OSN October 5, 2021

Fortify Security Team
Oct 5, 2021

Title: Misconfigured, Old Airflow Instances Leak Slack, AWS Credentials

Date Published: October 5, 2021


Excerpt: “Apache Airflow instances that have not been properly secured are exposing everything from Slack to AWS credentials online. On Monday, Intezer malware analyst Nicole Fishbein and cybersecurity researcher Ryan Robinson said the instances, vulnerable to data theft, belong to industries including IT, cybersecurity, health, energy, finance, and manufacturing, among other sectors. Apache Airflow, available on GitHub, is an open source platform designed for scheduling, managing, and monitoring workflows. The modular software is also used to process data in real-time, with work pipelines configured as code.  Apache Airflow version 2.0.0 was released in December 2020 and implemented a number of security enhancements including a new REST API that enforced operational authentication, as well as a shift to explicit value settings, rather than default options.”

Title: Telco Service Provider Giant Syniverse Had Unauthorized Access Since 2016

Date Published: October 5, 2021


Excerpt: “In a filing with the U.S. Securities and Exchange Commission (SEC) the company states that an unauthorized party accessed on several occasions databases on its network. The security breach was only discovered in May 2021, five years after the alleged first intrusion. The company has launched an internal investigation to determine the extent of the security breach. “The results of the investigation revealed that the unauthorized access began in May 2016. Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (“EDT”) environment was compromised for approximately 235 of its customers.” states the SEC filing”.”

Title: New UEFI Bootkit Used to Backdoor Windows Devices Since 2012

Date Published: October 5, 2021


Excerpt: “The bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement. “ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage. Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes (ESET, 2021)”.”

Title: New Python Ransomware Targets Virtual Machines, ESXi Hypervisors to Encrypt Disks

Date Published: October 5, 2021


Excerpt: “A new strain of Python-based malware has been used in a “sniper” campaign to achieve encryption on a corporate system in less than three hours. The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who “precision-targeted the ESXi platform” in order to encrypt the virtual machines of the victim. On Tuesday, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organization. TeamViewer is a control and access platform that can be used by the general public and businesses alike to manage and control PCs and mobile devices remotely.”

Title: New Study Links Seemingly Disparate Malware Attacks to Chinese Hackers

Date Published: October 5, 2021


Excerpt: “Chinese cyber espionage group APT41 has been linked to seemingly disparate malware campaigns, according to fresh research that has mapped together additional parts of the group’s network infrastructure to hit upon a state-sponsored campaign that takes advantage of COVID-themed phishing lures to target victims in India. “The image we uncovered was that of a state-sponsored campaign that plays on people’s hopes for a swift end to the pandemic as a lure to entrap its victims,” the BlackBerry Research and Intelligence team said in a report shared with The Hacker News. “And once on a user’s machine, the threat blends into the digital woodwork by using its own customized profile to hide its network traffic”.”

Title: Challenges to Accessing Mission-Critical Data in Afghanistan Reinforces Need for Cross Domain Solutions as a Part of JADC2 Strategy

Date Published: October 5, 2021


Excerpt: “The success of each agency’s unique mission and its role in the overall JADC2 program depends on securely sharing sensitive data with trusted organizations and coalition partners. One way agencies can more quickly achieve JADC2 is with Cross Domain Solutions (CDS) that secure access and data transfers across “any-to-any” security levels and multiple networks. Our nation’s warfighters need data wherever their mission takes them, and it’s incumbent on the cybersecurity industry to remove roadblocks. Forcepoint can support JADC2 efforts with Raise the Bar-compliant Cross Domain Solutions that enable remote mission-critical access and collaboration, anywhere, anytime.”

Title: This New Android Malware Gets Full Control of Your Phone to Steal Passwords and Info

Date Published: October 5, 2021


Excerpt: “Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details. Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it’s targeting users in the US and Canada. The campaign has been detailed by cybersecurity researchers at Proofpoint who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed local power outages are about to occur.”

Title: English High Court Clarifies Appropriate Causes of Action in Data Claim Where Defendant Was a Victim of Third-Party Cyber-Attack

Date Published: October 4, 2021


Excerpt: “In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating to a cyber-security breach where the proposed defendant was itself a victim of a third-party cyber-attack. The decision has made it harder to bring free standing/non-statutory cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach, and has also brought into question how such claims may be funded going forward (particularly, via “After-the-Event insurance” (“ATE insurance”)).”

Title: The Same Flaw That Took Down Facebook Can Threaten the United States — Or Your Business

Date Published: October 5, 2021


Excerpt: “Here is where it IS NOT like Google Maps: anyone can publish new maps and directions at any time. There are no built-in security controls. On Monday Facebook told the internet via BGP that there were no routes to Facebook. No way to get there whatsoever. For Facebook, this took down their email, their internal chat and communications, even their ability to badge into their buildings. They eventually got it fixed, of course, after burning up several billion dollars of value. But this can happen to your organization — or the United States. In fact, it has.”

Title: Windows 11 Is Out. Is It Any Good for Security?

Date Published: October 5, 2021


Excerpt: “Decisions about whether to adopt Windows 11 will doubtless be impacted by the fact it won’t run on a lot of otherwise perfectly good computers. We expect this to have a chilling effect on organizations’ willingness to migrate away from Windows 10. And there are other headwinds too. These days, new Windows operating systems are rarely greeted with great enthusiasm unless they’re putting right the wrongs of a particularly disliked predecessor. The bottom line is that Windows 10 works and OS upgrades are painful, so it is difficult to imagine that anyone will conclude they need Windows 11.”

Recent Posts

July 17, 2023

Title: Thousands of Images on Docker Hub Leak Auth Secrets, Private Keys Date Published: July 16, 2023 https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/ Excerpt: “Researchers at the RWTH Aachen University...

July 14, 2023

Title: Indexing Over 15 Million WordPress Websites with PWNPress Date Published: July 14, 2023 https://securityaffairs.com/148465/hacking/pwnpress-platform.html Excerpt: “Sicuranex’s PWNPress platform indexed over 15 million WordPress websites, it collects data...

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/ Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/ Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-chain-attack/ Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 https://www.zdnet.com/article/this-badly-made-ransomware-cant-decrypt-your-files-even-if-you-pay-the-ransom/ Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 https://www.bleepingcomputer.com/news/security/sim-swapper-gets-18-months-for-involvement-in-22-million-crypto-heist/ Excerpt: “Florida man Nicholas Truglia...