Daily Perk 3/22/2021

It’s Monday. Again.

MS Exchange Servers and Black Kingdom ransomware: per Bleeping Computer,

This weekend security researcher Marcus Hutchins reported seeing a threat actor run a script against Exchange servers vulnerable to ProxyLogon. It dropped a Black Kingdom ransom note but did not encrypt anything.

However, Michael Gillespie of ID Ransomware says he has seen 30 unique submissions to his service from victims whose devices were encrypted. Also of note: back in 2020 corporate networks were being targeted through Pulse Secure VPN vulnerabilities and hit with ransomware known as Black Kingdom, and whether the same operators are behind this wave has not yet been determined. Stay tuned and, more importantly, stay vigilant!

Patch It! Critical vulnerability in Apache OFBiz per The Hacker News

Apache OFBiz is an open-source, Java-based web framework for enterprise resource planning (ERP) and related business automation. I’m guessing there’s a lot of it out there. CVE-2021-26295 allows an unauthenticated attacker to achieve remote code execution through unsafe deserialization of untrusted data: the server reconstructs objects from bytes the attacker controls, and the reconstruction itself ends up running attacker-chosen code. That is the whole deserialization bug class in one sentence, and it is why “just parse the input” is never the fix; the fix is refusing to reconstruct anything you did not expect.

This vulnerability affects versions before 17.12.06, so upgrade as soon as possible. Please! We all recall what an unpatched Apache Struts vulnerability did to Equifax. Cough, Equifax, cough.
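To make the bug class concrete, here is an added example in Python’s pickle (this is not OFBiz code, and it uses Python rather than the Java serialization OFBiz actually relies on; the mechanics are the same). A “gadget” class turns deserialization into a function call, the vulnerable loader runs it, and an allow-listing loader rejects it before the call happens. Java 9 and later offer the same idea as ObjectInputFilter (or the jdk.serialFilter property); in Python the hook is Unpickler.find_class. The allow-list contents and the sample payloads are assumptions for the example.

```python
import io
import pickle
import subprocess


class Gadget:
    """Anything whose __reduce__ returns (callable, args) is serialized as an
    instruction to call that callable during deserialization. The command here
    is a harmless echo; an attacker substitutes whatever they like."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "code ran during deserialization"],))


def build_malicious_payload() -> bytes:
    # Gadget itself never appears in the bytes: only subprocess.check_output
    # and its arguments do, so the victim needs no knowledge of this class.
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    # Constructed sample of what the application legitimately expects.
    return pickle.dumps({"order": 42, "items": ["widget", "gadget"]})


def unsafe_load(data: bytes):
    """The vulnerable pattern: untrusted bytes straight into the deserializer."""
    return pickle.loads(data)


# Assumption for this example: the only globals legitimate input may reference.
ALLOWED_GLOBALS = {("builtins", "set"), ("builtins", "frozenset")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode resolves through here, before any
        # REDUCE can call the result, so an allow-list stops the gadget early.
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_load(data: bytes):
    """Same bytes, allow-listed deserializer. dict/list/str/int need no global
    lookup, so benign data still loads; the gadget is rejected before it runs."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_load(build_malicious_payload()))   # the echo ran: that is RCE
    print(safe_load(build_benign_payload()))         # normal data still works
    print(is_rejected(build_malicious_payload()))    # True
```

Note where the rejection happens: in the name resolution step, before any object is built or called. A filter that inspects objects after they exist is already too late, which is the same reason Java’s filter is applied as the stream is read rather than after readObject returns.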

Keep Watch: active exploitation of F5 BIG-IP continues. If you aren’t patched, assume compromise. Seriously 😐

Daily Perk 3/18/2021

Brought you a fresh cup!

Supply chain attack targets iOS developers with XcodeSpy malware per Bleeping Computer

We love all the cool fun stuff Apple makes. Apple’s free development environment is Xcode, and developers routinely share Xcode projects with one another. Collaboration is powerful, saving time and money when you can reuse something already built. Over 2020 we saw more attackers tampering with code in online repositories, and that becomes a supply chain attack when the tainted code is distributed through a trusted source.

SentinelOne researchers found a malicious copy of the legitimate open-source “TabBarInteraction” Xcode project. It carries an obfuscated Run Script build phase that executes when the project is built, calls back to the attacker’s server and installs the EggShell backdoor. Apple devices have an established reputation for being secure, which brings the expectation that associated apps and services will be too. For attackers, that inherent trust is a major opportunity, and building the project is all it takes to trigger the script.

Steganography: Two attacks this week hide bad things in good images per Threatpost

Deception. Or, what you can’t see may hurt you. Steganography continues to evolve as an attack tactic that lets attackers hide code or stolen data inside media files. Hide in plain sight. There were two new developments this week.

In one, security researcher David Buchanan shared on Twitter a way to hide MP3 audio files and ZIP archives inside PNG images posted to Twitter, exploiting how Twitter processes PNG uploads. There are some limitations, but nothing a motivated attacker couldn’t work around.

In the other, researchers at Sucuri found Magecart attackers storing the payment card data they skimmed in a .jpg file on the compromised site, so the loot could be collected later as an innocuous-looking image download. Magecart attacks are hard to detect unless you know where to look in the code and are actively watching for them. Over 2020 these attacks rose sharply, and Magento sites are a favourite target.
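Both items come down to the same question for a defender: is this file only the image it claims to be? The following is an added example for this page, not code from Buchanan, Sucuri or any skimmer. It builds a small PNG in memory, appends a ZIP to make a PNG/ZIP polyglot (a single byte string that is both a valid image and a readable archive), builds a constructed JPEG marker stream with bytes appended after the EOI marker, and runs a structural check over each: signature, chunk or marker walk, bytes after the terminating chunk, and a size sanity test on the image data. The naive append-after-the-end form is exactly what an upload pipeline that strips trailing bytes removes; Buchanan’s technique keeps the payload inside the PNG’s own data instead, which is why the example also compares IDAT size against what the picture could possibly need. The IDAT threshold is a heuristic of ours, and all sample inputs are constructed.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # colour type -> samples per pixel
JPEG_RST = set(range(0xD0, 0xD8))               # restart markers: no length, allowed in scan data


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list to IEND; report chunk CRCs, oversized IDAT and trailing bytes."""
    if not data.startswith(PNG_SIG):
        return {"kind": "not-png"}
    pos, chunks, idat, raw_size, end = len(PNG_SIG), [], 0, None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break                                # truncated chunk
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype.decode("ascii"), length, crc == zlib.crc32(ctype + body)))
        if ctype == b"IHDR":
            w, h, depth, colour = struct.unpack(">IIBB", body[:10])
            # Bytes IDAT must inflate to: per row, one filter byte plus packed samples.
            raw_size = h * (1 + (w * PNG_CHANNELS[colour] * depth + 7) // 8)
        elif ctype == b"IDAT":
            idat += length
        pos += 12 + length
        if ctype == b"IEND":
            end = pos
            break
    return {
        "kind": "png",
        "chunks": chunks,
        "trailing_bytes": None if end is None else len(data) - end,
        # Heuristic (ours): compressed image data much larger than the raw picture
        # means the stream is carrying something other than the picture.
        "idat_oversized": raw_size is not None and idat > raw_size + 64 + raw_size // 1000,
    }


def inspect_jpeg(data: bytes) -> dict:
    """Walk marker segments, including entropy-coded scan data, to EOI; report trailing bytes."""
    if not data.startswith(b"\xff\xd8"):
        return {"kind": "not-jpeg"}
    pos, markers = 2, []
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        markers.append(marker)
        if marker == 0xD9:                       # EOI: everything after this is not image
            return {"kind": "jpeg", "markers": markers, "trailing_bytes": len(data) - pos - 2}
        if marker == 0x01 or marker in JPEG_RST:  # standalone markers carry no length
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:                       # SOS: skip scan data up to the next real marker
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in JPEG_RST
            ):
                pos += 1
    return {"kind": "jpeg", "markers": markers, "trailing_bytes": None}   # malformed / no EOI


def build_png(width: int = 2, height: int = 2) -> bytes:
    """A genuine, if dull, 8-bit RGB PNG built in memory (constructed sample)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))  # filter 0, red pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")


def build_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def read_hidden_zip(data: bytes) -> dict:
    """ZIP readers locate the central directory from the end of the file, so a ZIP
    appended to a PNG opens normally: one file, two valid formats."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


# Constructed JPEG marker stream: SOI, APP0, a minimal SOS header, a few bytes of scan
# data (with the 0xFF00 stuffing real scans use) and EOI. Structurally valid, not a picture.
FAKE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    polyglot = build_png() + build_zip({"skimmed.txt": b"4111 1111 1111 1111,12/24,123"})
    print(inspect_png(polyglot))          # trailing_bytes equals the ZIP's size
    print(read_hidden_zip(polyglot))      # and the ZIP still opens
    print(inspect_jpeg(FAKE_JPEG + b"<stolen data>"))
```

The Sucuri case is the degenerate one: the “.jpg” the skimmer wrote was a data file with an image extension, and that fails at the very first check (no JPEG signature). Run this over the images in a web root and anything reported as not-png/not-jpeg, with trailing bytes, with a failed CRC, or with oversized IDAT deserves a look.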

Daily Perk 3/17/2021

The beans started out green if that counts …

MS Exchange Server Hits: Chilean banking regulator reports server compromise. 32 Indian organizations have been compromised.

SolarWinds Update, per Bleeping Computer: Mimecast, a major email security provider, reported that the SolarWinds attackers got into its network through the Sunburst backdoor. They accessed email and contact information and took source code. Mimecast says the code taken does not appear sufficient to do anything significant, but given how much tends to come to light after a compromise, I am pessimistic. Also note the abuse of a certificate in this attack: the compromised certificate was the one Mimecast issued for customers’ Microsoft 365 connections. Mimecast published an Incident Report with more details.

Trio of 15-year-old Linux bugs found, per Sophos

Security researchers at GRIMM identified three bugs in the Linux kernel’s iSCSI subsystem that, fortunately, are now patched, and that nobody noticed in all that time. Read their report here. iSCSI isn’t something at the forefront anymore. However, as we know so well from Windows and older Linux libraries, age doesn’t matter. Many components have been around for years, even decades, and major vulnerabilities are being identified in them now; some are critical, allowing RCE and total system compromise. And on Linux, the kernel can load modules like these automatically on demand, so “we don’t use iSCSI” does not mean the vulnerable code is unreachable. Not to be overly dramatic, but there could be a ticking time bomb buried deep within the network.

Daily Perk 3/16/2021

New Botnet using Mirai variant and targeting numerous vulnerabilities per Threatpost

Researchers at Palo Alto’s Unit 42 report a very busy botnet hunting connected devices, including network security appliances. The botnet has leveraged at least ten known vulnerabilities to compromise devices, then drops a Mirai variant compiled for the device’s CPU architecture. Targets include SonicWall, D-Link and Netgear devices, among others. With APTs from Russia and China merrily traversing our networks, now is a great time to say: remember the 2019 botnets built from vulnerable VPN devices? These things can be weaponized …

China-based cyber espionage campaign targets telecoms per ZDNet

Telecoms have been targeted by APTs for some time, and this campaign, dubbed Operation Diànxùn, is attributed to Mustang Panda, also tracked as RedDelta. Chinese APTs are notoriously good at cyber espionage, and telecoms are rich sources of information. So far 23 providers in Europe, the US and South East Asia have been targeted in an operation extending back to August 2020. There has been a clear uptick in aggressive cyber activity by China, and given the current situation with Exchange servers I urge active monitoring for this activity: do not underestimate the depth or extent of their intrusions.

Daily Perk 3/15/2021

Mondays and time change

Did someone leak PoC code for the Microsoft Exchange server bugs? per ZDNet

What if … there was a leak of the very sensitive proof-of-concept exploit code for those massive Exchange server vulns? Could that explain the rampant proliferation of exploits and attacks by so many threat actors? Microsoft is asking that very question, since it shared the code with certain security partners in its Microsoft Active Protections Program on Feb 23, before the patches were released. At least six known APTs were playing hide and seek before March 2: Hafnium, Tick, Calypso, LuckyMouse, Websiic and Winnti Group. There are still 82,000 unpatched servers out there, and unfortunately not all of them can be patched, or patched easily. Worse, patching does not evict an attacker who is already in: hunt for web shells and other persistence, and rebuild anything you cannot vouch for. Might I suggest burn it with fire 🔥

Phishing Kits now detecting and evading virtual machine browsers per Bleeping Computer

Not good for defenders who use virtual machines to check whether a site is tainted. With this new trick, the kit’s JavaScript checks whether the browser is using a software renderer (the WebGL renderer string reporting something like SwiftShader, LLVMpipe or VirtualBox, which is what you get in a VM without GPU passthrough) and whether the screen dimensions look like a real monitor rather than a headless or simulated display. The kit just serves a blank page if it finds something “faux” that would be a foe. If you analyse phishing pages from VMs, expect blanks, and either give the sandbox a GPU-backed renderer or spoof those values.

0-Day: Third Google Chrome zero-day reported in three months. I did a write-up on that yesterday.

0-Day: Third Chrome zero-day patched this year, actively exploited

Per Bleeping Computer, CVE-2021-21193 is the third Chrome zero-day this year that Google confirms is being exploited in the wild. It’s described as a use-after-free bug in Blink, the open-source browser rendering engine, and could result in arbitrary code execution, and possibly tears. Google isn’t sharing more until most users have updated; until then, getting the fixed build out to your fleet is the only mitigation. Its other two friends are CVE-2021-21166 and CVE-2021-2114, which you probably want to look into further if you haven’t already.