Cybersecurity Digest #38: 15/11/2021 – 26/11/2021

Cybersecurity news

  • AT&T Alien Labs has found new malware, BotenaGo, written in the open source programming language Golang. Shipped with more than 30 exploits, it has the potential to target millions of routers and IoT devices.
  • The TrickBot malware operators have been using a new method to check the screen resolution of a victim system to evade detection of security software and analysis by researchers. Last year, the TrickBot gang added a new feature to their malware that terminated the infection chain if a device was using non-standard screen resolutions of 800×600 and 1024×768. In a new variation spotted by threat researchers, the verification code has been added to the HTML attachment of the malspam delivered to the potential victim.
  • A new analysis of website fingerprinting (WF) attacks aimed at the Tor web browser has revealed that it’s possible for an adversary to glean a website frequented by a victim, but only in scenarios where the threat actor is interested in a specific subset of the websites visited by users.
  • Cybersecurity specialists from Positive Technologies reported the detection of three critical vulnerabilities in the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls developed by Cisco, whose exploitation would allow threat actors to deploy denial of service (DoS) attacks, among other risk scenarios. According to the report, the flaws received scores of 8.6/10 on the Common Vulnerability Scoring System (CVSS), so users of vulnerable deployments are recommended to update as soon as possible.
  • A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.
  • A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software. Last month, the group became active when they began exploiting a VMware vCenter Server web client flaw for the initial access to victims’ networks. The vCenter vulnerability is tracked as ‘CVE-2021-21972’ and is an unauthenticated, remote code execution bug with a 9.8 (critical) severity rating.

Cybersecurity Blog Posts

  • With organizations increasingly migrating services and data to the cloud, it is important to understand the various insider threat factors that are associated with cloud security. (ISC)² experts highlighted two factors: human error and malicious intent.
  • Dean Parsons wrote about consequence-driven ICS risk management in his post. He thinks ICS intrusions will continue to occur and will likely increase in their severity and range of consequences across critical infrastructure sectors. However, managing control system cyber risk and tactical ICS/OT defense is doable, and it can protect critical resources and focus on recovery that improves resilience and reduces mean recovery time.
  • Phishing emails are now skating past traditional defenses. Justin Jett, director of audit and compliance at Plixer, discussed what to do about it and provided three top tools for defending against phishing attacks.

