December 20, 2021

Fortify Security Team

Title: Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Date Published: December 20, 2021

Excerpt: “Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch. It does have similarities, though: The new bug affects the same component as the Log4Shell bug. Both Log4Shell, tracked as CVE-2021-44228 (criticality rating of CVSS 10.0), and the new bug, tracked as CVE-2021-45105 (CVSS score: 7.5), abuse attacker-controlled lookups in logged data.”

Title: Belgian Defense Ministry Hit by Cyberattack Exploiting log4shell Bug
Date Published: December 20, 2021

Excerpt: “The attack was uncovered on Thursday and today the government disclosed it, but according to local media, the security breach blocked the ministry’s activities for several days. ‘Hackers exploited a vulnerability in software called Log4j, which was discovered earlier in December, a ministry spokesperson told local media. The ministry uncovered the attack last Thursday,’ reported Politico. At this time the Belgian defense ministry has yet to provide info regarding the attack. ‘The ministry’s teams have been working hard in the past to secure its networks,’ said a spokesperson for Belgian Defense Minister Ludivine Dedonder. To prevent similar incidents in the future, the government will continue to invest in cybersecurity.”

Title: Alleged APT Implanted a Backdoor in the Network of a US Federal Agency
Date Published: December 20, 2021

Excerpt: “Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights. The backdoor allowed the threat actors to achieve complete control over the infected networks; experts described the compromise as a ‘classic APT-type operation.’ ‘While we have no information on the impact of this attack or the actions taken by the attackers, based on our analysis of the files in question, we believe it’s reasonable to conclude that the attackers were able to intercept and possibly exfiltrate all local network traffic in this organization. This could include information exchanged with other US government agencies and other international governmental and nongovernmental organizations (NGOs) focused on international rights,’ reads the analysis published by Avast. ‘We also have indications that the attackers could run code of their choosing in the operating system’s context on infected systems, giving them complete control.’”

Title: Backdoor Gives Hackers Complete Control over Federal Agency Network
Date Published: December 16, 2021

Excerpt: “The backdoor works by replacing a normal Windows file named oci.dll with two malicious ones—one early in the attack and the other later on. The first imposter file implements WinDivert, a legitimate tool for capturing, modifying, or dropping network packets sent to or from the Windows network stack. The file allows the attackers to download and run malicious code on the infected system. Avast suspects the main purpose of the downloader is to bypass firewalls and network monitoring.”

Title: New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
Date Published: December 20, 2021

Excerpt: “Handover, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move. The routine typically works as follows: the user equipment (UE) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.”

Title: Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam
Date Published: December 20, 2021

Excerpt: “The phishers used newly created domains because they were able to pass standard email authentication (SPF, DKIM, and DMARC). Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools. Some of these attacks originated from free-mail services (e.g., Gmail, Hotmail, iCloud), which have high sender reputations. This group was also able to pass email authentication checks. Finally, there were no malicious attachments or links for email security vendors to scrutinize. Instead, the phishers socially engineered a fake request for proposal PDF attachment and instructed recipients to contact them via look-alike domains that impersonated Pfizer.”

Title: A Deep Dive into an NSO Zero-Click iMessage Exploit: Remote Code Execution
Date Published: December 15, 2021

Excerpt: “JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as JavaScript, but it’s fundamentally computationally equivalent.”

Title: The DarkWatchman Malware Was Found Hidden in Windows Registry
Date Published: December 17, 2021

Excerpt: “In terms of C2 communication and infrastructure, the DarkWatchman players produce up to 500 domains each day using DGA (domain generating algorithms) and a seeded list of ten things. This provides them with exceptional operational resilience while also making communication monitoring and analysis difficult. According to the researchers, DarkWatchman is capable of most basic RAT functionality, like executing EXE files (with or without the output returned), loading DLL files, executing commands on the command line, executing WSH commands, executing miscellaneous commands via WMI, executing PowerShell commands, evaluating JavaScript, uploading files to the C2 server from the victim machine, remotely stopping and uninstalling the RAT and Keylogger, remotely updating the C2 server address or call-home timeout.”

Title: Ukrainian War Games Test Electricity Grid
Date Published: December 20, 2021

Excerpt: “Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limits deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commits to never joining the military alliance. It warned of a military crisis in the region if its demands weren’t met. Russia has already massed 100,000 troops, alongside missiles and artillery, on its side of the border.”

Title: Ole Miss Students Charged with Cyber-Stalking
Date Published: December 17, 2021

Excerpt: “IT recruitment firm Finite Recruitment has confirmed it experienced a cyber incident in October, which resulted in a ‘small subset’ of the company’s data being downloaded and published on the dark web. The Finite Group incident response team confirmed with ZDNet that when the incident occurred, business operations were not disrupted. ‘Our security monitoring systems identified and closed down the threat quickly,’ they said. ‘Since then, remedial works have been undertaken and the business has been fully operational.’”
