OSN October 20, 2021

Fortify Security Team
Oct 20, 2021

Title: China-Linked Lightbasin Group Accessed Calling Records From Telcos Worldwide
Date Published: October 20, 2021


Excerpt: “Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak third-party-focused passwords (i.e. huawei) for the initial compromise. Once on the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants. Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.”

Title: Newer Purplefox Botnet Variants Leverage Websockets for Coms
Date Published: October 20, 2021


Excerpt: “A new .NET backdoor retrieved from recent campaigns was dropped days after the initial intrusion to leverage WebSockets for C2 communications. This component is responsible for setting up the communication configuration as well as for the initialization of cryptographic functions. The use of WebSockets for communications is something unusual in the malware space, but PurpleFox shows that it can be very effective nonetheless. The exchanged messages between the infected machine and the selected C2 server begin with negotiations for a session RSA encryption key, but even this first exchange is AES-encrypted using a default key.”

Title: New Linux Kernel Memory Corruption Bug Causes Full System Compromise
Date Published: October 20, 2021


Excerpt: “In 2017, MacAfee researchers discussed a memory corruption bug inside the Linux kernel’s UDP fragmentation offload (UFO) that allowed unauthorized individuals to gain local privilege escalation. The bug affected both IPv4 and IPv6 code paths running kernel version 4.8.0 of Ubuntu xenial and was fixed in Commit 85f1bd9. Now, Google’s Project Zero team has shared details of a similar yet much simpler bug that can cause complete system compromise. Researchers dubbed it a “straightforward Linux kernel locking bug” that they exploited against Debian Buster’s kernel.”

Title: Zerodium Wants Zero-day Exploits for Windows VPN Clients
Date Published: October 19, 2021


Excerpt: “Zerodium’s current interest is in vulnerabilities affecting Windows clients for NordVPN, ExpressVPN, and SurfShark VPN services. Together, they serve millions of users, the first two reportedly claiming at least 17 million users around the globe. According to data on their sites, the three companies manage more than 11,000 servers spread over tens of countries. The vulnerability broker’s announcement today called for bugs that could reveal information about users, their IP addresses, and vulnerabilities that can be used to achieve remote code execution. One type of flaw that the broker does not want is local privilege escalation.”

Title: $5.2 Billion Worth of Bitcoin Transactions Possibly Tied to Ransomware
Date Published: October 20, 2021


Excerpt: “As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants alone, according to a report by the Financial Crimes Enforcement Network (FinCEN) of the United States’ Department of the Treasury. The report also looked at ransomware-related Suspicious Activity Reports (SARs), i.e. reports made by financial institutions about suspected ransomware payments, in the first half of this year. “The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million),” said the agency. Not surprisingly, the analysis found that ransomware is an increasing threat to the government, businesses, and the public.”

Title: Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
Date Published: October 20, 2021


Excerpt: “An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), thus giving a malicious actor complete access to the underlying machine. Given where Squirrel lives – in games and embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.”

Title: Customer Services Firm Atento Hit by Cyberattack
Date Published: October 19, 2021


Excerpt: “Brazil is one of Atento’s main global markets. More than 45% of the company’s global workforce, which employs over 150,000 people, is concentrated in the Brazilian operation, which serves major telecommunications companies and banks such as Bradesco and Itaú. The BPO firm is the latest of a string of companies operating in Brazil that have suffered cyberattacks recently. Last week, one of Brazil’s largest insurance groups, Porto Seguro, suffered a cyberattack that resulted in instability to its service channels and some of its systems.”

Title: New Tricks of the Trickbot Trojan
Date Published: October 19, 2021


Excerpt: “What’s more, Trickbot is now popular with cybercriminal groups as a delivery vehicle for injecting third-party malware into corporate infrastructure. News outlets recently reported that Trickbot’s authors have hooked up with various new partners to use the malware to infect corporate infrastructure with all kinds of additional threats, such as the Conti ransomware. Such repurposing could pose an additional danger to employees of corporate security operation centers and other cybersec experts. Some security solutions still recognize Trickbot as a banking Trojan, as per its original specialty. Therefore, infosec officers who detect it might view it as a random home-user threat that accidentally slipped into the corporate network. In fact, its presence there could indicate something far more serious — a ransomware injection attempt or even part of a targeted cyberespionage operation.”

Title: Blackmatter Ransomware Gang Will Target Agriculture for Its Next Harvest – Uncle Sam
Date Published: October 19, 2021


Excerpt: “Well known in Western infosec circles for causing the shutdown of the US Colonial Pipeline, Darkside’s apparent rebranding as BlackMatter after promising to go away for good in the wake of the pipeline hack hasn’t slowed their criminal extortion down at all. “Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory,” said the agencies in an alert published on the CISA website.”

Title: Ransomware Attack Disrupts Production at Ferrara Candy, Maker of Brach’s Candy Corn
Date Published: October 19, 2021


Excerpt: “Chicago-based Ferrara Candy Co. was hit by a ransomware attack that disrupted production earlier this month, but the hack shouldn’t affect supplies of its Halloween treats. Ferrara, which makes Brach’s Candy Corn, as well as brands like Nerds, Laffy Taffy, Keebler and Famous Amos, said it discovered the hack, which encrypted some of its systems, on Oct. 9. The company is working with law enforcement and outside specialists to restore those systems and get back to operating at full capacity. “We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue,” Ferrara said.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/ Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/ Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 https://www.bleepingcomputer.com/news/legal/surfshark-expressvpn-pull-out-of-india-over-data-retention-laws/ Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 https://www.bleepingcomputer.com/news/security/italian-city-of-palermo-shuts-down-all-systems-to-fend-off-cyberattack/ Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...