OSN October 20, 2021

Fortify Security Team
Oct 20, 2021

Title: China-Linked Lightbasin Group Accessed Calling Records From Telcos Worldwide
Date Published: October 20, 2021

https://securityaffairs.co/wordpress/123588/apt/lightbasin-cyberspies.html

Excerpt: “Crowdstrike collected evidence of the use of password-spraying attempts using extremely weak third-party-focused passwords (i.e. huawei) for the initial compromise. Once on the eDNS servers, the attackers deployed a custom backdoor, tracked as SLAPSTICK, that allowed them to access the Solaris Pluggable Authentication Module (PAM). The implant was used by LightBasin to steal passwords to access other systems and deploy additional implants. Later, the hacking group accessed multiple eDNS servers from compromised telecommunications companies and used another implant tracked as PingPong.”

Title: Newer Purplefox Botnet Variants Leverage Websockets for Coms
Date Published: October 20, 2021

https://www.bleepingcomputer.com/news/security/newer-purplefox-botnet-variants-leverage-websockets-for-coms/

Excerpt: “A new .NET backdoor retrieved from recent campaigns was dropped days after the initial intrusion to leverage WebSockets for C2 communications. This component is responsible for setting up the communication configuration as well as for the initialization of cryptographic functions. The use of WebSockets for communications is something unusual in the malware space, but PurpleFox shows that it can be very effective nonetheless. The exchanged messages between the infected machine and the selected C2 server begin with negotiations for a session RSA encryption key, but even this first exchange is AES-encrypted using a default key.”

Title: New Linux Kernel Memory Corruption Bug Causes Full System Compromise
Date Published: October 20, 2021

https://www.hackread.com/linux-kernel-memory-corruption-bug-system-compromise/

Excerpt: “In 2017, MacAfee researchers discussed a memory corruption bug inside the Linux kernel’s UDP fragmentation offload (UFO) that allowed unauthorized individuals to gain local privilege escalation. The bug affected both IPv4 and IPv6 code paths running kernel version 4.8.0 of Ubuntu xenial and was fixed in Commit 85f1bd9. Now, Google’s Project Zero team has shared details of a similar yet much simpler bug that can cause complete system compromise. Researchers dubbed it a “straightforward Linux kernel locking bug” that they exploited against Debian Buster’s 4.19.0.13-amd64 kernel.”

Title: Zerodium Wants Zero-day Exploits for Windows VPN Clients
Date Published: October 19, 2021

https://www.bleepingcomputer.com/news/security/zerodium-wants-zero-day-exploits-for-windows-vpn-clients/

Excerpt: “Zerodium’s current interest is in vulnerabilities affecting Windows clients for NordVPN, ExpressVPN, and SurfShark VPN services. Together, they serve millions of users, the first two reportedly claiming at least 17 million users around the globe. According to data on their sites, the three companies manage more than 11,000 servers spread over tens of countries. The vulnerability broker’s announcement today called for bugs that could reveal information about users, their IP addresses, and vulnerabilities that can be used to achieve remote code execution. One type of flaw that the broker does not want is local privilege escalation.”

Title: $5.2 Billion Worth of Bitcoin Transactions Possibly Tied to Ransomware
Date Published: October 20, 2021

https://www.welivesecurity.com/2021/10/19/52-billion-bitcoin-transactions-possibly-tied-ransomware/

Excerpt: “As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants alone, according to a report by the Financial Crimes Enforcement Network (FinCEN) of the United States’ Department of the Treasury. The report also looked at ransomware-related Suspicious Activity Reports (SARs), i.e. reports made by financial institutions about suspected ransomware payments, in the first half of this year. “The total value of suspicious activity reported in ransomware-related SARs during the first six months of 2021 was $590 million, which exceeds the value reported for the entirety of 2020 ($416 million),” said the agency. Not surprisingly, the analysis found that ransomware is an increasing threat to the government, businesses, and the public.”

