OSN October 25, 2021

Fortify Security Team
Oct 25, 2021

Title: New Activity From Russian Actor Nobelium
Date Published: October 24, 2021


Excerpt: “Microsoft recently released news regarding the Nobelium threat actors, the same ones responsible for the supply chain attack leveraging Solarwinds Orion products. Microsoft says the actors may replicate a similar approach by targeting organizations integral to the global IT supply chain. However, with this go-around, it’s possible that they may be targeting “supply-chain: resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers” (Microsoft, 2021). Rather than exploiting flaws and vulnerabilities, they use standard techniques as initial access vectors, such as password-spraying and phishing.”

Title: Hackers Used Billing Software Zero-day To Deploy Ransomware
Date Published: October 25, 2021


Excerpt: “A “potentially devastating and hard-to-detect threat” could be abused by attackers to collect users’ browser fingerprinting information with the goal of spoofing the victims without their knowledge, thus effectively compromising their privacy. Academics from Texas A&M University dubbed the attack system “Gummy Browsers,” likening it to a nearly 20-year-old “Gummy Fingers” technique that can impersonate a user’s fingerprint biometrics. “The idea is that the attacker A first makes the user U connect to his website (or to a well-known site the attacker controls) and transparently collects the information from U that is used for fingerprinting purposes (just like any fingerprinting website W collects this information),” the researchers outlined.”

Title: Microsoft No Longer Signs Windows Drivers for Process Hacker
Date Published: October 22, 2021


Excerpt: “I was around during the ’90s and they killed Netscape with this exact same behavior by changing APIs and blocking Netscape from those same APIs. Windows owns the market for the simple reason that it’s not some locked-down garbage controlled system, so they need to start communicating these changes if they intend to kill off third-party task managers, or instead do something about the numerous complaints and issues that I have complained about, or they’ll end up getting prosecuted and charged by regulators again just like last time when they did this exact same bullshit with Netscape.”

Title: BlackMatter Ransomware Victims Quietly Helped Using Secret Decryptor
Date Published: October 24, 2021


Excerpt: “Cybersecurity firm Emsisoft has been secretly decrypting BlackMatter ransomware victims since this summer, saving victims millions of dollars. Emsisoft and its CTO Fabian Wosar have been helping ransomware victims recover their files since 2012, when an operation called ACCDFISA was launched as the first modern ransomware. Since then Wosar and others have been working tirelessly to find flaws in ransomware’s encryption algorithms that allow decryptors to be made. However, to prevent ransomware gangs from fixing these flaws, Emsisoft quietly works with trusted partners in law enforcement and incident response to share the news of these decryptors rather than making them publicly available.”

Title: DarkSide Ransomware Rushes To Cash Out $7 Million in Bitcoin
Date Published: October 22, 2021


Excerpt: “Moving the funds this way is a typical money laundering technique that hinders tracing and helps cybercriminals convert the cryptocurrency to fiat money. Elliptic says that the process continues still and that small amounts of the money have already been transferred to known exchanges. Moving the money at this time may be a result of what happened to the REvil ransomware operation, which shut down for a second time this year after finding that its services had been compromised by a third-party. The hacking occurred after REvil attacked the Kaseya MSP platform that served more than 1,000 companies across the globe. While the FBI was on the verge of disrupting REvil, the cybercriminals shut down their operation.”

Title: NYT Journalist’s iPhone Infected Twice With NSO Group Pegasus Spyware
Date Published: October 25, 2021


Excerpt: “The attacks were documented by the Citizen Lab research team at the University of Toronto; the infections took place while the journalist was working on a book about Saudi Crown Prince Mohammed bin Salman. “Notably, these infections occurred after Hubbard complained to NSO Group that he was targeted by the Saudi-linked KINGDOM Pegasus operator in June 2018,” reported Citizen Lab. “While we attribute the 2020 and 2021 infections to NSO Group’s Pegasus spyware with high confidence, we are not conclusively attributing this activity to a specific NSO Group customer at this time. However, we believe that the operator responsible for the 2021 hack is also responsible for the hacking of a Saudi activist in 2021.””

Title: CISA Urges Admins To Patch Critical Discourse Code Execution Bug
Date Published: October 25, 2021


Excerpt: “According to official stats, Discourse was used to publish 3.5 million posts viewed by 405 million users in September 2021 alone. Because of Discourse’s widespread use, CISA also published an alert about the flaw, urging forum admins to update to the latest available version or apply the necessary workarounds. The exploit is triggered by sending a maliciously crafted request to the vulnerable software, taking advantage of a lack of validation in the ‘subscribe-url’ values. Calls to `open()` with user-supplied input allow invoking OS commands with whatever rights the web app runs on, which is typically ‘www-data’ (admin).”
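The `open()` call the excerpt refers to is a Ruby behaviour (Discourse is a Ruby on Rails application): `Kernel#open` treats a string that begins with `|` as a command to run and opens a pipe to its output, so a user-controlled value reaching that call runs commands as the web app's user. The block below is an added example, not Discourse's code or the fix it shipped: it places the vulnerable call beside a validating wrapper that parses the value as a URL and accepts only absolute http(s) URLs. The function names, the sample subscribe-url values and the harmless `echo` payload are constructed for illustration.

```ruby
require "uri"

# Vulnerable pattern (illustrative, not Discourse's code): Kernel#open is not
# only a file opener. A string that starts with "|" is run as a command and the
# block receives a pipe to its stdout, so a hypothetical subscribe-url value
# that an attacker controls becomes command execution as the app's user.
def vulnerable_fetch(subscribe_url)
  open(subscribe_url) { |io| io.read }
end

class RejectedUrl < StandardError; end

# Hardened pattern: parse first, accept only absolute http(s) URLs that carry a
# host, and never hand the raw string to Kernel#open. The returned URI object is
# what a caller would pass to Net::HTTP; nothing here can spawn a process.
# URI::HTTPS is a subclass of URI::HTTP, so one check covers both schemes.
def validate_subscribe_url(subscribe_url)
  uri = URI.parse(subscribe_url.to_s)
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise RejectedUrl, "refusing non-http(s) subscribe-url: #{subscribe_url.inspect}"
  end
  uri
rescue URI::InvalidURIError => e
  # "|echo ..." is not even a syntactically valid URI; treat that as a rejection too.
  raise RejectedUrl, "malformed subscribe-url: #{e.message}"
end

# True when the hardened validator refuses the value.
def rejected?(subscribe_url)
  validate_subscribe_url(subscribe_url)
  false
rescue RejectedUrl
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a harmless pipe payload, a local-file URL, and a
  # plausible-looking HTTPS subscription URL (the host is made up).
  puts "Kernel#open on pipe payload -> #{vulnerable_fetch('|echo injected').inspect}"
  [
    "|echo injected",
    "file:///etc/passwd",
    "https://sns.example.test/?Action=ConfirmSubscription",
  ].each do |value|
    puts "#{value.inspect}: #{rejected?(value) ? 'rejected' : 'accepted'}"
  end
end
```

Running the file prints `"injected\n"` for the first line, which is the command's output coming back through the pipe rather than the contents of any file; the validator rejects the pipe payload and the `file://` URL and accepts only the HTTPS one. Newer Ruby releases warn when `Kernel#open` is given a leading `|`, but the call still executes the command, so explicit scheme validation (or `File.open`/`Net::HTTP`, which never interpret `|`) remains the fix.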

Title: Facebook Sues Scraper Who Sold 178 Million Phone Numbers and User IDs
Date Published: October 25, 2021


Excerpt: “Facebook has sued a Ukrainian national for allegedly harvesting and selling personal data describing 178 million of the Social Network™’s users – actions it says violate the service’s terms of service. The suit alleges that Alexander Alexandrovich Solonchenko created millions of virtual Android devices, each with a different phone number, and used them to deliver automated requests to Facebook systems using the Messenger app. Over 21 months between January 2018 and September 2019, Solonchenko purportedly took advantage of Facebook Messenger’s now-defunct Contact Importer feature. The feature allowed users to synchronize their phone address books and see which contacts had an account with The Social Network™, presumably so they could contact them on Messenger rather than through other means.”

Title: Ransomware: Industrial Services Top the Hit List – But Cyber Criminals Are Diversifying
Date Published: October 25, 2021


Excerpt: “In a significant number of cases, the victim will give in to the demands and pay the ransom. This might be because they don’t have back-ups, because the criminals threaten to leak stolen data if they’re not paid, or simply because the victim perceives paying the ransom to be the quickest means of restoring the network. Yet in reality, even with the correct decryption key, services can remain disrupted for a long time after the event. In an analysis of over 3,000 reported ransomware attacks between July and September this year, cybersecurity researchers at Digital Shadows found that industrial goods and services was the most commonly reported sector, accounting for almost double the number of incidents that affected the second most affected industry – technology.”

Title: Red Team Research Found Two Rare Flaws in Ericsson OSS-RC Component
Date Published: October 25, 2021


Excerpt: “Ethics in the search for vulnerabilities, in this historical period, is something very important, and once identified, these vulnerabilities, not yet documented (so-called zero-days), must be immediately reported to the vendor to provide public information that allows their active exploitation by Threat Actors (TA) on systems without patches. The TIM RTR laboratory has already discovered over 60 zero-day issues in the last two years; 4 of these vulnerabilities received a CVSS score of 9.8. TIM is a leading company in the research of zero-day vulnerabilities and the results demonstrate the success of the RTR project.”

Recent Posts

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-zero-day-actively-used-in-attacks/ Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-intel-firmware-for-stealthy-attacks/ Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 https://www.bleepingcomputer.com/news/security/ransomware-attacks-need-less-than-four-days-to-encrypt-systems/ Excerpt: “The duration of ransomware attacks in 2021...

May 31, 2022

Title: Microsoft Shares Mitigation for Office Zero-Day Exploited in Attacks Date Published: May 31, 2022 https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-office-zero-day-exploited-in-attacks/ Excerpt: “Microsoft has shared mitigation...

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...