December 20, 2021

Fortify Security Team

Title: Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Date Published: December 20, 2021

https://threatpost.com/third-log4j-bug-dos-apache-patch/177159/

Excerpt: “Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch. It does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both the Log4Shell, tracked as CVE-2021-44228 (criticality rating of CVSS 10.0) and the new bug, tracked as CVE-2021-45105 (CVSS score: 7.5) abuse attacker-controlled lookups in logged data.”

Title: Belgian Defense Ministry Hit by Cyberattack Exploiting Log4Shell Bug
Date Published: December 20, 2021

https://securityaffairs.co/wordpress/125813/cyber-warfare-2/belgian-defense-ministry-hit-cyberattack.html

Excerpt: “The attack was uncovered on Thursday and today the government disclosed it, but according to local media, the security breach blocked the ministry’s activities for several days. “Hackers exploited a vulnerability in software called Log4j, which was discovered earlier in December, a ministry spokesperson told local media. The ministry uncovered the attack last Thursday.” reported Politico. At this time the Belgian defense ministry has yet to provide info regarding the attack. “The ministry’s teams have been working hard in the past to secure its networks,” said a spokesperson for Belgian Defense Minister Ludivine Dedonder. To prevent similar incidents in the future, the government will continue to invest in cybersecurity.”

Title: Alleged APT Implanted a Backdoor in the Network of a US Federal Agency
Date Published: December 20, 2021

https://securityaffairs.co/wordpress/125807/apt/backdoor-implanted-on-us-federal-agency-network.html

Excerpt: “Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights. The backdoor allowed the threat actors to achieve complete control over the infected networks; experts described the compromise as a “classic APT-type operation.” “While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights.” reads the analysis published by Avast. “We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control”.”

Title: Backdoor Gives Hackers Complete Control over Federal Agency Network
Date Published: December 16, 2021

https://arstechnica.com/information-technology/2021/12/us-federal-agency-fails-to-respond-to-reports-it-has-been-backdoored/

Excerpt: “The backdoor works by replacing a normal Windows file named oci.dll with two malicious ones—one early in the attack and the other later on. The first imposter file implements WinDivert, a legitimate tool for capturing, modifying, or dropping network packets sent to or from the Windows network stack. The file allows the attackers to download and run malicious code on the infected system. Avast suspects the main purpose of the downloader is to bypass firewalls and network monitoring.”

Title: New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
Date Published: December 20, 2021

https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html

Excerpt: “Handover, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move. The routine typically works as follows: the user equipment (UE) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.”

Title: Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam
Date Published: December 20, 2021

https://www.inky.com/blog/fresh-phish-phishers-impersonate-pfizer-in-request-for-quotation-scam

Excerpt: “The phishers used newly created domains because they were able to pass standard email authentication (SPF, DKIM, and DMARC). Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools. Some of these attacks originated from free-mail services (e.g., Gmail, Hotmail, iCloud), which have high sender reputations. This group was also able to pass email authentication checks. Finally, there were no malicious attachments or links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake request for proposal PDF attachment and instructed recipients to contact them via look-alike domains that impersonated Pfizer.”

Title: A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution
Date Published: December 15, 2021

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

Excerpt: “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

Title: The DarkWatchman Malware Was Found Hidden in Windows Registry
Date Published: December 17, 2021

https://heimdalsecurity.com/blog/the-darkwatchman-malware-was-found-hidden-in-windows-registry/

Excerpt: “In terms of C2 communication and infrastructure, the DarkWatchman players produce up to 500 domains each day using DGA (domain generating algorithms) and a seeded list of ten things. This provides them with exceptional operational resilience while also making communication monitoring and analysis difficult. According to the researchers, DarkWatchman is capable of most basic RAT functionality, like executing EXE files (with or without the output returned), loading DLL files, executing commands on the command line, executing WSH commands, executing miscellaneous commands via WMI, executing PowerShell commands, evaluating JavaScript, uploading files to the C2 server from the victim machine, remotely stopping and uninstalling the RAT and Keylogger, remotely updating the C2 server address or call-home timeout.”

Title: Ukrainian War Games Test Electricity Grid
Date Published: December 20, 2021

https://www.infosecurity-magazine.com/news/ukrainian-war-games-electricity/

Excerpt: “Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limits deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commits to never joining the military alliance. It warned of a military crisis in the region if its demands weren’t met. Russia has already massed 100,000 troops, alongside missiles and artillery, on its side of the border.”

Title: Ole Miss Students Charged with Cyber-Stalking
Date Published: December 17, 2021

https://www.infosecurity-magazine.com/news/ole-miss-charged-cyber-stalking/

Excerpt: “IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational”.”
