OSN October 6, 2021

Fortify Security Team
Oct 6, 2021

Title: Patch Apache HTTP Servers Now to Avoid Zero Day Exploit
Date Published: October 6, 2021

https://www.infosecurity-magazine.com/news/patch-apache-http-servers-now-zero/

Excerpt: “CVE-2021-41773 is described as a path traversal flaw in version 2.4.49, which was itself only released a few weeks ago. “An attacker could use a path traversal attack to map URLs to files outside the expected document root,” a description of the bug noted. “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.” According to Sonatype senior security researcher, Ax Sharma, there are around 112,000 Apache servers across the globe running version 2.4.49, two-fifths of which are located in the US. He argued that the new zero-day exploit highlights that, even when a vendor releases patches, they may subsequently be bypassed.”
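The traversal described above works because Apache 2.4.49 checked request paths for `..` before percent-decoding them, so a segment written as `.%2e` (which decodes to `..`) slipped past path normalisation. The following Python script is an added example, not code from the article or from the Apache project: it parses access-log lines in Apache's combined format, fully percent-decodes each request target, and flags requests whose decoded path climbs above the document root. The log lines are constructed for the example, and the `/bin/sh` request mirrors the shape of the publicly reported CGI variant of the same bug; the function and variable names are this example's own.

```python
"""Scan Apache access-log lines for CVE-2021-41773-style path traversal.

Added example; the log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (assumption: default LogFormat).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Oct/2021:10:01:13 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1873 "-" "curl/7.79.1"
198.51.100.7 - - [06/Oct/2021:10:02:40 +0000] "GET /icons/../index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Oct/2021:10:02:41 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 56 "-" "curl/7.79.1"
192.0.2.9 - - [06/Oct/2021:10:03:00 +0000] "GET /docs/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 199 "-" "python-requests/2.26"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded dots (%252e, %%32%65) decode too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    return s


def classify_target(target: str):
    """Return (escapes_docroot, uses_encoded_dots) for one request target.

    escapes_docroot:   after decoding, '..' segments climb above '/'.
    uses_encoded_dots: a segment only becomes '.' or '..' once decoded, which is
                       the form that bypassed 2.4.49's pre-decoding '..' check.
    """
    path = target.split('?', 1)[0]
    uses_encoded_dots = any(
        decode_fully(seg) in ('.', '..') and decode_fully(seg) != seg
        for seg in path.split('/')
    )
    depth = 0
    escapes = False
    for seg in decode_fully(path).split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:          # went above the document root
                escapes = True
        elif seg and seg != '.':
            depth += 1
    return escapes, uses_encoded_dots


def scan_log(text: str):
    """Return one finding dict per request whose decoded path escapes the docroot."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        escapes, encoded = classify_target(m['target'])
        if not escapes:
            continue
        findings.append({
            'ip': m['ip'],
            'method': m['method'],
            'decoded_path': decode_fully(m['target'].split('?', 1)[0]),
            'status': int(m['status']),
            'encoded_dots': encoded,
            # A 200 means the server served the target: treat as a likely success,
            # while a 403 indicates an access-control rule (e.g. Require all denied) held.
            'likely_succeeded': m['status'] == '200',
        })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the script reports three findings: the two `.%2e` requests that returned 200 (one reading `/etc/passwd`, one POSTing to `/bin/sh` through `cgi-bin`) and the `%2e%2e` request that was refused with 403. The plain `/icons/../index.html` line is not reported because it never leaves the document root; Apache normalises that form itself. A 403 on such a request is what a `Require all denied` rule on the filesystem root produces, which is the mitigation the excerpt refers to; it limits what the traversal can read but does not remove the bug, so the actual fix is to move off 2.4.49.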

Title: Ransomware Law Would Require Victims to Disclose Ransom Payments Within 48 Hours
Date Published: October 6, 2021

https://www.zdnet.com/article/ransomware-law-would-require-victims-to-disclose-ransom-payments-within-48-hours/

Excerpt: “Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she added. Currently, the Ransomware Disclosure Act is just a proposal. In order to become legislation it will have to be approved by both the House of Representatives and the Senate before it could be signed into law by President Biden.”

Title: Emerging Trends From a Year of Cybersecurity Threats
Date Published: October 6, 2021

https://blogs.cisco.com/security/emerging-trends-from-a-year-of-cybersecurity-threats

Excerpt: “Usernames and passwords have never been a particularly secure mechanism of verifying users’ identities. Users are prone to disclosing their usernames and passwords in response to the socially engineered cues of phishing attacks. Studies have shown that users will even willingly disclose their password in return for a chocolate treat. The continued use of legacy systems, poor choices in system implementation, or bad hashing algorithms has also allowed attackers to collect vast numbers of usernames and plaintext password pairs.”

Title: 150 Million Google User Accounts Will Automatically Be Enrolled Into 2FA
Date Published: October 5, 2021

https://heimdalsecurity.com/blog/150-million-google-user-accounts-will-automatically-be-enrolled-into-2fa/

Excerpt: “When 2SV is enabled on a Google Account and a user signs in with the proper username and password, they are prompted to provide an extra form of verification to confirm they are the account owner. A code from an authenticator app or SMS text, Google Prompt, a hardware security key, such as a Yubikey or Google Titan, or even an iOS device can be used for this extra verification. As reported by BleepingComputer, Google stated that by the end of the year, 150 million additional Google Accounts would be automatically enrolled in 2SV.”

Title: Atom Silo Uses DLL Side-Loading to Deploy Ransomware
Date Published: October 6, 2021

https://www.infosecurity-magazine.com/news/atom-silo-dll-ransomware/

Excerpt: “Security researchers have warned of a new ransomware variant leveraging a recently disclosed vulnerability for initial access and going to great lengths to evade detection. Atom Silo is almost identical to the LockFile ransomware spotted spreading earlier this year by exploiting PetitPotam and ProxyShell vulnerabilities in Microsoft products, according to Sophos. However, in Atom Silo’s case, the variant exploited a vulnerability in Atlassian’s Confluence collaboration software made public just three weeks before the attack. Interestingly, the researchers discovered that a separate threat actor had exploited the same bug to deploy a coinminer (also called a cryptocurrency miner) on the victim organization’s system.”

Title: Multiple Critical Flaws Discovered in Honeywell Experion PKS and ACE Controllers
Date Published: October 6, 2021

https://thehackernews.com/2021/10/multiple-critical-flaws-discovered-in.html

Excerpt: “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an advisory regarding multiple security vulnerabilities affecting all versions of Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions. “A Control Component Library (CCL) may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller,” Honeywell noted in an independent security notification published earlier this February. Credited with discovering and reporting the flaws are Rei Henigman and Nadav Erez of industrial cybersecurity firm Claroty.”

Title: UK Newspaper the Telegraph Exposed a 10TB Database With Subscriber Data
Date Published: October 6, 2021

https://securityaffairs.co/wordpress/123020/data-breach/the-telegraph-data-leak.html

Excerpt: “Evidence suggests the data was left unprotected for about three weeks, since September 1st. We do not know if any unauthorized parties accessed it during that time, but our honeypot experiments show attackers can find and steal data from unprotected databases in just a few hours after they’re exposed.” “The data was generated from an internal logging server for The Telegraph.co.uk website.” wrote Diachenko. “The instance was indexed on specialized search engines on September 1, 2021, so the period of exposure is at least three weeks. That’s plenty of time for attackers and automated scanners to find the exposed database and exfiltrate the contained data.”

Title: LANTENNA Attack Allows Exfiltrating Data From Air-Gapped Systems via Ethernet Cables
Date Published: October 6, 2021

https://securityaffairs.co/wordpress/123008/hacking/lantenna-attack-exfiltration-technique.html

Excerpt: “LANTENNA – a new type of electromagnetic attack allowing adversaries to leak sensitive data from isolated, air-gapped networks. Malicious code in air-gapped computers gathers sensitive data and then encodes it over radio waves emanating from the Ethernet cables, using them as antennas. A nearby receiving device can intercept the signals wirelessly, decode the data, and send it to the attacker.” reads the paper published by the researchers. “Notably, the malicious code can run in an ordinary user-mode process and successfully operate from within a virtual machine.”

Title: Mandiant Tackles Ransomware and Breaches With New Tools
Date Published: October 5, 2021

https://www.darkreading.com/dr-tech/mandiant-tackles-ransomware-and-breaches-with-new-tools

Excerpt: “Mandiant announced two new Mandiant Advantage services to fight ransomware and data breaches during the annual Cyber Defense Summit. The new software-as-a-service offerings — Active Breach & Intel Monitoring and Ransomware Defense Validation — allow enterprise security teams to detect the presence of active Indicators of Compromise in their environments and test their defenses against ransomware attacks.”

Title: Hong Kong Firm Becomes Latest Marketing Company Hit With REvil Ransomware
Date Published: October 5, 2021

https://www.zdnet.com/article/hong-kong-firm-becomes-latest-marketing-company-hit-with-revil-ransomware/

Excerpt: “Their website is currently down, and there was no response to ZDNet requests for comment. Matt Lane, CEO of UK-based cybersecurity firm X Cyber Group, said his team routinely “scrutinizes the activities of cybercriminals for evidence of their behaviors” as a way to protect clients and customers. On Tuesday, they discovered that REvil had breached Fimmick’s databases and claimed to have data from a number of global brands. Lane shared screenshots showing REvil’s threatening posts toward Fimmick that included information stolen from the company’s website.”
