June 16, 2022

Fortify Security Team

Title: Microsoft Office 365 Feature Can Help Cloud Ransomware Attacks

Date Published: June 16, 2022

https://www.bleepingcomputer.com/news/security/microsoft-office-365-feature-can-help-cloud-ransomware-attacks/

Excerpt: “Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups.”

Title: Hackers Exploit Three-Year-Old Telerik Flaws to Deploy Cobalt Strike

Date Published: June 15, 2022

https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-old-telerik-flaws-to-deploy-cobalt-strike/

Excerpt: “A threat actor known as ‘Blue Mockingbird’ targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. The flaw leveraged by the attacker is CVE-2019-18935, a critical severity (CVSS v3.1: 9.8) deserialization that leads to remote code execution in the Telerik UI library for ASP.NET AJAX. The same threat actor was seen targeting vulnerable Microsoft IIS servers that used Telerik UI in May 2020, by which time a year had passed since security updates were made available by the vendor. Surprisingly, Sophos researchers reported today that Blue Mockingbird is still leveraging the same flaw to launch cyberattacks, according to their detection data.”

Title: Cisco Secure Email Bug Can Let Attackers Bypass Authentication

Date Published: June 15, 2022

https://www.bleepingcomputer.com/news/security/cisco-secure-email-bug-can-let-attackers-bypass-authentication/

Excerpt: “Cisco notified customers this week to patch a critical vulnerability that could allow attackers to bypass authentication and login into the web management interface of Cisco email gateway appliances with non-default configurations. The security flaw (tracked as CVE-2022-20798) was found in the external authentication functionality of virtual and hardware Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. CVE-2022-20798 is due to improper authentication checks on affected devices using Lightweight Directory Access Protocol (LDAP) for external authentication.”

Title: Researchers Disclosed a Remote Code Execution Vulnerability, Tracked as CVE-2022-25845, in the Popular Fastjson Library

Date Published: June 16, 2022

https://securityaffairs.co/wordpress/132333/security/fastjson-library-rce.html

Excerpt: “Cybersecurity researchers from JFrog disclosed details of a now patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Fastjson can work with arbitrary Java objects including pre-existing objects that you do not have source-code of. The flaw, tracked as CVE-2022-25845 (CVSS score: 8.1), resides in a feature called “AutoType” and is related to the deserialization of untrusted data. The AutoType function allows specifying a custom type when parsing a JSON input that can then be deserialized into an object of a specific class.”

Title: Citrix fixed a Critical Flaw in Citrix Application Delivery Management (ADM), Tracked as CVE-2022-27511, That Can Allow Attackers to Reset Admin Passwords

Date Published: June 15, 2022

https://securityaffairs.co/wordpress/132299/security/citrix-application-delivery-management-flaw.html

Excerpt: “Citrix fixed a critical vulnerability in Citrix Application Delivery Management (ADM), tracked as CVE-2022-27511, that can be exploited by attackers to reset admin passwords. Citrix Application Delivery Management (ADM) is a comprehensive platform that enables automation, orchestration, management, and analytics for application delivery across hybrid multi-cloud environments. The flaw is an Improper Access Control issue reported by the security researcher Florian Hauser from Code White. The flaw impacts all supported versions of Citrix Application Delivery Management server.”

Title: Researchers Discovered a New Golang-Based Peer-To-Peer (P2P) Botnet, Dubbed Panchan, Targeting Linux Servers in the Education Sector Since March 2022.

Date Published: June 15, 2022

https://securityaffairs.co/wordpress/132290/cyber-crime/panchan-p2p-botnet.html

Excerpt: “Akamai security researchers discovered a new Golang-based P2P Botnet, tracked as Panchan, that is targeting Linux servers and has been active since March 2022. Panchan uses a basic SSH dictionary attack to implement wormable behavior; it also harvests SSH keys and uses them for lateral movement. The bot uses “its built-in concurrency features to maximize spreadability and execute malware modules.”
The botnet is engaged in crypto mining activity, the malicious code has been designed to hijack the computer’s resources to mine cryptocurrencies. The bot was observed using XMRig and nbhash miners that aren’t extracted to the disk to avoid detection.”

Title: BNPL Fraud Alert as Account Takeovers Surge

Date Published: June 15, 2022

https://www.infosecurity-magazine.com/news/bnpl-fraud-alert-as-account/

Excerpt: “Account takeover (ATO) attacks targeting the financial services sector surged 58% from April to May this year, raising fears that fraudsters are focusing more on buy now, pay later (BNPL) schemes. BNPL has become increasingly popular as the cost-of-living crisis bites, enabling consumers to buy the products they want by splitting purchases into smaller, interest-free payments.”

Title: ‘Hertzbleed’ Side-Channel Attack Threatens Cryptographic Keys for Servers

Date Published: June 15, 2022

https://www.darkreading.com/attacks-breaches/hertzbleed-side-channel-attack-cryptographic-keys-servers

Excerpt: “A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU. A side-channel timing attack dubbed “Hertzbleed” by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.”

Title: Elasticsearch Database Mess Up Exposed Login, PII Data of 30,000 Students

Date Published: June 15, 2022

https://www.hackread.com/elasticsearch-database-expose-login-pii-data-students/

Excerpt: “SafetyDetectives’ cybersecurity research team led by Anurag Sen identified a misconfigured Elasticsearch server that exposed the data of Transact Campus app. According to their analysis, the server was internet-connected and didn’t need a password to allow access to data. Resultantly, around 1 million records were leaked, revealing personally identifiable information of over 30,000 to 40,000 students.”

Title: Facebook Messenger Scam Duped Millions

Date Published: June 16, 2022

https://threatpost.com/acebook-messenger-scam/179977/

Excerpt: “For months now, millions of Facebook users have been duped by the same phishing scam that cons users into handing over their account credentials. According to a report outlining the phishing campaign, the scam is still active and continues to push victims to a fake Facebook login page where victims are enticed to submit their Facebook credentials. Unconfirmed estimates suggest nearly 10 million users fell prey to the scam, earning a single perpetrator behind the phishing ploy a huge payday. According to a report published by researchers at PIXM Security, the phishing campaign began last year and ramped up in September. Researchers believe millions of Facebook users were exposed each month by the scam. Researchers assert that the campaign remains active.”