Title: Squirrel Bug Lets Attackers Execute Code in Games, Cloud Services
Date Published: October 20, 2021

https://threatpost.com/squirrel-attackers-execute-code-games-cloud-services/175586/

Excerpt: “An out-of-bounds read vulnerability in the Squirrel programming language lets attackers break out of sandbox restrictions and execute arbitrary code within a Squirrel virtual machine (VM), thus giving a malicious actor complete access to the underlying machine. Given where Squirrel lives – in games and embedded in the internet of things (IoT) – the bug potentially endangers the millions of monthly gamers who play video games such as Counter-Strike: Global Offensive and Portal 2, as well as cloud services such as the Twilio Electric Imp IoT platform, with its ready-to-use open-source code library.”

Title: Customer Services Firm Atento Hit by Cyberattack
Date Published: October 19, 2021

https://www.zdnet.com/article/customer-services-firm-atento-hit-by-cyberattack/

Excerpt: “Brazil is one of Atento’s main global markets. More than 45% of the company’s global workforce, which employs over 150,000 people, is concentrated in the Brazilian operation, which serves major telecommunications companies and banks such as Bradesco and Itaú. The BPO firm is the latest of a string of companies operating in Brazil that have suffered cyberattacks recently. Last week, one of Brazil’s largest insurance groups, Porto Seguro, suffered a cyberattack that resulted in instability to its service channels and some of its systems.”

Title: New Tricks of the Trickbot Trojan
Date Published: October 19, 2021

https://www.kaspersky.com/blog/trickbot-new-tricks/42622/

Excerpt: “What’s more, Trickbot is now popular with cybercriminal groups as a delivery vehicle for injecting third-party malware into corporate infrastructure. News outlets recently reported that Trickbot’s authors have hooked up with various new partners to use the malware to infect corporate infrastructure with all kinds of additional threats, such as the Conti ransomware. Such repurposing could pose an additional danger to employees of corporate security operation centers and other cybersec experts. Some security solutions still recognize Trickbot as a banking Trojan, as per its original specialty. Therefore, infosec officers who detect it might view it as a random home-user threat that accidentally slipped into the corporate network. In fact, its presence there could indicate something far more serious — a ransomware injection attempt or even part of a targeted cyberespionage operation.”

Title: Blackmatter Ransomware Gang Will Target Agriculture for Its Next Harvest – Uncle Sam
Date Published: October 19, 2021

https://www.theregister.com/2021/10/19/cisa_blackmatter_agricutlure/

Excerpt: “Well known in Western infosec circles for causing the shutdown of the US Colonial Pipeline, Darkside’s apparent rebranding as BlackMatter after promising to go away for good in the wake of the pipeline hack hasn’t slowed their criminal extortion down at all. “Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory,” said the agencies in an alert published on the CISA website.”

Title: Ransomware Attack Disrupts Production at Ferrara Candy, Maker of Brach’s Candy Corn
Date Published: October 19, 2021

https://www.chicagotribune.com/business/ct-biz-ferrara-candy-company-hack-halloween-20211019-zzkf5vz7kjdxbcepuvofxha3fy-story.html

Excerpt: “Chicago-based Ferrara Candy Co. was hit by a ransomware attack that disrupted production earlier this month, but the hack shouldn’t affect supplies of its Halloween treats. Ferrara, which makes Brach’s Candy Corn, as well as brands like Nerds, Laffy Taffy, Keebler and Famous Amos, said it discovered the hack, which encrypted some of its systems, on Oct. 9. The company is working with law enforcement and outside specialists to restore those systems and get back to operating at full capacity. “We have resumed production in select manufacturing facilities, and we are shipping from all of our distribution centers across the country, near to capacity. We are also now working to process all orders in our queue,” Ferrara said.”

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...

April 28, 2022

Title: New Bumblebee Malware Takes Over BazarLoader's Ransomware Delivery Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-takes-over-bazarloaders-ransomware-delivery/ Excerpt: “A newly discovered malware loader...

April 27, 2022

Title: Chinese State-Backed Hackers now Target Russian State Officers Date Published: April 27, 2022 https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/ Excerpt: “Security researchers analyzing a phishing...