January 26, 2022

Fortify Security Team

Title: QNAP Warns of New DeadBolt Ransomware Encrypting NAS Devices
Date Published: January 26, 2022


Excerpt: “QNAP is warning customers again to secure their Internet-exposed Network Attached Storage (NAS) devices to defend against ongoing and widespread attacks targeting their data with the new DeadBolt ransomware strain. “DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users’ data for Bitcoin ransom,” the company said in a statement issued today. “Your NAS is exposed to the Internet and at high risk if there shows ‘The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP’ on the dashboard.””

Title: PwnKit: Local Privilege Escalation Bug Affects Major Linux Distros
Date Published: January 26, 2022


Excerpt: “An attacker can exploit a vulnerability in Polkit’s pkexec component, tracked as CVE-2021-4034, that affects all major Linux distributions to gain full root privileges on the system. The good news is that this issue is not remotely exploitable, but if an attacker can log in as any unprivileged user, it can allow them to gain root privileges. The flaw, dubbed PwnKit, was introduced more than 12 years ago (May 2009) in the initial commit of pkexec, which means that all versions are affected. Polkit (formerly PolicyKit) is a component used to control system-wide privileges in Unix-like OSes. It allows non-privileged processes to communicate with privileged processes. Polkit also allows executing commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).”
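The practical check for this item is whether pkexec on a host is still a setuid-root binary, since that is the precondition PwnKit relies on, and whether the interim mitigation (dropping the setuid bit until the distribution ships a patched polkit) has been applied. The script below is an added example written for this digest; it is not code from the article, from the Qualys advisory, or from the polkit project. The default path /usr/bin/pkexec and the PKEXEC override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from the polkit project.
# CVE-2021-4034 requires pkexec to be a setuid-root binary. This script checks
# that precondition for a given path and offers the widely published interim
# mitigation (removing the setuid bit) for use until the distribution's
# patched polkit package is installed.

pkexec_is_suid() {
    # Return 0 when "$1" exists and has the set-user-ID bit, else 1.
    [ -f "$1" ] && [ -u "$1" ]
}

pkexec_owner() {
    # Print the owning user of "$1" (the setuid bit only matters if this is root).
    ls -ld "$1" | awk '{ print $3 }'
}

pkexec_report() {
    # Exit status: 0 = setuid bit present (exploitable if polkit is unpatched),
    #              1 = bit absent, 2 = file missing.
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: not present"
        return 2
    fi
    if pkexec_is_suid "$f"; then
        echo "$f: setuid bit set (owner $(pkexec_owner "$f")); update polkit or apply the mitigation"
        return 0
    fi
    echo "$f: setuid bit not set; CVE-2021-4034 cannot be triggered through this binary"
    return 1
}

pkexec_mitigate() {
    # Interim mitigation: strip the setuid bit. pkexec then stops working for
    # non-root users until the patched package restores the bit. On a real
    # system this needs root.
    chmod 0755 "$1"
}

# Stand-alone run: inspect the system pkexec (override with PKEXEC=/path).
# The report's exit status is informational, so it is not propagated here.
pkexec_report "${PKEXEC:-/usr/bin/pkexec}" || true
```

Do not rely on `pkexec --version` to decide whether a host is patched: distributions backported the fix without bumping the upstream version, so the package manager (for example `dpkg -l policykit-1` or `rpm -q polkit`) is the authoritative source, and the setuid check above only tells you whether the mitigation is in place.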

Title: Google Drops FLoC and Introduces Topics API to Replace Tracking Cookies for Ads
Date Published: January 25, 2022


Excerpt: “Google on Tuesday announced that it is abandoning its controversial plans for replacing third-party cookies in favor of a new Privacy Sandbox proposal called Topics, which categorizes users’ browsing habits into approximately 350 topics. The new mechanism, which takes the place of FLoC (short for Federated Learning of Cohorts), slots users’ browsing history for a given week into a handful of top pre-designated interests (i.e., topics), which are retained only on the device for a revolving period of three weeks. Subsequently, when a user visits a participating site, the Topics API selects three of the interests — one topic from each of the past three weeks — to share with the site and its advertising partners. To give more control over the framework, users can not only see the topics but also remove topics or disable it altogether.”

Title: Nobel Foundation Site hit by DDoS Attack on Award Day
Date Published: January 26, 2022


Excerpt: “The Nobel Foundation and the Norwegian Nobel Institute have disclosed a cyber-attack that unfolded during the award ceremony on December 10, 2021. Nobel is an annual prize awarded to people whose work in physics, chemistry, physiology, medicine, literature, and peace, has been exceptional and is deemed particularly beneficial to humanity. The Nobel prize ceremony is being live-streamed from Oslo and Stockholm, and as such, DDoS attacks can interrupt the video feed and possibly even blemish the prestige of the institution.”

Title: VMware Urges Customers to Patch VMware Horizon Servers Against Log4j Attacks
Date Published: January 26, 2022


Excerpt: “VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks. Searching for Internet-exposed VMware Horizon servers with Shodan, we can find tens of thousands of installs potentially exposed to attacks. This month, the Night Sky ransomware operation started exploiting the Log4Shell flaw (CVE-2021-44228) in the Log4j library to gain access to VMware Horizon systems. In early January, threat actors started targeting VMware Horizon systems exposed on the Internet. VMware has addressed Log4Shell in Horizon with the release of versions 2111, 7.13.1, and 7.10.3, but unfortunately many unpatched systems are still exposed online.”

Title: Segway Hit by Magecart Attack Hiding in a Favicon
Date Published: January 25, 2022


Excerpt: “Visitors who shopped on the company’s eCommerce website in January will likely find their payment-card data heisted, researchers warned. Segway, maker of the iconic – and much-spoofed – personal motorized transporter familiar from guided city tours everywhere, has been serving up a nasty credit-card harvesting skimmer via its website that’s likely linked to Magecart Group 12. That’s according to Malwarebytes, which noted that “We already have informed Segway so that they can fix their site, but are publishing this blog now in order to raise awareness.” Segway, which is now owned by Chinese company Ninebot, did not immediately return a request for confirmation that the site is cleaned.”

Title: PrinterLogic Fixes High Severity Flaws in Printer Management Suite
Date Published: January 26, 2022


Excerpt: “PrinterLogic has released security updates to address nine vulnerabilities in Web Stack and Virtual Appliance, the most severe of which, tracked as CVE-2021-42631, CVE-2021-42635, and CVE-2021-42638, are rated as high severity flaws (CVSS base score of 8.1). Below is the list of vulnerabilities fixed by Paranoids:

CVE-2021-42631: Object Injection leading to RCE
CVE-2021-42635: Hardcoded APP_KEY leading to RCE
CVE-2021-42638: Misc command injections leading to RCE
CVE-2021-42633: SQLi may disclose audit logs
CVE-2021-42637: Blind SSRF
CVE-2021-42639: Misc reflected XSS
CVE-2021-42640: Driver assignment IDOR
CVE-2021-42641: Username/email info disclosure
CVE-2021-42642: Printer console username/password info disclosure

An attacker can trigger these three vulnerabilities to remotely execute arbitrary code on vulnerable systems. CVE-2021-42631 is an object injection flaw, CVE-2021-42635 is a hardcoded APP_KEY issue, while CVE-2021-42638 is miscellaneous command injections. PrinterLogic pointed out that most of the installs are not internet-facing.”

Title: German Govt Warns of APT27 Hackers Backdooring Business Networks
Date Published: January 26, 2022


Excerpt: “The BfV German domestic intelligence service (short for Bun­des­amt für Ver­fas­sungs­schutz) warns of ongoing attacks coordinated by the APT27 Chinese-backed hacking group. This active campaign is targeting German commercial organizations, with the attackers using the HyperBro remote access trojan (RAT) to backdoor their networks. HyperBro helps the threat actors maintain persistence on the victims’ networks by acting as an in-memory backdoor with remote administration capabilities.”

Title: Threat Actors Blanket Androids with Flubot, Teabot Campaigns
Date Published: January 26, 2022


Excerpt: “Researchers have discovered a raft of active campaigns delivering the Flubot and Teabot trojans through a variety of delivery methods, with threat actors using smishing and malicious Google Play apps to target victims with fly-by attacks in various regions across the globe. Researchers from Bitdefender Labs said they have intercepted more than 100,000 malicious SMS messages trying to distribute Flubot malware since the beginning of December, according to a report published Wednesday. During their observation of Flubot, the team also discovered a QR code-reader app that’s been downloaded more than 100,000 times from the Google Play store and which has delivered 17 different Teabot variants, they said.”

Title: Proactive Software Supply Chain Security Becoming Critical as Threats Rise
Date Published: January 26, 2022


Excerpt: “Anchore released its report of executive insights into managing enterprise software supply chain security practices. The Anchore 2022 Software Supply Chain Security Report compiles responses from 428 leaders and executives in IT, security and development roles to identify the latest trends on how organizations are adapting to new security challenges of the software supply chain. The survey was conducted in December 2021, both before and after the Log4j zero-day vulnerability was published. The impact was seen immediately, with respondents surveyed after the Log4j incident being much more likely to report significant or moderate impacts from supply chain attacks.”
