December 20, 2021

Fortify Security Team
Dec 20, 2021

Title: Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Date Published: December 20, 2021

Excerpt: “Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch. It does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both the Log4Shell, tracked as CVE-2021-44228 (criticality rating of CVSS 10.0) and the new bug, tracked as CVE-2021-45105 (CVSS score: 7.5) abuse attacker-controlled lookups in logged data.”

Title: Belgian Defense Ministry Hit by Cyberattack Exploiting log4shell Bug
Date Published: December 20, 2021

Excerpt: “The attack was uncovered on Thursday and today the government disclosed it, but according to local media, the security breach blocked the ministry’s activities for several days. “Hackers exploited a vulnerability in software called Log4j, which was discovered earlier in December, a ministry spokesperson told local media. The ministry uncovered the attack last Thursday.” reported Politico. At this time the Belgian defense ministry has yet to provide info regarding the attack. “The ministry’s teams have been working hard in the past to secure its networks,” said a spokesperson for Belgian Defense Minister Ludivine Dedonder. To prevent similar incidents in the future, the government will continue to invest in cybersecurity.”

Title: Alleged APT Implanted a Backdoor in the Network of a US Federal Agency
Date Published: December 20, 2021

Excerpt: “Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights. The backdoor allowed the threat actors to achieve complete control over the infected networks; experts described the compromise as a “classic APT-type operation.” “While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights.” reads the analysis published by Avast. “We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control”.”

Title: Backdoor Gives Hackers Complete Control over Federal Agency Network
Date Published: December 16, 2021

Excerpt: “The backdoor works by replacing a normal Windows file named oci.dll with two malicious ones—one early in the attack and the other later on. The first imposter file implements WinDivert, a legitimate tool for capturing, modifying, or dropping network packets sent to or from the Windows network stack. The file allows the attackers to download and run malicious code on the infected system. Avast suspects the main purpose of the downloader is to bypass firewalls and network monitoring.”

Title: New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
Date Published: December 20, 2021

Excerpt: “Handover, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move. The routine typically works as follows: the user equipment (UE) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.”

Title: Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam
Date Published: December 20, 2021

Excerpt: “The phishers used newly created domains because they were able to pass standard email authentication (SPF, DKIM, and DMARC). Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools. Some of these attacks originated from free-mail services (e.g., Gmail, Hotmail, iCloud), which have high sender reputations. This group was also able to pass email authentication checks. Finally, there were no malicious attachments or links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake request for proposal PDF attachment and instructed recipients to contact them via look-alike domains that impersonated Pfizer.”

Title: A Deep Dive into an NSO Zero-Click Imessage Exploit: Remote Code Execution
Date Published: December 15, 2021

Excerpt: “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.”

Title: The DarkWatchman Malware Was Found Hidden in Windows Registry
Date Published: December 17, 2021

Excerpt: “In terms of C2 communication and infrastructure, the DarkWatchman players produce up to 500 domains each day using DGA (domain generating algorithms) and a seeded list of ten things. This provides them with exceptional operational resilience while also making communication monitoring and analysis difficult. According to the researchers, DarkWatchman is capable of most basic RAT functionality, like executing EXE files (with or without the output returned), loading DLL files, executing commands on the command line, executing WSH commands, executing miscellaneous commands via WMI, executing PowerShell commands, evaluating JavaScript, uploading files to the C2 server from the victim machine, remotely stopping and uninstalling the RAT and Keylogger, remotely updating the C2 server address or call-home timeout.”

Title: Ukrainian War Games Test Electricity Grid
Date Published: December 20, 2021

Excerpt: “Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limits deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commits to never joining the military alliance. It warned of a military crisis in the region if its demands weren’t met. Russia has already massed 100,000 troops, alongside missiles and artillery, on its side of the border.”

Title: Ole Miss Students Charged with Cyber-Stalking
Date Published: December 17, 2021

Excerpt: “IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a “small subset” of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. “Our security monitoring systems identified and closed down the threat quickly,” they said. “Since then, remedial works have been undertaken and the business has been fully operational”.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 Excerpt: “The duration of ransomware attacks in 2021...