December 23, 2021

Fortify Security Team

Title: Apache’s New Security Update for HTTP Server Fixes Two Flaws
Date Published: December 23, 2021

Excerpt: “The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10. The first Apache web server flaw is a memory-related buffer overflow affecting Apache HTTP Server 2.4.51 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) warns it ‘may allow a remote attacker to take control of an affected system’. The less serious flaw allows for server-side request forgery in Apache HTTP Server 2.4.7 up to 2.4.51.”

Title: Hacker Faces over 20 Years in Jail for Creating Fake Rideshare and Delivery Service Accounts
Date Published: December 23, 2021

Excerpt: “The hacker managed to collect victim names, dates of birth, driver’s license information, and social security numbers (SSNs) available for sale on dark web marketplaces and misused them to create fake documents. As explained by BleepingComputer, most of the time, the hackers were the ones to take the photos used to bypass the facial recognition verifications used as security measures in rideshare and delivery service provider systems. In order to exchange information with the victim, the fraudsters purposefully staged a small car accident or took pictures of the victim’s license while making an alcohol delivery via one of the services.”

Title: FBI Traces and Grabs Back $150 Million Theft That Was Turned into Bitcoins
Date Published: December 23, 2021

Excerpt: “Second, the FBI’s footprint internationally through our Legal Attaché offices and the pre-existing relationships we have established in foreign countries—in this instance with Japan—enabled law enforcement to coordinate and identify the subject. The FBI’s technical expertise was able to trace the money to the subject’s crypto wallet and seize those funds … Criminals should take note: You cannot rely on cryptocurrency to hide your ill-gotten gains from law enforcement.”

Title: Three Trivial Bugs in Microsoft Teams Software Remain Unpatched
Date Published: December 23, 2021

Excerpt: “‘When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail. However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain,’ reads the analysis. ‘The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.’”

Title: This New Ransomware Has Simple but Very Clever Tricks to Evade PC Defenses
Date Published: December 23, 2021

Excerpt: “One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it in Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target’s intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.”

Title: Alibaba Suffers Government Crackdown Over Log4j
Date Published: December 23, 2021

Excerpt: “According to news site Protocol, a Chinese regulation dubbed Provisions on Security Loopholes of Network Products was in force as of September. It mandates vulnerabilities be reported immediately to the manufacturer and within two days to the Chinese authorities. As a result, Alibaba Cloud has reportedly been suspended from MIIT’s threat information sharing platform for six months. Alibaba Cloud researcher Chen Zhaojun is credited by Apache with finding the first bug in the popular logging utility, dubbed ‘Log4Shell’.”

Title: Logistics Giant Warns of Scams Following Ransomware Attack
Date Published: December 23, 2021

Excerpt: “German logistics giant Hellmann Worldwide Logistics has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.”

Title: 3 Reasons Why You Should Fuzz Your Christmas Tree
Date Published: December 23, 2021

Excerpt: “Christmas trees (especially those put up by geeks) are often decorated with smart lights that are connected to Wi-Fi. Vulnerabilities in such hardware can be an entry point for attackers who want to hack Christmas. How easily such vulnerabilities can be exploited became clear in a 2018 study, in which security researchers managed to completely shut down Christmas decorations remotely. In other instances, IoT devices were hacked over the cloud and even set on fire.”

Title: HackDHS Bug Bounty Program Accepts Reports of Log4J-Related Flaws in DHS Systems
Date Published: December 23, 2021

Excerpt: “The Department of Homeland Security (DHS) has launched the ‘Hack DHS’ bug bounty program last week to allow vetted white hat hackers to discover and report security vulnerabilities in external DHS systems. The Hack DHS bug bounty program will occur in three phases throughout Fiscal Year 2022. During the first phase, researchers will perform remote vulnerability assessments on certain DHS external systems. In the second phase, the experts will participate in a live, in-person hacking event, while in the third phase, DHS will identify and review lessons learned, and plan for future bug bounties.”

Title: The log4j Flaw Is the Latest Reminder That Quick Security Fixes Are Easier Said than Done
Date Published: December 23, 2021

Excerpt: “The researchers found nearly 36,000 Java software packages that depend on the affected Log4j code, most of which were indirect dependencies, which adds complexity and time for anybody responsible for fixing the problems. Even as organizations work to identify vulnerable assets and apply the appropriate patch, the problem may not be totally solved and may not become known for months or even years. Skilled hackers will find ways into systems using the vulnerability before everything can be patched, and then lay low, experts say.”