OSN October 19, 2021

Fortify Security Team
Oct 19, 2021

Title: Harvester: Nation-State-Backed Group Uses New Toolset to Target Victims in South Asia
Date Published: October 18, 2021


Excerpt: “The attackers deployed a custom backdoor called Backdoor.Graphon on victim machines alongside other downloaders and screenshot tools that provided the attackers with remote access and allowed them to spy on user activities and exfiltrate information. We do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence we found of Harvester activity on victim machines was a malicious URL. The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network. The group also tried to blend its activity with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity.”

Title: US Authorities Issue BlackMatter Ransomware Alert
Date Published: October 19, 2021


Excerpt: “BlackMatter is said to eschew healthcare, NGO, government, oil and gas and other critical infrastructure sectors. However, last month it targeted a US grain producer, which claimed to play a key role in the US food supply chain. New Cooperative was hit with a $5.9m ransom at that time. Demanding payments of up to $15m from its victims, BlackMatter has been observed using remote monitoring and desktop software to achieve persistence. It may also use previously compromised credentials embedded in LDAP and SMB to access Active Directory and discover all hosts on the network, the alert noted.”

Title: VPN Provider’s Misconfiguration Exposes One Million Users
Date Published: October 19, 2021


Excerpt: “Unfortunately, Quickfox owner Fuzhou Zixun Network Technology had not adequately configured its Elastic Stack security, leaving an Elasticsearch server exposed and accessible – with no password protection or encryption enforced. The 100GB trove found by the researchers contained 500 million records, including PII on one million users and system data on 300,000 customers. WizCase told Infosecurity that the server has yet to be secured. The exposed PII included customers’ emails, IP addresses, phone numbers, details to identify device type, and MD5 hashed passwords. WizCase warned that MD5 is itself far from secure and can be cracked by modern technology.”
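Why unsalted MD5 in an exposed database is effectively plaintext, and what the store should have used instead. This is an added example, not code from the WizCase report or from Quickfox; the leaked records and the wordlist are constructed here, and the PBKDF2 iteration count is an assumption taken from current OWASP guidance rather than anything the article states.

```python
import hashlib
import hmac
import os

# Constructed sample standing in for an exposed record set of
# email -> unsalted MD5(password). Not real Quickfox data.
LEAKED_RECORDS = {
    "alice@example.com": hashlib.md5(b"password123").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"9!vZq#2pLx@wR7").hexdigest(),
}

# Constructed wordlist; a real attacker uses hundreds of millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]


def crack_md5(records, wordlist):
    """Recover plaintexts for unsalted MD5 hashes with a precomputed lookup.

    MD5 is fast and there is no per-user salt, so hashing each candidate word
    once breaks every user who chose it: the cost is O(wordlist), not
    O(users x wordlist), and the table can be built before the leak exists.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in records.items() if h in lookup}


# Hardened storage: random per-user salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # assumption: OWASP's recommended floor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>' for storage."""
    salt = salt or os.urandom(16)  # fresh salt per password: no shared lookup table
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAKED_RECORDS, WORDLIST))
    stored = hash_password("letmein")
    print("stored form:", stored)
    print("verify ok:", verify_password("letmein", stored))
```

With a real dictionary the `crack_md5` step recovers most user passwords in seconds; with the PBKDF2 form each guess costs one full derivation per user, and two users with the same password get unrelated hashes.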

Title: Twitter Accounts Linked to Cyberattacks Against Security Researchers Suspended
Date Published: October 19, 2021


Excerpt: “Links are then sent to researchers to a blog that contains browser exploits including an Internet Explorer zero-day unmasked in January. Alternatively, they may also be sent a malicious Visual Studio project file containing a backdoor, granting the attackers entry into their victim’s machine — and the information contained therein. In March, the group created a fake Turkish offensive security company called SecuriElite, with a batch of profiles linked to this firm pretending to be made up of cybersecurity researchers and recruiters. Last week, Google TAG documented efforts to counter attacks from APT35, an Iranian group specializing in phishing campaigns against high-risk users of Google, including campaign staffers during the 2020 US election.”

Title: Whatta TA: TA505 Ramps Up Activity, Delivers New FlawedGrace Variant
Date Published: October 19, 2021


Excerpt: “In an analysis published on Tuesday, Proofpoint said that its researchers have been tracking renewed malware campaigns from TA505 that started out slowly at the beginning of September – with only several thousand emails per wave, distributing malicious Excel attachments – and then pumped up the volume later in the month, resulting in tens to hundreds of thousands of emails by the end of September. Many of the campaigns – particularly the heftier ones – “strongly resemble” what the gang was up to between 2019 and 2020, including similar domain naming conventions, email lures, Excel file lures, and the delivery of the FlawedGrace RAT, according to the writeup. In the early September waves of email attacks, TA505 used more specific lures that didn’t affect as many industries as the more recent October 2021 campaigns, Proofpoint researchers said.”

Title: South Korea Wants Help to Arrest Alleged Cyber-Criminals
Date Published: October 18, 2021


Excerpt: “It is alleged by the South Korean police that the detained suspects laundered virtual currency for a hacking organization. The crypto-currency was allegedly the proceeds of ransomware attacks and was later converted into cash. South Korean police charged three of the detainees earlier this month with violating South Korea’s laws on communication networks and information protection, extortion and concealing criminal proceeds. Choi Jongsang, chief of the South Korean police’s cybercrime investigation division, said that the two red notice suspects played leading roles in cyber-attacks carried out in 2019. The attacks deployed ransomware against a university and three companies in South Korea.”

Title: ACE Takes Down Electro TV SAT Pirate Streaming Service
Date Published: October 19, 2021


Excerpt: “ACE is a powerful rights-holders coalition consisting of CANAL+, Netflix, Amazon, Sony, ViacomCBS, Walt Disney, Apple TV+, and many more notable members. Electro TV Sat was infringing the copyrights of almost all of ACE’s 34 members, with the most affected being the France-focused CANAL+ Group. ACE has conducted an investigation on the ownership of Electro TV Sat, and found that it was operated by two individuals from the city of Oujda, in northeast Morocco. All four domains belonging to the pirate platform have been transferred to ACE and are now redirecting visitors to the “Watch Legally” section of its website.”

Title: Vulnerability Spotlight: Multiple vulnerabilities in ZTE MF971R LTE router
Date Published: October 18, 2021


Excerpt: “TALOS-2021-1320 and TALOS-2021-1321 are stack-based buffer overflow vulnerabilities. An attacker could exploit these issues to execute arbitrary remote code on the targeted device. As part of these exploits, the attacker needs to complete a referrer bypass, which is outlined in TALOS-2021-1317. TALOS-2021-1318 and TALOS-2021-1319 are cross-site scripting vulnerabilities that an attacker could use to execute arbitrary JavaScript in the victim’s browser. In this case, an attacker would need to trick the user into opening an attacker-controlled URL that hosts the malicious HTTP request. An adversary could also exploit TALOS-2021-1316 to cause a configuration file entry overwrite. Lastly, there is TALOS-2021-1313, a CRLF injection vulnerability in the router. The victim does not need to be logged in for an adversary to exploit this vulnerability.”
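What a CRLF (header) injection bug of the kind named in the last item looks like in general, as an added example. This is not the ZTE MF971R firmware and does not reproduce TALOS-2021-1313; the advisory excerpt gives no details of the vulnerable sink. The redirect handler, the injected payload and the naive header parser below are all constructed for illustration.

```python
class HeaderInjection(ValueError):
    """Raised when a header value carries characters that would start a new line."""


def build_redirect_vulnerable(location):
    """Build a 302 response by pasting a user-controlled value into a header.

    A value containing "\r\n" ends the Location line early and lets the
    attacker append headers (or, with a blank line, a whole body) of their own.
    """
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode()


def build_redirect_safe(location):
    """Same response, but header values must be printable ASCII with no CR/LF."""
    if not (location.isascii() and location.isprintable()):
        # isprintable() is False for "\r", "\n", "\x00" and other controls.
        raise HeaderInjection("control or non-ASCII characters in header value")
    return build_redirect_vulnerable(location)


def parse_headers(raw):
    """Parse a response head the way a simple client does: one header per CRLF line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    # Constructed attacker input for a redirect parameter such as ?next=...
    payload = "/home\r\nSet-Cookie: sid=attacker"
    print(parse_headers(build_redirect_vulnerable(payload)))
    try:
        build_redirect_safe(payload)
    except HeaderInjection as exc:
        print("rejected:", exc)
```

The fix is to validate or reject at the sink, not to strip characters: stripping "\r\n" still leaves a bare "\n", which many HTTP parsers accept as a line terminator.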

Title: Accenture: Ransomware Attack Breached Proprietary Data
Date Published: October 18, 2021


Excerpt: “Accenture appears to have declined to pay its attackers anything, leading to all of the stolen data eventually getting dumped. On its leak site, LockBit now lists for download 2,384 directories – which security experts say included even more subdirectories – as having been stolen from Accenture. By Aug. 22, the group had finished leaking the stolen data for free download from its data-leak site. “If you’re interested in buying some databases, reach us,” the site reads. In August, a CNBC reporter said that a review of the leaked Accenture data found what appeared “to be PowerPoints, case studies, quotes and the like.” Accenture declined to comment about whether it directly notified any individuals or customers about the breach, for example, if their employees’ personal details might have been exposed, or other information stolen pertaining to business partners or customers. Instead, the company referred again to the statement it issued in August.”

Title: Suspected Chinese Hackers Behind Attacks on Ten Israeli Hospitals
Date Published: October 18, 2021


Excerpt: “According to local media reports, the attack is attributed to a Chinese group of actors using the ‘DeepBlueMagic’ ransomware strain, which first appeared in the wild in August this year. DeepBlueMagic is known to disable security solutions that usually detect and block file encryption attempts, allowing for successful attacks. Testing the IOCs shared by the authorities, BleepingComputer determined that the threat actors are using the ‘BestCrypt’ hard drive encryption tool to encrypt devices. Israel’s National Cyber Directorate has released indicators of compromise (IOCs) in the form of file hashes that have been seen in related attacks.”
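How a responder turns a published list of file-hash IOCs into a sweep of a host, as an added example. The hashes below are computed from constructed placeholder bytes and are not the indicators released by Israel’s National Cyber Directorate; substitute the official list. The example hashes each file once for every algorithm present in the list (md5, sha1 and sha256 are told apart by digest length) and skips symlinks and unreadable files instead of aborting.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed IOC set: digests of placeholder bytes, NOT the official indicators.
SAMPLE_BYTES = b"constructed sample, stands in for a flagged binary\n"
IOC_HASHES = {
    hashlib.sha256(SAMPLE_BYTES).hexdigest(),
    hashlib.md5(b"another constructed placeholder").hexdigest(),
}

# Hex digest length -> algorithm, so a mixed md5/sha1/sha256 list just works.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_iocs(hashes):
    """Normalise an IOC list to {algorithm: {lowercase hex digest}}."""
    by_algo = {}
    for h in hashes:
        h = h.strip().lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or any(c not in "0123456789abcdef" for c in h):
            raise ValueError(f"not a hex md5/sha1/sha256 digest: {h!r}")
        by_algo.setdefault(algo, set()).add(h)
    return by_algo


def digest_file(path, algos, chunk=1 << 20):
    """Stream a file once and return {algorithm: hex digest} for every algo."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            for h in hashers.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(root, hashes):
    """Return [(path, algorithm, digest)] for every file under root matching an IOC."""
    iocs = load_iocs(hashes)
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():  # do not follow links out of the scanned tree
                continue
            try:
                digests = digest_file(path, iocs)
            except OSError:
                continue  # locked or unreadable file: record nothing, keep scanning
            for algo, d in digests.items():
                if d in iocs[algo]:
                    hits.append((str(path), algo, d))
    return hits


def demo():
    """Build a throwaway tree with one matching file and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.txt").write_bytes(b"nothing to see\n")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "dropped.exe").write_bytes(SAMPLE_BYTES)
        return [(Path(p).name, algo) for p, algo, _ in sweep(tmp, IOC_HASHES)]


if __name__ == "__main__":
    print(demo())
```

Hash IOCs are brittle (one byte changes the digest), so treat a hit as confirmation and a miss as no evidence either way; pair the sweep with the behavioural indicator the article gives, the presence and execution of the BestCrypt tool.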
