December 8, 2021

Fortify Security Team
Dec 8, 2021

Title: Was Threat Actor KAX17 De-anonymizing the Tor Network?
Date Published: December 8, 2021

Excerpt: “Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report. This policy, however, is not policed very strictly, mainly to ensure there’s always a sufficiently large number of nodes. But a security researcher and Tor node operator going by Nusenu told The Record this week that they observed a pattern in some of these Tor relays with no contact information, which they first noticed in 2019 and have traced back as far as 2017.”

Title: Emotet’s Comeback Is Getting a Boost from Fellow Botnet Trickbot
Date Published: December 8, 2021

Excerpt: “The samples of the Emotet malware are being delivered via servers that TrickBot infected in mid-November. A number of other researchers have confirmed Emotet’s return and have observed TrickBot distributing the malware. Emotet received a series of debilitating blows last year at the hands of law enforcement. In January, U.S. and European authorities took control of the botnet’s network of infected computers and arrested several of its operators. Authorities followed that January takedown with an operation to corrupt the malware in April. Emotet essentially disappeared off the map at that point.”

Title: Sonicwall ‘Strongly Urges’ Customers to Patch Critical SMA 100 Bugs
Date Published: December 8, 2021

Excerpt: “SonicWall ‘strongly urges’ organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The bugs (reported by Rapid7’s Jake Baines and NCC Group’s Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled. The highest severity flaws patched by SonicWall this week are CVE-2021-20038 and CVE-2021-20045, two critical Stack-based buffer overflow vulnerabilities that can let remote unauthenticated attackers execute as the ‘nobody’ user in compromised appliances.”

Title: Google Disrupts Blockchain-based Glupteba Botnet; Sues Russian Hackers
Date Published: December 8, 2021

Excerpt: “As part of the efforts, Google’s Threat Analysis Group (TAG) said it partnered with the CyberCrime Investigation Group over the past year to terminate around 63 million Google Docs that were observed to have distributed the malware, alongside 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts that were associated with its distribution. Google TAG said it worked with internet infrastructure providers and hosting providers, such as CloudFlare, to dismantle the malware by taking down servers and placing interstitial warning pages in front of the malicious domains.”

Title: Line Pay Leaks Data from Approximately 133,000 Users to Github of All Places
Date Published: December 8, 2021

Excerpt: “LINE Pay, a smartphone payment provider, announced yesterday that between September and November of this year, approximately 133,000 users’ payment details were inadvertently published on GitHub. A research group employee accidentally uploaded files detailing participants in a LINE Pay promotional programme staged between late December 2020 and April 2021 to the collaborative coding crèche.”

Title: 18 Fake Birth Certificates Generated in Hisar after Health Dept Site Hacked
Date Published: December 5, 2021

Excerpt: “In the complaint to the police, ADR said that the chief registrar of birth and death certificates and the director general of health department informed through a letter on July 30 that around 18 fake birth certificates have been generated by some unknown person after stealing the password of the CRS (combined reporting system) IDs of and the CHC Siswal and CHC Uklana and the respective registrars. Copies of all fake birth certificates and details have also been given to the district health department.”

Title: Cyberattack Wave Hits Spar Stores; Who Is Responsible?
Date Published: December 8, 2021

Excerpt: “The news broke this week that SPAR was hit by largescale cyber ransomware. This attack targeted the James Hall & Company in Preston, Lancashire, not the main store chain. This company is integral to operations as they are the primary supply wholesaler for the company. The attack affected SPAR’s tills and IT systems, implemented by James Hall. This has caused stores across the country to close their doors, and the ones that have stayed open can only accept cash payments.”

Title: Moobot Botnet Spreading via Hikvision Camera Vulnerability
Date Published: December 8, 2021

Excerpt: “Other commands that the C2 server may send include 0x06 for UDP flood, 0x04 for ACK flood, and 0x05 for ACK+PUSH flood. By looking into the captured packet data, Fortinet could track down a Telegram channel that started offering DDoS services last August. Having your device enlisted in DDoS swarms results in increased energy consumption, accelerated wear, and causes the device to become unresponsive. The best way to protect your IoT devices from botnets is to apply available security updates as soon as possible, isolate them in a dedicated network, and replace the default credentials with strong passwords.”

Title: Trickbot Rebirths Emotet: 140,000 Victims in 149 Countries in 10 Months
Date Published: December 7, 2021

Excerpt: “Check Point Research (CPR) warns of potential ransomware attacks, as it sees samples of Emotet fast-spreading via Trickbot. Since Emotet’s takedown by law enforcement, CPR estimates 140,000 victims of Trickbot, across 149 countries in only 10 months. New Emotet samples spreading through Trickbot were discovered by CPR on November 15, 2021. Emotet is a strong indicator of future ransomware attacks, as the malware provides ransomware gangs a backdoor into compromised machines.”

Title: Hotel Guests Locked Out of Rooms After Ransomware Attack
Date Published: December 8, 2021

Excerpt: “Nordic Choice runs around 200 locations across the region, with brands such as Comfort, Clarion and Quality. It claimed to have been hit last Thursday with a ransomware attack which impacted “the hotel systems that handle reservations, check-in, check-out and creation of new room keys.” One guest took to social media to explain that hotel staff were forced to personally escort guests upstairs to their rooms because key cards were out-of-action. A press release dated Monday failed to mention the problem with room keys but revealed that the Conti variant was to blame. Conti has been responsible for large-scale attacks on Ireland’s Health Service Executive (HSE) and an outrageous $40m ransom demand aimed at Broward County Public Schools in the US.”

Recent Posts

June 10, 2022

Title: Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store Date Published: June 9, 2022 Excerpt: “A new ransomware is taking the unusual approach of...

June 9, 2022

Title: New Symbiote Malware Infects all Running Processes on Linux Systems Date Published: June 9, 2022 Excerpt: “A newly discovered Linux malware known...

June 8, 2022

Title: Surfshark, ExpressVPN pull out of India Over Data Retention Laws Date Published: June 7, 2022 Excerpt: “Surfshark announced today they are shutting down...

June 6, 2022

Title: Italian City of Palermo Shuts Down all Systems to Fend off Cyberattack Date Published: June 6, 2022 Excerpt: “The municipality of Palermo in...

June 3, 2022

Title: Critical Atlassian Confluence Zero-Day Actively Used in Attack Date Published: June 2, 2022 Excerpt: “Hackers are actively exploiting a new Atlassian...

June 2, 2022

Title: Conti Ransomware Targeted Intel Firmware for Stealthy Attacks Date Published: June 2, 2022 Excerpt: “Researchers analyzing the leaked chats of the...

June 1, 2022

Title: Ransomware Attacks Need Less Than Four Days to Encrypt Systems Date Published: June 1, 2022 Excerpt: “The duration of ransomware attacks in 2021...