December 16, 2021

Fortify Security Team

Title: ‘DarkWatchman’ RAT Shows Evolution in Fileless Malware
Date Published: December 16, 2021

https://threatpost.com/darkwatchman-rat-evolution-fileless-malware/177091/

Excerpt: “Dubbed DarkWatchman, the RAT – discovered by researchers at Prevailion’s Adversarial Counterintelligence Team (PACT) – uses the registry on Windows systems for nearly all temporary storage on a machine and thus never writes anything to disk. This allows it “to operate beneath or around the detection threshold of most security tools,” PACT researchers Matt Stafford and Sherman Smith wrote in a report published late Tuesday.”

Title: Researchers Uncover New Coexistence Attacks On Wi-Fi and Bluetooth Chips
Date Published: December 16, 2021

https://thehackernews.com/2021/12/researchers-uncover-new-coexistence.html

Excerpt: “Dubbed “Spectra,” the vulnerability class relies on the fact that transmissions happen in the same spectrum and wireless chips need to arbitrate the channel access. This breaks the separation between Wi-Fi and Bluetooth to result in denial-of-service on spectrum access, information disclosure, and even enable lateral privilege escalations from a Bluetooth chip to code execution on a Wi-Fi chip. “The Wi-Fi chip encrypts network traffic and holds the current Wi-Fi credentials, thereby providing the attacker with further information,” the researchers said. “Moreover, an attacker can execute code on a Wi-Fi chip even if it is not connected to a wireless network.””

Title: State-Sponsored Hackers Abuse Slack API to Steal Airline Data
Date Published: December 15, 2021

https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-abuse-slack-api-to-steal-airline-data/

Excerpt: “Slack is an ideal platform for concealing malicious communications as the data can blend well with regular business traffic due to its widespread deployment in the enterprise. This type of abuse is a tactic that other actors have followed in the past, so it’s not a new trick. Also, Slack isn’t the only legitimate messaging platform to be abused for relaying data and commands covertly.

In this case, the Slack API is utilized by the Aclip backdoor to send system information, files, and screenshots to the C2, while receiving commands in return. IBM researchers spotted the threat actors abusing this communication channel in March 2021 and responsibly disclosed it to Slack.”

Title: Grindr Fined for Selling User Data to Advertisers
Date Published: December 16, 2021

https://blog.malwarebytes.com/reports/2021/12/grindr-fined-for-selling-user-data-to-advertisers/

Excerpt: “The Norwegian Data Protection Authority (Datatilsynet), ruled that the way in which Grindr collected user consent did not meet with the regulations stipulated in the EU GDPR. And, as such, the disclosure of personal data was in breach of the Privacy Ordinance. Users had to accept the privacy statement in its entirety to use the app, and they were not specifically asked if they would consent to disclosure to third parties for marketing purposes. In addition, information about the disclosure of personal information was not clear or accessible enough to users.”

Title: Variant of Phorpiex Botnet Used for Cryptocurrency Attacks in Ethiopia, Nigeria, India and More
Date Published: December 16, 2021

https://www.zdnet.com/article/variant-of-phorpiex-botnet-used-for-cryptocurrency-attacks-in-ethopia-nigeria-and-india/

Excerpt: “Check Point Research has discovered new attacks targeting cryptocurrency users in Ethiopia, Nigeria, India and 93 other countries. The cybercriminals behind the attacks are using a variant of the Phorpiex botnet — which CheckPoint called “Twizt” — to steal cryptocurrency through a process called “crypto clipping.” Because of the length of wallet addresses, most systems copy a wallet address and allow you to simply paste it in during transactions. With Twizt, cybercriminals have been able to substitute the intended wallet address with the threat actor’s wallet address.”

Title: New Fileless Malware Uses Windows Registry as Storage to Evade Detection
Date Published: December 16, 2021

https://thehackernews.com/2021/12/new-fileless-malware-uses-windows.html

Excerpt: “The RAT “utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation,” researchers Matt Stafford and Sherman Smith said, adding it “represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools.””

Title: A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution
Date Published: December 15, 2021

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

Excerpt: “The target was only hacked when they clicked the link, a technique known as a one-click exploit. Recently, however, it has been documented that NSO is offering their clients zero-click exploitation technology, where even very technically savvy targets who might not click a phishing link are completely unaware they are being targeted. In the zero-click scenario no user interaction is required. Meaning, the attacker doesn’t need to send phishing messages; the exploit just works silently in the background. Short of not using a device, there is no way to prevent exploitation by a zero-click exploit; it’s a weapon against which there is no defense.”

Title: Owowa, a Malicious IIS Server Module Used to Steal Microsoft Exchange Credentials
Date Published: December 16, 2021

https://securityaffairs.co/wordpress/125682/hacking/owowa-malicious-iis-server-module-used-to-steal-microsoft-exchange-credentials.html

Excerpt: “Owowa is a C#-developed .NET v4.0 assembly that is intended to be loaded as a module within an IIS web server that also exposes Exchange’s Outlook Web Access (OWA),” reads the analysis published by Kaspersky. “When loaded this way, Owowa will steal credentials that are entered by any user in the OWA login page, and will allow a remote operator to run commands on the underlying server.”

Title: Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges
Date Published: December 15, 2021

https://thehackernews.com/2021/12/hackers-begin-exploiting-second-log4j.html

Excerpt: “Even more troublingly, researchers at security firm Praetorian warned of a third separate security weakness in Log4j version 2.15.0 that can “allow for exfiltration of sensitive data in certain circumstances.” Additional technical details of the flaw have been withheld to prevent further exploitation, but it’s not immediately clear if this has been already addressed in version 2.16.0.”

Title: Log4j: Making the Case for Structured Hunting
Date Published: December 16, 2021

https://cyborgsecurity.medium.com/log4j-making-the-case-for-structured-hunting-49f18c59d31b

Excerpt: “The Log4j vulnerability, without a doubt, is pretty bad. This is because, as a library, it isn’t as simple as compiling a list of affected applications or operating systems. It could be in almost anything. Similarly, all the different methods of exploiting it still aren’t known. This means that the impact of this vulnerability will probably be felt by organizations for years to come. But, by taking a different approach and using threat hunting proactively, organizations can feel more confident in their ability to detect malicious activity regardless of the point of initial access.”
