November 18, 2021

Fortify Security Team
Nov 18, 2021

Title: The Art of PerSwaysion: Investigation of a Long-Lived Phishing Kit
Date Published: November 18, 2021

https://www.seclarity.io/resources/blog/the-art-of-perswaysion-phishing-kit/

Excerpt: “Concrete discussion about which vectors were used to deliver some malicious content at the beginning of an attack is something that rarely appears in threat intelligence reports. At SeclarityIO we believe that this is an underserved area that can be used to help all analysts understand tactics used repeatedly by adversaries. As we analyze more data going forward, we intend to eliminate this major blind spot. While we don’t know everything that we’d like for this report, we do still know some things about which vectors were used to deliver the kit.”

Title: China’s APT41 Manages Library of Breached Certificates
Date Published: November 18, 2021

https://www.infosecurity-magazine.com/news/chinas-apt41-manages-library/

Excerpt: “APT41 is reportedly managing a library of these certs and keys – some purchased from underground marketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself. This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates, according to Venafi. These attacks, conducted in support of China’s long-term economic, military and political goals – are often directed at the digital supply chain, allowing easy compromise of downstream customers.”

Title: Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models
Date Published: November 18, 2021

https://kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168

Excerpt: “Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system. Tracked as CVE-2021-34991 (CVSS score: 8.8), the pre-authentication buffer overflow flaw in small office and home office (SOHO) routers can lead to code execution with the highest privileges by taking advantage of an issue residing in the Universal Plug and Play (UPnP) feature that allows devices to discover each other’s presence on the same local network and open ports needed to connect to the public Internet.”

Title: Russian Ransomware Gangs Start Collaborating With Chinese Hackers
Date Published: November 17, 2021

https://www.bleepingcomputer.com/news/security/russian-ransomware-gangs-start-collaborating-with-chinese-hackers/

Excerpt: “According to a new report by Flashpoint, high-ranking users and RAMP administrators are now actively attempting to communicate with new forum members in machine-translated Chinese. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.”

Title: Redcurl Corporate Espionage Hackers Resume Attacks With Updated Tools
Date Published: November 18, 2021

https://www.bleepingcomputer.com/news/security/redcurl-corporate-espionage-hackers-resume-attacks-with-updated-tools/

Excerpt: “Researchers at cybersecurity company Group-IB noticed a seven-month gap in RedCurl’s activity, which the hackers used to add significant improvements to their set of custom tools and attack methods. Among the hacker’s latest victims is one of Russia’s largest wholesale companies, which supplies chain stores and other wholesalers with home, office, and leisure goods. For reasons that remain unknown, RedCurl attacked this company twice, gaining initial access via emails impersonating the company’s human resources department announcing bonuses and the government services portal.”

Title: Positive Technologies Discovers Vulnerability in Intel Processors used in Laptops, Cars and Other Devices
Date Published: November 15, 2021

https://www.ptsecurity.com/ww-en/about/news/positive-technologies-discovers-vulnerability-in-intel-processors-used-in-laptops-cars-and-other-devices/

Excerpt: “This problem has been discovered in the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms, which are used in both mobile devices and embedded systems. The threat affects a wide range of ultra-mobile netbooks and a significant base of Intel-based Internet of Things (IoT) systems, from home appliances and smart home systems to cars and medical equipment. According to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla’s Model 3.”

Title: Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
Date Published: November 18, 2021

https://www.proofpoint.com/us/blog/threat-insight/triple-threat-north-korea-aligned-ta406-scams-spies-and-steals

Excerpt: “This report also examines campaign timing and targeting by TA406, and it provides a look into how TA406 conducts phishing campaigns, including the tools and services used. TA406 employs both malware and credential harvesting in espionage and information-gathering campaigns. This report details several examples of each, including different types of credential collection and two implants used by TA406 that haven’t been discussed before in open-source reporting. And finally, like all other North Korean state-sponsored actors that Proofpoint tracks, we provide evidence that TA406 conducts financially motivated campaigns, including the targeting of cryptocurrency and sextortion.”

Title: Evolving Trends in Iranian Threat Actor Activity – MSTIC Presentation at Cyberwarcon 2021
Date Published: November 16, 2021

https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/

Excerpt: “PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.”

Title: Tech CEO Pleads to Wire Fraud in IP Address Scheme
Date Published: November 17, 2021

https://krebsonsecurity.com/2021/11/tech-ceo-pleads-to-wire-fraud-in-ip-address-scheme/

Excerpt: “ARIN said they wanted the addresses back because the company and its owner — 38-year-old Amir Golestan — had obtained them under false pretenses. A global shortage of IPv4 addresses has massively driven up the price of these resources over the years: At the time of this dispute, a single IP address could fetch between $15 and $25 on the open market. Micfo responded by suing ARIN to try to stop the IP address seizure. Ultimately, ARIN and Micfo settled the dispute in arbitration, with Micfo returning most of the addresses that it hadn’t already sold. But the legal tussle caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same.”

Title: CISA Releases Incident and Vulnerability Response Playbooks to Strengthen Cybersecurity for Federal Civilian Agencies
Date Published: November 17, 2021

https://www.darkreading.com/attacks-breaches/cisa-releases-incident-and-vulnerability-response-playbooks-to-strengthen-cybersecurity-for-federal-civilian-agencies-

Excerpt: “WASHINGTON–Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Produced in accordance with Executive Order 14028,“Improving the Nation’s Cybersecurity,” the playbooks provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch networks.”

Recent Posts

May 6, 2022

Title: Google Docs Crashes on Seeing "And. And. And. And. And." Date Published: May 6, 2022 https://www.bleepingcomputer.com/news/technology/google-docs-crashes-on-seeing-and-and-and-and-and/ Excerpt: “A bug in Google Docs is causing it to crash when a series of words...

May 5, 2022

Title: Tor Project Upgrades Network Speed Performance with New System Date Published: May 5, 2022 https://www.bleepingcomputer.com/news/security/tor-project-upgrades-network-speed-performance-with-new-system/ Excerpt: “The Tor Project has published details about a...

May 3, 2022

Title: Aruba and Avaya Network Switches are Vulnerable to RCE Attacks Date Published: May 3, 2022 https://www.bleepingcomputer.com/news/security/aruba-and-avaya-network-switches-are-vulnerable-to-rce-attacks/ Excerpt: “Security researchers have discovered five...

May 2, 2022

Title: U.S. DoD Tricked into Paying $23.5 Million to Phishing Actor Date Published: May 2, 2022 https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/ Excerpt: “The U.S. Department of Justice (DoJ) has announced the...

April 29, 2022

Title: EmoCheck now Detects New 64-bit Versions of Emotet Malware Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-bit-versions-of-emotet-malware/ Excerpt: “The Japan CERT has released a new version of their...

April 28, 2022

Title: New Bumblebee Malware Takes Over BazarLoader's Ransomware Delivery Date Published: April 28, 2022 https://www.bleepingcomputer.com/news/security/new-bumblebee-malware-takes-over-bazarloaders-ransomware-delivery/ Excerpt: “A newly discovered malware loader...

April 27, 2022

Title: Chinese State-Backed Hackers now Target Russian State Officers Date Published: April 27, 2022 https://www.bleepingcomputer.com/news/security/chinese-state-backed-hackers-now-target-russian-state-officers/ Excerpt: “Security researchers analyzing a phishing...