November 18, 2021

Fortify Security Team

Title: Revealed: The 200 Most Used and Worst Passwords of 2021
Date Published: November 19, 2021

https://www.hackread.com/most-used-worst-passwords-of-2021/

Excerpt: “According to a report from NordPass, people haven’t yet stopped relying on done-to-death passwords such as “123456,” “12345,” “password,” and “qwerty,” while research reveals that these three are the weakest passwords nowadays and can easily make you vulnerable to hacking. The password 123456 appeared over 103 million times in NordPass’s research. The study involved around fifty countries, and researchers conducted gender comparisons to reach a fair conclusion. As many as 222,287 females used “iloveyou” as their password in the US, while 96,785 men used the same.”

Title: Uncovering Brandjacking with VirusTotal
Date Published: November 18, 2021

https://blog.virustotal.com/2021/11/uncovering-brandjacking-with-virustotal.html

Excerpt: “Malicious activity comes in all kinds of colors and flavors, sometimes abusing users’ trust by impersonating well known brands to get their private data, install malware or any other form of scam. At VirusTotal we analyze more than 3 million distinct URLs daily obtaining not only AV verdicts from more than 70 different vendors but also extracting as much data as possible including headers, cookies and HTML meta tags. This data is indexed and related to other observables we keep in our database, which is an excellent way to track malware infrastructure but also to find other forms of fraudulent activity. Indeed, many of our customers use VirusTotal daily to monitor brand abuse and fraudulent impersonation.”

Title: FBI: FatPipe VPN Zero-Day Exploited by APT for 6 Months
Date Published: November 18, 2021

https://threatpost.com/fbi-fatpipe-vpn-zero-day-exploited-apt/176453/

Excerpt: ““As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software going back to at least May 2021,” the bureau said in a flash alert (PDF) on Tuesday. The bug, patched this week, is found in the device software for FatPipe’s WARP WAN redundancy product, its MPVPN router clustering device, and its IPVPN load-balancing and reliability device for VPNs. The products are all types of servers that are installed at network perimeters and used to give employees remote access to internal apps via the internet, serving as part network gateways, part firewalls.”

Title: Russian Ransomware Gangs Start Collaborating With Chinese Hackers
Date Published: November 17, 2021

https://www.bleepingcomputer.com/news/security/russian-ransomware-gangs-start-collaborating-with-chinese-hackers/

Excerpt: “According to a new report by Flashpoint, high-ranking users and RAMP administrators are now actively attempting to communicate with new forum members in machine-translated Chinese. The forum has reportedly had at least thirty new user registrations that appear to come from China, so this could be the beginning of something notable. The researchers suggest that the most probable cause is that Russian ransomware gangs seek to build alliances with Chinese actors to launch cyber-attacks against U.S. targets, trade vulnerabilities, or even recruit new talent for their Ransomware-as-a-Service (RaaS) operations.”

Title: Conti Ransomware Group In-Depth Analysis
Date Published: November 18, 2021

https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf

Excerpt: “Ransomware attacks work by encrypting the victim’s business-critical data, rendering it inaccessible. After triggering the attack, cybercriminals will offer to sell a decryption key to the victim. If the victim doesn’t comply, they simply have to accept the catastrophic loss of their most valuable data. Some ransomware attacks use a two-pronged strategy. Attackers will demand a ransom payment for decrypting data, and threaten to publicly publish sensitive data if the ransom is not paid by a certain deadline (“Double Extortion”).”

Title: New Ransomware Actor Uses Password-protected Archives To Bypass Encryption Protection
Date Published: November 18, 2021

https://www.bleepingcomputer.com/news/security/new-memento-ransomware-switches-to-winrar-after-failing-at-encryption/

Excerpt: “A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software. Last month, the group became active when they began exploiting a VMware vCenter Server web client flaw for the initial access to victims’ networks. The vCenter vulnerability is tracked as ‘CVE-2021-21971’ and is an unauthenticated, remote code execution bug with a 9.8 (critical) severity rating.”

Title: Corporate Espionage Hackers Redcurl Return After Hiatus With Improved Tools
Date Published: November 18, 2021

https://www.cyberscoop.com/corporate-espionage-hackers-redcurl-group-ib/

Excerpt: “RedCurl’s tactical improvements after a seven-month absence include upgrades to most of its tools, such as more effective data encryption for its malware. “Corporate cyber espionage is still a relatively rare and, in many ways, unique occurrence,” Group-IB’s report reads. “However, it is possible that the group’s success could lead to a new trend in cybercrime.” Despite the rarity of corporate cyber espionage, Group-IB’s report on the RedCurl revival is the second tranche of research to be published this month alone about such groups. Trend Micro recently revealed an espionage outfit it named Void Balaur, which advertises its services under the name “Rockethack”.”

Title: CISA Publishes Cybersecurity Playbooks for FCEB Agencies
Date Published: November 18, 2021

https://heimdalsecurity.com/blog/cisa-publishes-cybersecurity-playbooks-for-fceb-agencies/

Excerpt: “On November 16, 2021, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems. The new guidance is created to help Federal Civilian Executive Branch (FCEB) Information Systems agencies adopt a standard set of incident and vulnerability response procedures. The playbooks are intended to minimize threats across the federal government, private, and public areas.”

Title: This USPS Spoof Shows Us That Phishmas is Upon Us
Date Published: November 18, 2021

https://www.avanan.com/blog/this-usps-spoof-shows-us-that-phishmas-is-upon-us

Excerpt: “The holidays are approaching, and there appears to be a shipping crunch. Due to supply chain concerns, many are worried that they won’t get their holiday gifts in time. In response to people anxiously checking tracking numbers and refreshing their emails to see the status of their goods, hackers are spoofing shipping and missed goods notification emails. Starting in November 2021, Avanan observed a credential harvesting attack in which attackers spoof the United States Postal Service to notify users of an undelivered package. In this attack brief, Avanan will analyze the company’s most recent discovery of this new spoof.”

Title: Update Now! Netgear Vulnerability Patched
Date Published: November 18, 2021

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-netgear-routers-upnp-daemon-vulnerability-patched/

Excerpt: “The specific flaw exists within the UPnP service, which listens on TCP port 5000 by default. When parsing the universally unique identifier (uuid) request header, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. The vulnerability received a CVSS score of 8.8 out of 10 because of some limiting factors. One consolation in the above is that the attacker already has to be inside the LAN to perform this attack. But once they are, the attacker can send a specially crafted header to the UPnP daemon and can remotely run code with root privileges on the affected device.”
