June 16, 2022

Fortify Security Team
Jun 16, 2022

Title: Microsoft Office 365 Feature Can Help Cloud Ransomware Attacks

Date Published: June 16, 2022

https://www.bleepingcomputer.com/news/security/microsoft-office-365-feature-can-help-cloud-ransomware-attacks/

Excerpt: “Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups. ”

Title: Hackers Exploit Three-Year-Old Telerik Flaws to Deploy Cobalt Strike

Date Published: June 15, 2022

https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-old-telerik-flaws-to-deploy-cobalt-strike/

Excerpt: “A threat actor known as ‘Blue Mockingbird’ targets Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. The flaw leveraged by the attacker is CVE-2019-18935, a critical severity (CVSS v3.1: 9.8) deserialization that leads to remote code execution in the Telerik UI library for ASP.NET AJAX. The same threat actor was seen targeting vulnerable Microsoft IIS servers that used Telerik UI in May 2020, by which time a year had passed since security updates were made available by the vendor. Surprisingly, Sophos researchers reported today that Blue Mockingbird is still leveraging the same flaw to launch cyberattacks, according to their detection data.”

Title: Cisco Secure Email Bug Can Let Attackers Bypass Authentication

Date Published: June 15, 2022

https://www.bleepingcomputer.com/news/security/cisco-secure-email-bug-can-let-attackers-bypass-authentication/

Excerpt: “Cisco notified customers this week to patch a critical vulnerability that could allow attackers to bypass authentication and login into the web management interface of Cisco email gateway appliances with non-default configurations. The security flaw (tracked as CVE-2022-20798) was found in the external authentication functionality of virtual and hardware Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. CVE-2022-20798 is due to improper authentication checks on affected devices using Lightweight Directory Access Protocol (LDAP) for external authentication.”

Title: Researchers Disclosed a Remote Code Execution Vulnerability, Tracked as CVE-2022-25845, in the Popular Fastjson Library

Date Published: June 16, 2022

https://securityaffairs.co/wordpress/132333/security/fastjson-library-rce.html

Excerpt: “Cybersecurity researchers from JFrog disclosed details of a now patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Fastjson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to an equivalent Java object. Fastjson can work with arbitrary Java objects including pre-existing objects that you do not have source-code of. The flaw, tracked as CVE-2022-25845 (CVSS score: 8.1), resides in a feature called “AutoType” and is related to the deserialization of untrusted data. The AutoType function allows specifying a custom type when parsing a JSON input that can then be deserialized into an object of a specific class.”

Title: Citrix fixed a Critical Flaw in Citrix Application Delivery Management (ADM), Tracked as CVE-2022-27511, That Can Allow Attackers to Reset Admin Passwords

Date Published: June 15, 2022

https://securityaffairs.co/wordpress/132299/security/citrix-application-delivery-management-flaw.html

Excerpt: “Citrix fixed a critical vulnerability in Citrix Application Delivery Management (ADM), tracked as CVE-2022-27511, that can be exploited by attackers to reset admin passwords. Citrix Application Delivery Management (ADM) is a comprehensive platform that enables automation, orchestration, management, and analytics for application delivery across hybrid multi-cloud environments. The flaw is an Improper Access Control issue reported by the security researcher Florian Hauser from Code White. The flaw impacts all supported versions of Citrix Application Delivery Management server.”

Title: Researchers Discovered a New Golang-Based Peer-To-Peer (P2P) Botnet, Dubbed Panchan, Targeting Linux Servers in the Education Sector Since March 2022.

Date Published: June  15, 2022

https://securityaffairs.co/wordpress/132290/cyber-crime/panchan-p2p-botnet.html

Excerpt: “Akamai security researchers discovered a new Golang-based P2P Botnet, tracked as Panchan, that is targeting Linux servers that has been active since March 2022. Panchan uses a basic SSH dictionary attack to implement wormable behavior; it also harvests SSH keys and uses them for lateral movement. The bot uses “its built-in concurrency features to maximize spreadability and execute malware modules.”
The botnet is engaged in crypto mining activity, the malicious code has been designed to hijack the computer’s resources to mine cryptocurrencies. The bot was observed using XMRig and nbhash miners that aren’t extracted to the disk to avoid detection.”

