also demonstrated also how to exfiltrate data from kernel memory using simple Spectre gadgets in the Linux kernel. The flaws were collectively tracked as CVE-2021-26318, according to AMD the medium severity flaws impacts all of its CHIPS. However the chip maker doesn’t recommend any mitigations because the the attack scenarios presented by the researchers do not directly leak data across address space boundaries.”

Title: Analyzing Email Services Abused for Business Email Compromise

Date Published: October 14, 2021

https://www.trendmicro.com/en_us/research/21/j/analyzing-email-services-abused-for-business-email-compromise.html

Excerpt: “The gradual increase throughout the year prompted us to pay attention to the campaigns being deployed, but the sudden increase in August caught our interest. Compared to campaigns from previous years in which BEC actors mostly impersonated executives or ranking management personnel, we observed a specific BEC campaign type spoofing general employees’ display names. We noticed a sudden upshot of dangerous emails impersonating and targeting ordinary employees for money transfers, bank payroll account changes, or various company-related information. We launched the “BEC Display Name Spoofing” detection solution for Trend Micro™ Cloud App Security in Q1 to address this issue. Following this, we also observed the highest volume of BEC detections in the Americas.”

Title: BlackByte: Free Decryptor Released for Ransomware Strain

Date Published: October 15, 2021

https://www.bankinfosecurity.com/blackbyte-free-decryptor-released-for-ransomware-strain-a-17738

Excerpt: “The latest victims posted to BlackByte’s site, respectively appearing on Friday and Thursday, were a U.S.-based fire alarm and sprinkler installation system firm, as well as a U.S.-based manufacturer of disposable infection control products for the healthcare sector. As of Friday, countdown timers for the victims respectively listed 28 days and 27 days as being left to pay an unspecified ransom amount. For both, a “download free” link led to the Anonfile anonymous file-downloading service, which hosted a file for each, of less than 5MB, containing allegedly stolen data. It’s not clear when the alleged victims were hit with ransomware, and if it might have been with a fresh version that fixed the encryption flaws spotted by Trustwave – and potentially others.”

Title: University of Sunderland Faced Operation Issues Following a Cyber-attack

Date Published: October 15, 2021

https://heimdalsecurity.com/blog/university-of-sunderland-faced-operation-issues-following-a-cyber-attack/

Excerpt: “The University of Sunderland faced extensive operational issues that took most of its IT systems down. It is believed that the issue was caused by a cyber-attack. Also, a new website called “uostoday.sunderland.ac.uk” has been set up to provide updates to concerned students, but it looks like no services will be supplied there. The University of Sunderland is a public research institute with around 20,000 students, thus the cyber-attack has an impact on a large number of individuals. This event has caught many students at a pivotal time in their studies, with some of them facing tight visa applications or other deadlines.”

Title: Acer Data Breach Impacts the Company’s Indian Systems

Date Published: October 15, 2021

https://heimdalsecurity.com/blog/acer-data-breach-compromises-systems-in-india/

Excerpt: “According to BleepingComputer, the company did not share any information related to the identity of the threat actor behind this Acer data breach. However, communication in this sense came from a hacker on a well-known forum (RAID), a very popular one in the past among hackers where they used to perform companies’ extortion and also put the stolen data for sale. The person claimed there the Acer data breach, confirming the compromise of the company’s servers and announcing that they managed to get 60GB of information, this meaning files, and databases. To vouch for this affirmation, the cybercriminal also shared a video that demonstrated the alleged data theft, from which it comes out that 10,000 customer records and 3,000 Indian Acer distributors and retailers’ credentials were stolen.”

Title: Missouri Refers Coordinated Bug Disclosure to Prosecutors

Date Published: October 15, 2021

https://www.bankinfosecurity.com/missouri-refers-coordinated-bug-disclosure-to-prosecutors-a-17737

Excerpt: “In a press release on Wednesday, Missouri’s Office of Administration Information Technology Services Division says it “has performed intense testing of all public facing web applications across all state agencies, and has not identified any other vulnerabilities. As an additional measure of precaution, third-party penetration testers were engaged to look for this specific vulnerability on state of Missouri websites.” The exact vulnerability isn’t specified in the Post-Dispatch’s report. But it’s possible that a misconfiguration led to data being inserted into the HTML that wasn’t intended to become public, says Troy Hunt, a data breach expert who founded the Have I Been Pwned data breach notification site.”

Title: Multiple threat actors, including a ransomware gang, exploiting Exchange ProxyShell vulnerabilities

Date Published: October 15, 2021

https://medium.com/@leviarsel/multiple-threat-actors-including-a-ransomware-gang-exploiting-exchange-proxyshell-vulnerabilities-f70b6f761d7e

They are pre-authenticated (no password required) remote code execution vulnerabilities, which is as serious as they come. Additionally, during the ProxyLogon attacks in January-March, attackers needed to know an Exchange administrator mailbox, and hardcoded it to [email protected] in proof of concept code. This mailbox only existed if you installed Exchange as that account, and accessed email, which is a minority situation —?therefore most orgs got away with it. However, with ProxyShell this does not apply.”

Recent Posts

September 16, 2022

Title: Uber hacked, internal systems breached and vulnerability reports stolen Date Published: September 16, 2022 https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/ Excerpt: “Uber suffered a...

September 15, 2022

Title: Webworm hackers modify old malware in new attacks to evade attribution Date Published: September 15, 2022 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/ Excerpt: “The Chinese 'Webworm'...

September 14, 2022

Title: Chinese hackers create Linux version of the SideWalk Windows malware Date Published: September 14, 2022 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/ Excerpt: “State-backed Chinese hackers...

September 13, 2022

Title: Cyberspies drop new infostealer malware on govt networks in Asia Date Published: September 13, 2022 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/ Excerpt: “Security researchers have identified...

September 12, 2022

Title: Cisco confirms Yanluowang ransomware leaked stolen company data Date Published: September 12, 2022 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/ Excerpt: “Cisco has confirmed that the data leaked...

September 9, 2022

Title: Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/ Excerpt: “A new version of the...

September 8, 2022

Title: North Korean Lazarus Hackers Take Aim at U.S. Energy Providers Date Published: September 8, 2022 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/ Excerpt: “The North Korean APT group 'Lazarus' (APT38)...