OSN October 18, 2021

Fortify Security Team
Oct 18, 2021

Title: Sinclair TV Stations Crippled by Weekend Ransomware Attack
Date Published: October 18, 2021

https://www.bleepingcomputer.com/news/security/sinclair-tv-stations-crippled-by-weekend-ransomware-attack/

Excerpt: “Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks. Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (amounting to almost 40% of all US households). This is the second incident that impacted Sinclair’s TV stations in July 2021, when the company asked all Sinclair stations to change passwords “as quickly as possible” following a security breach.”

Title: Microsoft fixes Windows 10 auth issue impacting Remote Desktop
Date Published: October 18, 2021

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-auth-issue-impacting-remote-desktop/

Excerpt: “Microsoft has fixed a known Windows 10 issue causing smartcard authentication to fail when trying to connect using Remote Desktop after installing the cumulative updates released during last month’s Patch Tuesday. As explained by the company, devices attempting to make Remote Desktop connections to devices in untrusted domains might be unable to connect. “After installing KB5005611 or later updates, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication,” Microsoft explained.”

Title: Lyceum Group Reborn
Date Published: October 18, 2021

https://securelist.com/lyceum-group-reborn/104586/

Excerpt: “According to older public accounts of the group’s activity, Lyceum conducted targeted operations against organizations in the energy and telecommunications sectors across the Middle East, during which the threat actor used various PowerShell scripts and a .NET-based remote administration tool referred to as “DanBot”. The latter supported communication with a C&C server via custom-designed protocols over DNS or HTTP. Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented .NET malware to new versions, written in C++. We clustered those new pieces of malware under two different variants, which we dubbed “James” and “Kevin”, after recurring names that appeared in the PDB paths of the underlying samples.”

Title: MirrorBlast, the New Phishing Campaign Targeting Financial Organizations
Date Published: October 18, 2021

https://heimdalsecurity.com/blog/mirrorblast-the-new-phishing-campaign-targeting-financial-organizations/

Excerpt: “Phishing remains still a very well-known type of social engineering attack, as hackers regard human liability as a certain path to reach their goal. Most people will often not pay enough attention when clicking on a malicious document in a phishing email. To protect your business, you must ensure that you have the best security solutions to keep employees far from cyber threats. Heimdal™ has invested in the best email protection, having two excellent solutions: Email Fraud Prevention and Email Security. The first uses 125 analysis vectors combined with threat intelligence focusing on Business Email Compromise or CEO fraud, the latter keeps mail-delivered threats and supply chain attacks away. Curious? What are you waiting for? They are one click away!”

Title: Thingiverse Breach: 50,000 3D Printers Faced Hijacking Risk
Date Published: October 18, 2021

https://www.bankinfosecurity.com/thingiverse-breach-50000-3d-printers-faced-hijacking-risk-a-17749

Excerpt: “The breach likely affects more than 2 million people whose usernames at minimum were leaked, says TJ Horner, a software engineer and security aficionado who has analyzed the data. Horner worked at MakerBot until last year. Horner says the data also includes OAuth tokens that until recently could have been used to remotely access MakerBot 5th Generation printers and later models. Those printers have video cameras, so Horner found it was also possible to view the printers’ video feeds, including Horner’s own MakerBot Method X printer. Additional mischief may have been possible. A malicious attacker could have sent an erroneous schematic to a 3D printer that could, for example, have broken a printer’s stepper motors, Horner says. The tokens also granted access to a user’s Thingiverse account, with read and write access.”

Title: How Fraudsters Are Exploiting Buy Now, Pay Later Providers
Date Published: October 18, 2021

https://medium.com/netacea/how-fraudsters-are-exploiting-buy-now-pay-later-providers-9975edb2c4a

Excerpt: “BNPL providers also offer benefits like higher spending limits to regular users. This, and the fact many providers are accepted by so many merchants, puts such accounts in the firing line of account takeover (ATO) attacks. Crooks can use tools like known password lists and credential stuffing bots to brute force their way into BNPL accounts, before making big purchases on a variety of different retail sites or selling established accounts on. BNPL is also vulnerable to synthetic fraud, in which a criminal will use some real elements of a stolen identity — sometimes even using a child’s name — and fabricate the rest to pass the less stringent checks of BNPL providers. Once the deception is uncovered, it is very difficult for a BNPL provider to track the fraudster based on this faked information.”

Title: REvil Ransomware’s Tor Sites Were Hijacked
Date Published: October 18, 2021

https://heimdalsecurity.com/blog/revil-ransomwares-tor-sites-were-hijacked/

Excerpt: “As BleepingComputer shows, REvil disclosed that they did not see any signs of compromise regarding their servers but will be shutting down the operation. Soon after the ransomware actor told the affiliates to contact him for campaign decryption keys via Tox. This means that the group will let affiliates continue extorting their victims by providing a decryptor only if a ransom is paid. An .onion domain – Tor hidden service –  can only be launched with a public and private generated key pair – both keys are needed to start the service. Because anyone with access to the private key might use it to establish the same .onion service on their own server, it must be kept safe and only available to trusted admins. Since a third party was able to hijack the domains, they now have access to the private keys for the secret service. It is yet unknown who has hacked into their servers.”

Title: The Data Breach Twitch Suffered Had Minimal Impact, the Company Says
Date Published: October 18, 2021

https://heimdalsecurity.com/blog/the-data-breach-twitch-suffered-had-minimal-impact-the-company-says/

Excerpt: “It appears that the incident had minimal impact and only affected a “small fraction” of users who will be contacted directly by the organization. We’ve undergone a thorough review of the information included in the files exposed and are confident that it only affected a small fraction of users and the customer impact is minimal. We are contacting those who have been impacted directly. An update published on Friday by the streaming site made it clear that no passwords, login credentials, credit cards, or banking information were accessed or exposed following the massive hack they experienced last week. Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information.”

Title: Joint Statement of the Ministers and Representatives from the Counter Ransomware Initiative Meeting October 2021
Date Published: October 14, 2021

https://www.whitehouse.gov/briefing-room/statements-releases/2021/10/14/joint-statement-of-the-ministers-and-representatives-from-the-counter-ransomware-initiative-meeting-october-2021/

Excerpt: “Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering. We acknowledge that uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors seeking platforms to move illicit proceeds without being subject to appropriate anti-money laundering (AML) and other obligations. We also recognize the challenges some jurisdictions face in developing frameworks and investigative capabilities to address the constantly evolving and highly distributed business operations involving virtual assets.”

Title: Governor Wants to Prosecute Journalist Who Clicked ‘View Source’ on Government Site
Date Published: October 14, 2021

https://www.vice.com/en/article/jg8ynp/governor-wants-to-prosecute-journalist-who-clicked-view-source-on-government-site

Excerpt: “Once the paper alerted the state government, the department fixed the bug on Tuesday, and the paper published its story on Wednesday, once there were no risks for the teachers whose SSNs were exposed. Parson’s comments are also a textbook example of government officials seemingly not having any clue how technology works, and vilifying people who do ethical security research as criminals, rather than simply thanking them for doing a public service that makes us all safer. “The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities,” the St. Louis Post-Dispatch wrote in its article.”

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...

April 28, 2022

Title: New Bumblebee Malware Takes Over BazarLoader's Ransomware Delivery Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-takes-over-bazarloaders-ransomware-delivery/ Excerpt: “A newly discovered malware loader...

April 27, 2022

Title: Chinese State-Backed Hackers now Target Russian State Officers Date Published: April 27, 2022 https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/ Excerpt: “Security researchers analyzing a phishing...