December 22, 2021

Fortify Security Team

Title: Four Bugs in Microsoft Teams Left Platform Vulnerable Since March

Date Published: December 22, 2021

Excerpt: “Two of the four bugs discovered affected Microsoft Teams being used on any device and allow for server-side request forgery (SSRF) and spoofing, researchers said. The other two—dubbed “IP Address Leak” and “Denial of Service aka Message of Death” by researchers—affect only Android users. The SSRF vulnerability allowed researchers to leak information from Microsoft’s local network and was discovered when Bräunlein tested the /urlp/v1/url/info endpoint for SSRF, he said.”

Title: 2easy Now a Significant Dark Web Marketplace for Stolen Data

Date Published: December 21, 2021

Excerpt: “A dark web marketplace named ‘2easy’ is becoming a significant player in the sale of stolen data “Logs” harvested from roughly 600,000 devices infected with information-stealing malware. “Logs” are archives of data stolen from compromised web browsers or systems using malware, and their most important aspect is that they commonly include account credentials, cookies, and saved credit cards. 2easy launched in 2018 and has experienced rapid growth since last year when it only sold data from 28,000 infected devices and was considered a minor player.”

Title: Major Services Including Slack, AWS, Hulu, Imgur Facing Outages

Date Published: December 22, 2021

Excerpt: “Users are receiving errors when sending or editing messages on Slack, such as: “Couldn’t send message. Your message, along with any files and attachments, has been saved to your drafts,” or “Sorry, something went wrong with editing your message. Try again in a moment.” currently investigating the issue and will provide a status update once we have more information,” Slack has confirmed, with its status page continuing to show further disruptions.”

Title: Ghana Govt Agency Exposed 700k Citizens’ Data in a Database Mess Up

Date Published: December 22, 2021

Excerpt: “NSS is basically a government program that manages a compulsory year of public service for Ghana-based graduates from specific educational institutions. Thousands of students join this program every year to work in different public sectors such as healthcare. Data of at least 700,000 individuals was exposed in this breach, making the individuals vulnerable to fraud, identity theft, and hacking scams. Moreover, those working at the government agency have also become vulnerable to various attacks.”

Title: China Suspends Deal With Alibaba for Not Sharing log4j 0-Day First with the Government

Date Published: December 22, 2021

Excerpt: “China’s internet regulator, the Ministry of Industry and Information Technology (MIIT), has suspended a partnership with Alibaba Cloud, the cloud computing subsidiary of e-commerce giant Alibaba Group, for six months for failing to promptly report a critical security vulnerability affecting the broadly used Log4j logging library. “Alibaba Cloud did not immediately report vulnerabilities in the popular, open-source logging framework Apache Log4j2 to China’s telecommunications regulator,” Reuters said. “In response, MIIT suspended a cooperative partnership with the cloud unit regarding cybersecurity threats and information-sharing platforms.”

Title: Ubisoft Reveals Player Data Breach Came from User Error

Date Published: December 22, 2021

Excerpt: “Ubisoft has admitted that data on some players may have been taken after a breach of its IT systems stemming from human error. The French gaming giant explained in a brief post that the misconfiguration of its IT infrastructure was quickly identified, but not before unauthorized individuals were able to access and perform a “possible copy” of the information. Data stolen related to players of the wildly popular Just Dance game. “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on your social media profiles,” the firm explained.”

Title: US Returns $150m to Sony After Employee BEC Attack

Date Published: December 22, 2021

Excerpt: “Although Sony had a double authentication process set up for international money transfers, requiring both Ishii and his supervisor to sign them off, the former is said to have instructed the company’s bank to change the contact email address for his boss. That enabled him to initiate and sign-off money transfers to an account under his control totaling $154m, which he later converted into Bitcoin, according to court documents. Ishii is even said to have emailed several executives, including his supervisor with a ransom note claiming that the money would be returned if they paid a fee. The end goal appears to have been to dissuade them from filing criminal charges.”

Title: Attackers Test “Cab-Less 40444” Exploit in a Dry Run

Date Published: December 21, 2021

Excerpt: “In the initial versions of CVE-2021-40444 exploits, malicious Office documents retrieved a malware payload packaged into a Microsoft Cabinet (or .CAB) file. When Microsoft’s patch closed that loophole, attackers discovered they could use a different attack chain altogether by enclosing the maldoc in a specially-crafted RAR archive. Because it doesn’t actually use the CAB-style attack method, we’ve called it the CAB-less 40444 exploit. The attachments represent an escalation of the attacker’s abuse of the -40444 bug and demonstrate that even a patch can’t always mitigate the actions of a motivated and sufficiently skilled attacker.”

Title: Of Course a Bluetooth-Using Home COVID Test Was Cracked to Fake Results

Date Published: December 22, 2021

Excerpt: “The firm tested the Ellume COVID-19 Home Test, a device selected specifically because it uses a “Bluetooth connected analyzer for use with an app on your phone.” It gets worse: faked data produced by the Ellume unit was happily ingested by an outfit named Azova that certifies the results of COVID tests so that travelers can enter the USA. F-Secure’s post details a test in which one of its staff used the Ellume device to test for COVID, produced a negative result, but used the methods above to falsify the results.”

Title: The log4j Flaw Is the Latest Reminder That Quick Security Fixes Are Easier Said than Done

Date Published: December 21, 2021

Excerpt: “The researchers found nearly 36,000 Java software packages that depend on the affected Log4j code, most of which were indirect dependencies, which adds complexity and time for anybody responsible for fixing the problems. Even as organizations work to identify vulnerable assets and apply the appropriate patch, the problem may not be totally solved and may not become known for months or even years. Skilled hackers will find ways into systems using the vulnerability before everything can be patched, and then lay low, experts say.”