Research and analytics

  • Binarly researchers focused on uncovering ETW design problems and attacks that affect all the solutions relying on ETW telemetry. Firmware implants that deliver operating system payloads implementing these attacks will NOT be detected by modern endpoint solutions.
  • According to Trend Micro's global study Business Friction is Exposing Organisations to Cyber Threats, 90% of IT decision makers claim their business would be willing to compromise on cybersecurity in favour of digital transformation, productivity, or other goals. 82% of IT decision makers have felt pressured to downplay the severity of cyber risks to their board. Nearly a third claim this is a constant pressure.
  • Analysts from Fox-IT, part of NCC Group, offered some best practices to mitigate the impact of a ransomware attack based on a dataset of 700 ransomware negotiations that occurred between 2019 and 2020. Analysts explained that there are strategies that can influence the best possible outcome when negotiation is the only choice.
  • Ransomware operators don’t just target systems and data, they target people in their ever-increasing efforts to get the victim to pay. To help organizations improve their ransomware defenses, Sophos Rapid Response has compiled the top 10 pressure tactics that adversaries used in 2021.
  • Forescout Research Labs published Project Memoria conclusions – lessons learned after 18 months of vulnerability research. Project Memoria shows two things about silently patched vulnerabilities: they exist in very critical supply-chain software, so there are millions of devices out there that have been vulnerable for a long time, and silently patching a vulnerability does not mean that nobody will get to know about it: these issues tend to be rediscovered again and again.
  • Computer Security Group proposed a new highly effective approach for crafting non-uniform and frequency-based Rowhammer access patterns that can bypass TRR from standard PCs. They implemented these patterns in a Rowhammer fuzzer named Blacksmith and showed that it can bypass TRR on 100% of the PC-DDR4 DRAM devices in their test pool.
  • The 2021 Norton Cyber Safety Insights Report: Special Release – Gaming & Cybercrime, conducted by The Harris Poll among more than 700 American adults who currently play online games, found that almost half of American gamers (47%) have experienced a cyberattack to their gaming account or device. Of those, more than three in four (76%) report that they were financially affected as a result, losing a striking $744 on average.
  • Palo Alto Networks researchers and Stony Brook University specialists captured data on 1,220 MITM phishing websites over the course of a year and discovered that MITM phishing toolkits occupy a blind spot in phishing blocklists, with only 43.7% of domains and 18.9% of IP addresses associated with MITM phishing toolkits present on blocklists, leaving unsuspecting users vulnerable to these attacks.
  • NordPass published their annual top 200 most common passwords according to the 2021 research. The list of passwords was compiled in partnership with independent researchers specializing in research of cybersecurity incidents, who evaluated a 4TB database. The list details how many times a certain password was used and how long it would take to crack it.
  • Digital Shadows has published its latest research piece titled Vulnerability Intelligence: Do you know where your flaws are?, where they explored the cybercriminal forums rabbit hole to understand how threat actors are continually exploiting security teams’ weaknesses. They think that the traditional – and sometimes chaotic – approach to vulnerability patching is not sustainable anymore and that we need a new paradigm to stay one step ahead of malicious actors.
  • In their latest investigative article, SOS Intelligence took a look at alleged SS7 exploitation services on the Dark Web and dove into their credibility using their SOS Intelligence analytics toolkit. Given the feature-rich tooling of SS7, it is ripe for abuse and a target not only for government-run intelligence agencies but also for organised crime groups that operate partly or wholly in the cyber domain.
  • Download Arkose Labs report on the 6 Hottest Fraud-Fighting Trends now to learn how to prepare for up to a 50% increase in attack volumes during the holiday season, why bots and credential stuffing attacks are expected to increase by at least 56% and why new account fraud has increased 4x and is expected to rise further.
  • A Cymulate survey showed companies recovering quicker from ransomware attacks despite a rise in frequency. Most companies are not confident in current security measures; the Manufacturing, Retail and Hospitality industries are the most targeted; and poor password discipline remains a major vector. 28% of organizations were hit by ransomware over the last few years, 19% of the respondents experienced major damages and interruption to business or production, and 26% reported that damages were relegated to a few systems.
  • MeriTalk, in partnership with Recorded Future, surveyed 150 Federal cybersecurity leaders in June 2021 to explore drivers and roadblocks to advanced threat intelligence. 84% of Federal cybersecurity leaders say improving their ability to identify, integrate, and analyze threat intelligence is one of their agency’s top tech priorities over the next three years.

Major Cyber Incidents

  • Hackers compromised a Federal Bureau of Investigation (FBI) email system according to the agency and security specialists. The hackers sent tens of thousands of emails warning of a possible cyberattack, threat-tracking organization Spamhaus Project said on its Twitter account.
  • World’s largest manufacturer of wind turbines shut down part of IT systems due to cyberattack. Due to the cyber incident, the Danish energy giant Vestas Wind Systems was forced to shut down part of the systems in a number of its divisions.
  • Web hosting provider GoDaddy said an attacker broke into its Managed WordPress service and accessed the account details and SSL keys of 1.2 million customers. It was found that the attacker had had access to the company’s network for more than two months before the intrusion was detected. GoDaddy said the attacker used a compromised password to access the provisioning system in the company’s legacy code base for Managed WordPress.
  • Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. These cookies.sqlite databases normally reside in the Firefox profiles folder, where they are used to store cookies between browsing sessions. They are findable by searching GitHub with specific query parameters, what is known as a search “dork.”
  • Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded. The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances.
  • The Conti ransomware group has suffered a data breach that exposed its attack infrastructure and allowed researchers to access it. Researchers at security firm Prodaft were able to identify the real IP address of one of the servers used by the Conti ransomware group and access the console for more than a month. The exposed server was hosting the payment portal used by the gang for ransom negotiation with the victims.
  • Spain’s second biggest beer maker Damm halted output at its main brewery outside Barcelona after a cyber attack hit its computer systems. The attack hit the brewery, and for a few hours the plant in El Prat de Llobregat, which produces 7 million hectolitres of beer a year, was entirely paralyzed.
  • Marine services giant Swire Pacific Offshore (SPO) has suffered a Clop ransomware attack that allowed threat actors to steal company data. Swire Pacific Offshore discovered an unauthorized network infiltration onto its IT systems, resulting in the compromise of some employee data.