OSN October 18, 2021

Fortify Security Team
Oct 18, 2021

Title: Sinclair TV Stations Crippled by Weekend Ransomware Attack
Date Published: October 18, 2021


Excerpt: “Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks. Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (amounting to almost 40% of all US households). This is the second incident that impacted Sinclair’s TV stations in July 2021, when the company asked all Sinclair stations to change passwords “as quickly as possible” following a security breach.”

Title: Microsoft fixes Windows 10 auth issue impacting Remote Desktop
Date Published: October 18, 2021


Excerpt: “Microsoft has fixed a known Windows 10 issue causing smartcard authentication to fail when trying to connect using Remote Desktop after installing the cumulative updates released during last month’s Patch Tuesday. As explained by the company, devices attempting to make Remote Desktop connections to devices in untrusted domains might be unable to connect. “After installing KB5005611 or later updates, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication,” Microsoft explained.”

Title: Lyceum Group Reborn
Date Published: October 18, 2021


Excerpt: “According to older public accounts of the group’s activity, Lyceum conducted targeted operations against organizations in the energy and telecommunications sectors across the Middle East, during which the threat actor used various PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot”. The latter supported communication with a C&C server via custom-designed protocols over DNS or HTTP. Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented .NET malware to new versions, written in C++. We clustered those new pieces of malware under two different variants, which we dubbed “James” and “Kevin”, after recurring names that appeared in the PDB paths of the underlying samples.”

Title: MirrorBlast, the New Phishing Campaign Targeting Financial Organizations
Date Published: October 18, 2021


Excerpt: “Phishing remains still a very well-known type of social engineering attack, as hackers regard human liability as a certain path to reach their goal. Most people will often not pay enough attention when clicking on a malicious document in a phishing email. To protect your business, you must ensure that you have the best security solutions to keep employees far from cyber threats. Heimdal™ has invested in the best email protection, having two excellent solutions: Email Fraud Prevention and Email Security. The first uses 125 analysis vectors combined with threat intelligence focusing on Business Email Compromise or CEO fraud, the latter keeps mail-delivered threats and supply chain attacks away. Curious? What are you waiting for? They are one click away!”

Title: Thingiverse Breach: 50,000 3D Printers Faced Hijacking Risk
Date Published: October 18, 2021


Excerpt: “The breach likely affects more than 2 million people whose usernames at minimum were leaked, says TJ Horner, a software engineer and security aficionado who has analyzed the data. Horner worked at MakerBot until last year. Horner says the data also includes OAuth tokens that until recently could have been used to remotely access MakerBot 5th Generation printers and later models. Those printers have video cameras, so Horner found it was also possible to view the printers’ video feeds, including Horner’s own MakerBot Method X printer. Additional mischief may have been possible. A malicious attacker could have sent an erroneous schematic to a 3D printer that could, for example, have broken a printer’s stepper motors, Horner says. The tokens also granted access to a user’s Thingiverse account, with read and write access.”

Title: How Fraudsters Are Exploiting Buy Now, Pay Later Providers
Date Published: October 18, 2021


Excerpt: “BNPL providers also offer benefits like higher spending limits to regular users. This, and the fact many providers are accepted by so many merchants, puts such accounts in the firing line of account takeover (ATO) attacks. Crooks can use tools like known password lists and credential stuffing bots to brute force their way into BNPL accounts, before making big purchases on a variety of different retail sites or selling established accounts on. BNPL is also vulnerable to synthetic fraud, in which a criminal will use some real elements of a stolen identity — sometimes even using a child’s name — and fabricate the rest to pass the less stringent checks of BNPL providers. Once the deception is uncovered, it is very difficult for a BNPL provider to track the fraudster based on this faked information.”

Title: REvil Ransomware’s Tor Sites Were Hijacked
Date Published: October 18, 2021


Excerpt: “As BleepingComputer shows, REvil disclosed that they did not see any signs of compromise regarding their servers but will be shutting down the operation. Soon after the ransomware actor told the affiliates to contact him for campaign decryption keys via Tox. This means that the group will let affiliates continue extorting their victims by providing a decryptor only if a ransom is paid. An .onion domain – Tor hidden service –  can only be launched with a public and private generated key pair – both keys are needed to start the service. Because anyone with access to the private key might use it to establish the same .onion service on their own server, it must be kept safe and only available to trusted admins. Since a third party was able to hijack the domains, they now have access to the private keys for the secret service. It is yet unknown who has hacked into their servers.”

Title: The Data Breach Twitch Suffered Had Minimal Impact, the Company Says
Date Published: October 18, 2021


Excerpt: “It appears that the incident had minimal impact and only affected a “small fraction” of users who will be contacted directly by the organization. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly. An update published on Friday by the streaming site made it clear that no passwords, login credentials, credit cards, or banking information were accessed or exposed following the massive hack they experienced last week. Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.”

Title: Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021
Date Published: October 14, 2021


Excerpt: “Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering. We acknowledge that uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors seeking platforms to move illicit proceeds without being subject to appropriate anti-money laundering (AML) and other obligations. We also recognize the challenges some jurisdictions face in developing frameworks and investigative capabilities to address the constantly evolving and highly distributed business operations involving virtual assets.”

Title: Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site
Date Published: October 14, 2021


Excerpt: “Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson’s comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer. “The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the St. Louis Post-Dispatch wrote in its article.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...