December 23, 2021

Fortify Security Team
Dec 23, 2021

Title: Apache’s New Security Update for HTTP Server Fixes Two Flaws
Date Published: December 23, 2021

Excerpt: “The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10. The first Apache web server flaw is a memory-related buffer overflow affecting Apache HTTP Server 2.4.51 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) warns it “may allow a remote attacker to take control of an affected system”. The less serious flaw allows for server side request forgery in Apache HTTP Server 2.4.7 up to 2.4.51.”

Title: Hacker Faces over 20 Years in Jail for Creating Fake Rideshare and Delivery Service Accounts
Date Published: December 23, 2021

Excerpt: “The hacker managed to collect victim names, dates of birth, driver’s license information, and social security numbers (SSNs) available for sale on dark web marketplaces and misused them to create fake documents. As explained by BleepingComputer, most of the time, the hackers were the ones to take the photos used to bypass the facial recognition verifications used as security measures in rideshare and delivery service provider systems. In order to exchange information with the victim, the fraudsters purposefully staged a small car accident or took pictures of the victim’s license while making an alcohol delivery via one of the services.”

Title: FBI Traces and Grabs Back $150 Million Theft That Was Turned into Bitcoins
Date Published: December 23, 2021

Excerpt: “Second, the FBI’s footprint internationally through our Legal Attaché offices and the pre-existing relationships we have established in foreign countries—in this instance with Japan—enabled law enforcement to coordinate and identify the subject. The FBI’s technical expertise was able to trace the money to the subject’s crypto wallet and seize those funds … Criminals should take note: You cannot rely on cryptocurrency to hide your ill-gotten gains from law enforcement.”

Title: Three Trivial Bugs in Microsoft Teams Software Remain Unpatched
Date Published: December 23, 2021

Excerpt: “When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail. However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain.” reads the analysis. “The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.”

Title: This New Ransomware Has Simple but Very Clever Tricks to Evade PC Defenses
Date Published: December 23, 2021

Excerpt: “One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it Windows Safe Mode. The latter option was used by REvil, Snatch and BlackMatter as a way to disable a target’s intended security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software, and can render otherwise protected machines unsafe.”

Title: Alibaba Suffers Government Crackdown Over Log4j
Date Published: December 23, 2021

Excerpt: “According to news site Protocol, a Chinese regulation dubbed Provisions on Security Loopholes of Network Products was in force as of September. It mandates vulnerabilities be reported immediately to the manufacturer and within two days to the Chinese authorities. As a result, Alibaba Cloud has reportedly been suspended from MIIT’s threat information sharing platform for six months. Alibaba Cloud researcher Chen Zhaojun is credited by Apache with finding the first bug in the popular logging utility, dubbed “Log4Shell”.”

Title: Logistics Giant Warns of Scams Following Ransomware Attack
Date Published: December 23, 2021

Excerpt: “German logistics giant Hellmann Worldwide Logistics has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.”

Title: 3 Reasons Why You Should Fuzz Your Christmas Tree
Date Published: December 23, 2021

Excerpt: “Christmas trees (especially those put up by geeks) are often decorated with smart lights that are connected to Wi-Fi. Vulnerabilities in such hardware can be an entry point for attackers who want to hack Christmas. How easily such vulnerabilities can be exploited became clear in a 2018 study, in which security researchers managed to completely shut down Christmas decorations remotely. In other instances, IoT devices were hacked over the cloud and even set on fire*.”

Title: HackDHS Bug Bounty Program Accepts Reports of Log4J-Related Flaws in DHS Systems
Date Published: December 23, 2021

Excerpt: “The Department of Homeland Security (DHS) has launched the ‘Hack DHS’ bug bounty program last week to allow vetted white hat hackers to discover and report security vulnerabilities in external DHS systems. The Hack DHS bug bounty program will occur in three phases throughout Fiscal Year 2022. During the first phase, researchers will perform remote vulnerability assessments on certain DHS external systems. In the second phase, the experts will participate in a live, in-person hacking event, while in the third phase, DHS will identify and review lessons learned, and plan for future bug bounties.”

Title: The log4j Flaw Is the Latest Reminder That Quick Security Fixes Are Easier Said than Done
Date Published: December 23, 2021

Excerpt: “The researchers found nearly 36,000 Java software packages that depend on the affected Log4j code, most of which were indirect dependencies, which adds complexity and time for anybody responsible for fixing the problems. Even as organizations work to identify vulnerable assets and apply the appropriate patch, the problem may not be totally solved and may not become known for months or even years. Skilled hackers will find ways into systems using the vulnerability before everything can be patched, and then lay low, experts say.

Recent Posts

July 17, 2023

Title: Thousands of Images on Docker Hub Leak Auth Secrets, Private Keys Date Published: July 16, 2023 Excerpt: “Researchers at the RWTH Aachen University...

July 14, 2023

Title: Indexing Over 15 Million WordPress Websites with PWNPress Date Published: July 14, 2023 Excerpt: “Sicuranex’s PWNPress platform indexed over 15 million WordPress websites, it collects data...

December 9, 2022

Title: US Health Dept Warns of Royal Ransomware Targeting Healthcare Date Published: December 8, 2022 Excerpt: “The U.S. Department of Health and Human...

December 8, 2022

Title: New ‘Zombinder’ Platform Binds Android Malware With Legitimate Apps Date Published: December 8, 2022 Excerpt: “A darknet platform dubbed...

December 7, 2022

Title: Fantasy – A New Agrius Wiper Deployed Through a Supply-Chain Attack Date Published: December 7, 2022 Excerpt: “ESET researchers discovered a new wiper and its execution...

December 6, 2022

Title: This Badly Made Ransomware Can’t Decrypt Your Files, Even if You Pay the Ransom Date Published: December 6, 2022 Excerpt: “Victims of a recently...

December 5, 2022

Title: SIM Swapper Gets 18-Months for Involvement in $22 Million Crypto Heist Date Published: December 3, 2022 Excerpt: “Florida man Nicholas Truglia...