OSN October 21, 2021

Fortify Security Team
Oct 21, 2021

Title: Nine Arrested for Impersonating Bank Clerks To Steal From the Elderly

Date Published: October 21, 2021

https://www.bleepingcomputer.com/news/security/nine-arrested-for-impersonating-bank-clerks-to-steal-from-the-elderly/

Excerpt: “The Dutch Police have arrested nine people for targeting and stealing money from the elderly by impersonating bank employees. The group of bank help desk fraudsters, five men and four women between the ages of 20 and 27, were arrested between September 14 and October 19, 2021. The scammers now face criminal charges for defrauding multiple targets while posing as bank employees in phone calls where they used caller ID spoofing to make it appear as if they called from real financial institutions in the Netherlands.”

Title: Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer

Date Published: October 21, 2021

https://thehackernews.com/2021/10/bug-in-free-winrar-software-could-let.html

Excerpt: “A new security weakness has been disclosed in the WinRAR trialware file archiver utility for Windows that could be abused by a remote attacker to execute arbitrary code on targeted systems, underscoring how vulnerabilities in such software could become a gateway for a roster of attacks. Tracked as CVE-2021-35052, the bug impacts the trial version of the software running version 5.70. “This vulnerability allows an attacker to intercept and modify requests sent to the user of the application,” Positive Technologies’ Igor Sak-Sakovskiy said in a technical write-up. “This can be used to achieve remote code execution (RCE) on a victim’s computer”.”

Title: Palo Alto warns of BEC-as-a-service

Date Published: October 21, 2021

https://www.zdnet.com/article/palo-alto-warns-of-bec-as-a-service-finds-average-wire-fraud-attempted-is-567000-with-peak-of-6-million/

Excerpt: “The security team pored through hundreds of BEC cases, finding the average wire fraud attempted was $567,000, and the highest was $6 million. Among the hundreds of BEC cases Unit 42 tackled since the beginning of last year, researchers found that 89% of victims failed to turn on multi-factor authentication or follow best practices for its implementation. The FBI often cites BEC as one of the most lucrative cybercrimes, and the law enforcement agency reported last year that it led to $1.87 billion in losses. According to Palo Alto researchers, victims typically want to avoid reputational harm and often don’t go public, which has made BEC a relatively silent threat.”

Title: TeamTNT Deploys Malicious Docker Image on Docker Hub

Date Published: October 21, 2021

https://www.bankinfosecurity.com/teamtnt-deploys-malicious-docker-image-on-docker-hub-a-17766

Excerpt: “Docker containers have become an integral part of organisations. A lot of services nowadays run in isolated Docker containers. The threat actors on the other side are also trying to deploy malicious components to escape Docker containers and target host machines and the other nodes connected in a subnet and its swarm. Hence, to maintain a robust security stance, it is crucial to be able to detect malicious images early in the CI/CD pipeline as well as monitor all the container activities in runtime.”

Title: Proposed HTTPA Protocol Uses TEEs to Secure the Web

Date Published: October 20, 2021

https://www.darkreading.com/emerging-tech/proposed-httpa-protocol-uses-tees-to-secure-web

Excerpt: “A TEE refers to enclaves in memory where sensitive computations can be run on sensitive details. Both Intel and ARM offer hardware-based TEEs: the Intel Software Guard Extension (Intel SGX) and TrustZone. Wang and King note in the paper that SGX provides in-memory encryption to help protect the runtime computation and reduce risks of illegal leaking or modifying private information. “SGX also provides security assurances via remote attestation to the web client, including TCB identity, vendor identity and verification identity,” the paper says.”

Title: Malicious Campaign Uses a Barrage of Commodity RATs to Target Afghanistan and India

Date Published: October 19, 2021

https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html

Excerpt: “This threat actor, A.R., uses a front company to procure infrastructure for operationalizing their crimeware campaign. This campaign uses a variety of political and government-related themes in their icons and decoys. The infection chains utilized by the actor are simple and consist of delivering commodity RATs such as dcRAT, Quasar and AndroRAT to their victims. Their use of custom downloaders for delivery, file enumerators for reconnaissance, and infectors to weaponize benign documents indicates attempts at aggressive proliferation. These tools also indicate that the threat actor is actively pursuing creating bespoke tools to shift away from commodity malware.”

Title: Using Discord Infrastructure for Malicious Intent

Date Published: October 21, 2021

https://blog.checkpoint.com/2021/10/21/using-discord-infrastructure-for-malicious-intent/

Excerpt: “After uploading the file, the user can copy the file’s CDN URL, allowing anyone that reaches this URL to download that file. In this way, Discord essentially works as a file hosting server, but one that is much easier to establish with no setup at all. An attacker can upload a file to a newly created designated server in seconds, or send the file to another party. In addition, the attacker’s privacy is ensured. There is no link between the uploader of the file and the URL. Combined with other methods, for example re-sending the file at each interval to change the CDN URL, this makes the process of tracing back to the attacker or blocking the payload more difficult.”

Title: Malicious NPM Packages Caught Running Cryptominer On Windows, Linux, macOS Devices

Date Published: October 21, 2021

https://thehackernews.com/2021/10/malicious-npm-packages-caught-running.html

Excerpt: “Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories are becoming a lucrative target for executing an array of attacks on Windows, macOS, and Linux systems. The malicious packages in question — named okhsa, klow, and klown — were published by the same developer and falsely claimed to be JavaScript-based user-agent string parsers designed to extract hardware specifics from the “User-Agent” HTTP header. But unbeknownst to the victims who imported them, the author hid cryptocurrency mining malware inside the libraries.”

Title: Discord CDN Abuse Found to Deliver 27 Unique Malware Types

Date Published: October 21, 2021

https://www.riskiq.com/blog/external-threat-management/discord-cdn-abuse-malware/

Excerpt: “Files on the Discord CDN use a Discord domain with the link in the following format: hxxps://cdn.discordapp[.]com/attachments/{ChannelID}/{AttachmentID}/(unknown) With RiskIQ’s deep and comprehensive view of the infrastructure across the web, our platform can detect these links and query Discord channel IDs used in these links. This process enables us to identify domains containing web pages that link out to a Discord CDN link with a specific channel ID.”
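The Check Point and RiskIQ items above both turn on the same detail: a Discord attachment URL carries the channel ID and attachment ID in its path, so a defender who can find those links in proxy logs or fetched HTML can pivot on the channel ID even though the uploader is not visible. The following script is an added example written for this digest, not code from either vendor. It matches both live and defanged (hxxps, [.]) forms of the URL format quoted above, refangs them, groups attachments by channel ID, and flags filenames with extensions a practitioner would want to look at first. The log lines and HTML snippet in SAMPLE_INPUT are constructed, and the RISKY_EXTENSIONS list is an assumption for illustration, not something either post specifies.

```python
"""Find Discord CDN attachment links and group them by channel ID.

Added example for this digest (not RiskIQ or Check Point code). Input is
any text that may contain Discord attachment URLs: proxy or web-server logs,
fetched HTML, e-mail bodies. Only the cdn.discordapp.com host named in the
RiskIQ post is matched.
"""
import re
from collections import defaultdict

# Path format from the RiskIQ post:
#   https://cdn.discordapp.com/attachments/{ChannelID}/{AttachmentID}/{filename}
# Accepts defanged indicators (hxxps://, [.]) as well as live URLs.
DISCORD_CDN_RE = re.compile(
    r"h(?:tt|xx)ps?://cdn\.discordapp(?:\.|\[\.\])com"
    r"/attachments/(?P<channel>\d{15,20})/(?P<attachment>\d{15,20})"
    r"/(?P<filename>[^\s\"'<>)]+)",
    re.IGNORECASE,
)

# Extensions worth a second look when served from a chat CDN.
# Assumed list for this example; tune it to your environment.
RISKY_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs",
    ".js", ".jar", ".zip", ".iso",
}

# Constructed sample: two log lines, one HTML fragment with a defanged link.
SAMPLE_INPUT = """\
2021-10-21T10:02:11Z GET https://cdn.discordapp.com/attachments/123456789012345678/987654321098765432/invoice.exe 200
2021-10-21T10:03:05Z GET https://example.com/index.html 200
<a href="hxxps://cdn.discordapp[.]com/attachments/123456789012345678/111111111111111111/update.zip">download</a>
2021-10-21T10:05:40Z GET https://cdn.discordapp.com/attachments/555555555555555555/222222222222222222/readme.txt 200
"""


def refang(url):
    """Turn a defanged indicator (hxxps://, [.]) back into a real URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def find_discord_attachments(text):
    """Return one dict per Discord attachment link found in text."""
    hits = []
    for m in DISCORD_CDN_RE.finditer(text):
        filename = m.group("filename")
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        hits.append({
            "url": refang(m.group(0)),
            "channel_id": m.group("channel"),
            "attachment_id": m.group("attachment"),
            "filename": filename,
            "risky": ext in RISKY_EXTENSIONS,
        })
    return hits


def group_by_channel(hits):
    """Map channel ID -> sorted list of attachment IDs seen for that channel.

    A channel ID that keeps appearing with fresh attachment IDs is the
    pattern to watch: re-uploading a payload changes the attachment ID
    but not the channel.
    """
    channels = defaultdict(set)
    for h in hits:
        channels[h["channel_id"]].add(h["attachment_id"])
    return {c: sorted(a) for c, a in channels.items()}


if __name__ == "__main__":
    found = find_discord_attachments(SAMPLE_INPUT)
    for h in found:
        flag = "RISKY" if h["risky"] else "     "
        print(f"{flag} channel={h['channel_id']} attachment={h['attachment_id']} {h['filename']}")
    for channel, attachments in group_by_channel(found).items():
        print(f"channel {channel}: {len(attachments)} attachment(s)")
```

Run it against a day of proxy logs and the channel IDs with the most distinct attachment IDs are the ones to submit for takedown or to block at the egress proxy; blocking on attachment ID alone is what the re-upload trick in the Check Point item defeats.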

Title: As Vaccine Mandates Spread, So Too Do Vaccine Scams

Date Published: October 21, 2021

https://www.avanan.com/blog/as-vaccine-mandates-spread-so-too-do-vaccine-scams

Excerpt: “This scam thrives on urgency. Notice how it says, “If you ignore or reject this invitation you might have to wait up to 12 months until you receive another one.” For travel-hungry Brits, this may be enough of a lure to cause them to jump into action. It’s important to know that in England, the only way to get a hard-copy of vaccination status is by registering your home address with a general practitioner. The NHS gets your address from those records. Beyond that, there are no links to the site in the email, which allowed it to bypass many traditional phishing filters. The email itself is well-written, with no easily discoverable spelling or grammar errors.”
