November 18, 2021

Fortify Security Team
Nov 18, 2021

Title: The Art of PerSwaysion: Investigation of a Long-Lived Phishing Kit
Date Published: November 18, 2021

Excerpt: “Concrete discussion about which vectors were used to deliver some malicious content at the beginning of an attack is something that rarely appears in threat intelligence reports. At SeclarityIO we believe that this is an underserved area that can be used to help all analysts understand tactics used repeatedly by adversaries. As we analyze more data going forward, we intend to eliminate this major blind spot. While we don’t know everything that we’d like for this report, we do still know some things about which vectors were used to deliver the kit.”

Title: China’s APT41 Manages Library of Breached Certificates
Date Published: November 18, 2021

Excerpt: “APT41 is reportedly managing a library of these certs and keys – some purchased from underground marketplaces, some obtained from other Chinese attack groups and some stolen by APT41 itself. This shared resource allows members of the group to select the appropriate certificate for their needs, “dramatically” improving success rates, according to Venafi. These attacks, conducted in support of China’s long-term economic, military and political goals – are often directed at the digital supply chain, allowing easy compromise of downstream customers.”

Title: Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models
Date Published: November 18, 2021

Excerpt: “Networking equipment company Netgear has released yet another round of patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system. Tracked as CVE-2021-34991 (CVSS score: 8.8), the pre-authentication buffer overflow flaw in small office and home office (SOHO) routers can lead to code execution with the highest privileges by taking advantage of an issue residing in the Universal Plug and Play (UPnP) feature that allows devices to discover each other’s presence on the same local network and open ports needed to connect to the public Internet.”

Title: Russian Ransomware Gangs Start Collaborating With Chinese Hackers
Date Published: November 17, 2021

Excerpt: “According to a new report by Flashpoint, high-ranking users and RAMP administrators are now actively attempting to communicate with new forum members in machine-translated Chinese. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.”

Title: RedCurl Corporate Espionage Hackers Resume Attacks With Updated Tools
Date Published: November 18, 2021

Excerpt: “Researchers at cybersecurity company Group-IB noticed a seven-month gap in RedCurl’s activity, which the hackers used to add significant improvements to their set of custom tools and attack methods. Among the hackers’ latest victims is one of Russia’s largest wholesale companies, which supplies chain stores and other wholesalers with home, office, and leisure goods. For reasons that remain unknown, RedCurl attacked this company twice, gaining initial access via emails impersonating the company’s human resources department announcing bonuses and the government services portal.”

Title: Positive Technologies Discovers Vulnerability in Intel Processors used in Laptops, Cars and Other Devices
Date Published: November 15, 2021

Excerpt: “This problem has been discovered in the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms, which are used in both mobile devices and embedded systems. The threat affects a wide range of ultra-mobile netbooks and a significant base of Intel-based Internet of Things (IoT) systems, from home appliances and smart home systems to cars and medical equipment. According to a study by Mordor Intelligence, Intel ranks fourth in the IoT chip market, while its Intel Atom E3900 series IoT processors, which also contain the CVE-2021-0146 vulnerability, are used by car manufacturers in more than 30 models, including, according to unofficial sources, in Tesla’s Model 3.”

Title: Triple Threat: North Korea-Aligned TA406 Scams, Spies, and Steals
Date Published: November 18, 2021

Excerpt: “This report also examines campaign timing and targeting by TA406, and it provides a look into how TA406 conducts phishing campaigns, including the tools and services used. TA406 employs both malware and credential harvesting in espionage and information-gathering campaigns. This report details several examples of each, including different types of credential collection and two implants used by TA406 that haven’t been discussed before in open-source reporting. And finally, like all other North Korean state-sponsored actors that Proofpoint tracks, we provide evidence that TA406 conducts financially motivated campaigns, including the targeting of cryptocurrency and sextortion.”

Title: Evolving Trends in Iranian Threat Actor Activity – MSTIC Presentation at Cyberwarcon 2021
Date Published: November 16, 2021

Excerpt: “PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.”

Title: Tech CEO Pleads to Wire Fraud in IP Address Scheme
Date Published: November 17, 2021

Excerpt: “ARIN said they wanted the addresses back because the company and its owner — 38-year-old Amir Golestan — had obtained them under false pretenses. A global shortage of IPv4 addresses has massively driven up the price of these resources over the years: At the time of this dispute, a single IP address could fetch between $15 and $25 on the open market. Micfo responded by suing ARIN to try to stop the IP address seizure. Ultimately, ARIN and Micfo settled the dispute in arbitration, with Micfo returning most of the addresses that it hadn’t already sold. But the legal tussle caught the attention of South Carolina U.S. Attorney Sherri Lydon, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same.”

Title: CISA Releases Incident and Vulnerability Response Playbooks to Strengthen Cybersecurity for Federal Civilian Agencies
Date Published: November 17, 2021

Excerpt: “WASHINGTON–Today, the Cybersecurity and Infrastructure Security Agency (CISA) released the Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Produced in accordance with Executive Order 14028, “Improving the Nation’s Cybersecurity,” the playbooks provide federal civilian agencies with a standard set of procedures to respond to vulnerabilities and incidents impacting Federal Civilian Executive Branch networks.”
