December 16, 2021

Fortify Security Team

Title: ‘DarkWatchman’ RAT Shows Evolution in Fileless Malware
Date Published: December 16, 2021

Excerpt: “Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.”

Title: Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
Date Published: December 16, 2021

Excerpt: “Dubbed ‘Spectra,’ the vulnerability class relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. This breaks the separation between Wi-Fi and Bluetooth to result in denial-of-service on spectrum access, information disclosure, and even enable lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. ‘The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information,’ the researchers said. ‘Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.’”

Title: State-Sponsored Hackers Abuse Slack API to Steal Airline Data
Date Published: December 15, 2021

Excerpt: “Slack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic due to its widespread deployment in the enterprise. This type of abuse is a tactic that other actors have followed in the past, so it’s not a new trick. Also, Slack isn’t the only legitimate messaging platform to be abused for relaying data and commands covertly.

In this case, the Slack API is utilized by the Aclip backdoor to send system information, files, and screenshots to the C2, while receiving commands in return. IBM researchers spotted the threat actors abusing this communication channel in March 2021 and responsibly disclosed it to Slack.”

Title: Grindr Fined for Selling User Data to Advertisers
Date Published: December 16, 2021

Excerpt: “The Norwegian Data Protection Authority (Datatilsynet), ruled that the way in which Grindr collected user consent did not meet with the regulations stipulated in the EU GDPR. And, as such, the disclosure of personal data was in breach of the Privacy Ordinance. Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.”

Title: Variant of Phorpiex Botnet Used for Cryptocurrency Attacks in Ethiopia, Nigeria, India and More
Date Published: December 16, 2021

Excerpt: “Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called ‘Twizt’ — to steal cryptocurrency through a process called ‘crypto clipping.’ Because of the length of wallet addresses, most systems copy a wallet address and allow you to simply paste it in during transactions. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address.”

Title: New Fileless Malware Uses Windows Registry as Storage to Evade Detection
Date Published: December 16, 2021

Excerpt: “The RAT ‘utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,’ researchers Matt Stafford and Sherman Smith said, adding it ‘represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.’”

Title: A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution
Date Published: December 15, 2021

Excerpt: “The target was only hacked when they clicked the link, a technique known as a one-click exploit. Recently, however, it has been documented that NSO is offering their clients zero-click exploitation technology, where even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted. In the zero-click scenario no user interaction is required, meaning the attacker doesn’t need to send phishing messages; the exploit just works silently in the background. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense.”

Title: Owowa, a Malicious IIS Server Module Used to Steal Microsoft Exchange Credentials
Date Published: December 16, 2021

Excerpt: “‘Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),’ reads the analysis published by Kaspersky. ‘When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.’”

Title: Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges
Date Published: December 15, 2021

Excerpt: “Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can ‘allow for exfiltration of sensitive data in certain circumstances.’ Additional technical details of the flaw have been withheld to prevent further exploitation, but it’s not immediately clear if this has been already addressed in version 2.16.0.”

Title: Log4j: Making the Case for Structured Hunting
Date Published: December 16, 2021

Excerpt: “The Log4j vulnerability, without a doubt, is pretty bad. This is because, as a library, it isn’t as simple as compiling a list of affected applications or operating systems. It could be in almost anything. Similarly, all the different methods of exploiting it still aren’t known. This means that the impact of this vulnerability will probably be felt by organizations for years to come. But, by taking a different approach and using threat hunting proactively, organizations can feel more confident in their ability to detect malicious activity regardless of the point of initial access.”
