November 17, 2021

Fortify Security Team

Title: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Date Published: November 17, 2021

Excerpt: “The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess that the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion. This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity. The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.”

Title: An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software
Date Published: November 17, 2021

Excerpt: “As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors. This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.”

Title: How Triggers May Significantly Affect the Amount of Memory Allocated to Your MySQL Server
Date Published: November 17, 2021

Excerpt: “MySQL stores active table descriptors in a special memory buffer called the table open cache. This buffer is controlled by configuration variables table_open_cache that hold the maximum number of table descriptors that MySQL should store in the cache, and table_open_cache_instances that stores the number of the table cache instances. With default values of table_open_cache=4000 and table_open_cache_instances=16, MySQL will create 16 independent memory buffers that will store 250 table descriptors each. These table cache instances could be accessed concurrently, allowing DML to use cached table descriptors without locking each other.”

Title: Fake Ransomware Infection Spooks Website Owners
Date Published: November 15, 2021

Excerpt: “Starting at the beginning of 2016 we saw some examples of website files themselves being encrypted by attackers with a ransom being demanded, which we wrote about on our blog at the time. This was pretty short lived, however. Attackers always go after the money to maximise their profits. We can only presume that targeting websites wasn’t terribly profitable and was best for them to go after endpoints, businesses and organisations. It’s also much more common for website owners to have backups handy, rendering the entire attack moot.”

Title: Threat Actors Offer Millions for Zero-days, Developers Talk of Exploit-as-A-service
Date Published: November 17, 2021

Excerpt: “Completing a big sale, though, is not easy and may take a long time. If it takes too long, developers may lose the chance to make big money because competitors may come up with an exploit variant, dragging down the price. For this reason, cybercriminals are now discussing an “exploit-as-a-service” solution that would allow exploit developers to rent out a zero-day exploit to multiple parties. This alternative could generate huge profits to zero-day exploit developers, while they wait for a definitive buyer, the researchers say.”

Title: Space Cyber Wargame Exposes Satellite Industry Risks
Date Published: November 17, 2021

Excerpt: “The Space Information Sharing and Analysis Center (Space-ISAC) said the results of the event — which played out at the American Institute of Aeronautics and Astronautics’ ASCEND space technology conference — will shape how the group builds its 24-hour watch center slated to open next year. The wargame also helped to “practice and exercise the muscle movements that are required in order to execute this [information-sharing] mission,” said Space-ISAC executive director Erin Miller. The tabletop exercise highlighted vulnerabilities in critical space equipment as off-the-shelf enterprise software became the norm in an industry long dominated by boutique software and tailor-made installations.”

Title: Organizations More Susceptible to Ransomware Attacks During Weekends and Holidays
Date Published: November 17, 2021

Excerpt: “This lack of preparedness has a significant impact on the capabilities of security teams. For example, over two-fifths (43%) of respondents said they required more time to mount an effective response, and close to a third (31%) indicated they need more time to fully recover from an attack over weekend and holiday periods. This is despite 89% confirming they are concerned about attacks taking place during these times. In another worrying finding from the report, 71% of security professionals surveyed admitted they have been intoxicated while responding to a ransomware attack on a weekend or holiday. Additionally, over nine in 10 (91%) reported missing a holiday or weekend activity because of a ransomware attack.”

Title: Emotet Returns
Date Published: November 16, 2021

Excerpt: “Back in January 2021, law enforcement and judicial authorities worldwide took down the Emotet botnet. Although some Emotet emails still went out in the weeks after that, those were remnants from the inactive botnet infrastructure. We hadn’t seen any new Emotet since then. But on Monday 2021-11-15, we saw indicators that Emotet had returned. This diary reviews activity from a recent Emotet infection. We found some emails from a newly-revived Emotet botnet on Monday 2021-11-15 that have one of three types of attachments: Microsoft Excel spreadsheet, Microsoft Word document, or password-protected zip archive (password: BMIIVYHZ) containing a Word document.”

Title: DDoS Attacks Surge 35% in Q3 as VoIP is Targeted
Date Published: November 17, 2021

Excerpt: “Security experts have warned of a surge in distributed denial of service (DDoS) attacks in the third quarter, with quantity, size and complexity all increasing in the period. The findings come from Lumen’s Q3 DDoS Report, which revealed that the firm mitigated 35% more attacks in the quarter than Q2 2021. The vendor claimed that the largest bandwidth attack it tackled during the period was 612 Gbps — a 49% increase over Q2. The largest packet rate-based attack scrubber was 252 Mbps — a 91% increase. Lumen said the longest attack on a customer lasted two weeks, highlighting the potentially crippling impact DDoS can have on an organization. Among the 500 largest attacks, the most frequently attacked verticals were telecoms and software/technology, followed by retail.”

Title: Strategic Web Compromises in the Middle East With a Pinch of Candiru
Date Published: November 16, 2021

Excerpt: “Our curiosity was aroused by the nature of the targeted website and in the following weeks we noticed that other websites with connections to the Middle East started to be targeted. We traced the start of the campaign back to March 2020, when the piwiks[.]com domain was re-registered. We believe that the strategic web compromises only started in April 2020 when the website of the Middle East Eye (middleeasteye[.]net), a London-based digital news site covering the region, started to inject code from the piwiks[.]com domain.”