Title: BNPL Fraud Alert as Account Takeovers Surge

Date Published: June  15, 2022

https://www.infosecurity-magazine.com/news/bnpl-fraud-alert-as-account/

Excerpt: “Account takeover (ATO) attacks targeting the financial services sector surged 58% from April to May this year, raising fears that fraudsters are focusing more on buy now, pay later (BNPL) schemes. BNPL has become increasingly popular as the cost-of-living crisis bites, enabling consumers to buy the products they want by splitting purchases into smaller, interest-free payments.”

Title: ‘Hertzbleed’ Side-Channel Attack Threatens Cryptographic Keys for Servers

Date Published: June 15, 2022

https://www.darkreading.com/attacks-breaches/hertzbleed-side-channel-attack-cryptographic-keys-servers

Excerpt: “A novel timing attack allows remote attackers with low privileges to infer sensitive information by observing power-throttling changes in the CPU. A side-channel timing attack dubbed “Hertzbleed” by researchers could allow remote attackers to sniff out cryptographic keys for servers. It affects most Intel processors, as well as some chipsets from AMD and likely others.”

Title: Elasticsearch Database Mess Up Exposed Login, PII Data of 30,000 Students

Date Published: June 15, 2022

https://www.hackread.com/elasticsearch-database-expose-login-pii-data-students/

Excerpt: “SafetyDetectives’ cybersecurity research team led by Anurag Sen identified a misconfigured Elasticsearch server that exposed the data of Transact Campus app. According to their analysis, the server was internet-connected and didn’t need a password to allow access to data. Resultantly, around 1 million records were leaked, revealing personally identifiable information of over 30,000 to 40,000 students.”

Title: Facebook Messenger Scam Duped Millions

Date Published: June 16, 2022

https://threatpost.com/acebook-messenger-scam/179977/

Excerpt: “For months now, millions of Facebook users have been duped by the same phishing scam that cons users into handing over their account credentials. According to a report outlining the phishing campaign, the scam is still active and continues to push victims to a fake Facebook login page where victims are enticed to submit their Facebook credentials. Unconfirmed estimates suggest nearly 10 million users fell prey to the scam, earning a single perpetrator behind the phishing ploy a huge payday. According to a report published by researchers at PIXM Security, the phishing campaign began last year and ramped up in September. Researchers believe millions of Facebook users were exposed each month by the scam. Researchers assert that the campaign remains active.”

Recent Posts

July 27, 2022

Title: Phishing Attacks Skyrocket With Microsoft and Facebook as Most Abused Brands Date Published: July 26, 2022 https://threatpost.com/popular-bait-in-phishing-attacks/180281/ Excerpt: “The bloom is back on phishing attacks with criminals doubling down on fake...

July 26, 2022

Title: Nist Updates Healthcare Security Guidance Date Published: July 25, 2022 https://www.infosecurity-magazine.com/news/nist-healthcare-guidance/ Excerpt: “The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for...

July 25, 2022

Title: Lockbit Ransomware Gang Claims to Have Breached the Italian Revenue Agency Date Published: July 25, 2022 https://securityaffairs.co/wordpress/133640/cyber-crime/lockbit-ransomware-italian-revenue-agency.html Excerpt: “The ransomware gang Lockbit claims to have...

July 22, 2022

Title: Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’ Date Published: July 21, 2022 https://threatpost.com/hackers-cyber-mercenaries/180263/ Excerpt: “A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and...

July 21, 2022

Title: Windows 11 Now Blocks Rdp Brute-Force Attacks by Default Date Published: July 21, 2022 https://www.bleepingcomputer.com/news/microsoft/windows-11-now-blocks-rdp-brute-force-attacks-by-default/ Excerpt: “Recent Windows 11 builds come with the Account Lockout...

July 20, 2022

Title: New Luna Ransomware Encrypts Windows, Linux, and Esxi Systems Date Published: July 20, 2022 https://www.bleepingcomputer.com/news/security/new-luna-ransomware-encrypts-windows-linux-and-esxi-systems/ Excerpt: “A new ransomware family dubbed Luna can be used to...

July 18, 2022

Title: A Massive Cyberattack Hit Albania Date Published: July 18, 2022 https://securityaffairs.co/wordpress/133363/cyber-warfare-2/albania-cyber-attack.html Excerpt: “Albania was hit by a massive cyberattack over the weekend, the government confirmed on Monday. A...