InfoSec News 20220317

  • Published: Thu, 17/03/2022 - 10:48

Top News


  • B1txor20 Linux botnet use DNS Tunnel and Log4J exploit

"Researchers from Qihoo 360’s Netlab have discovered a new backdoor used to infect Linux systems and include them in a botnet tracked as B1txor20.
The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system captured an unknown ELF file that was spreading by exploiting the Log4J vulnerability."

Link

TLP¹: Green

  • US Warns About Russian Attacks Exploiting MFA Protocols, PrintNightmare Flaw

"The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI on Tuesday warned organizations that Russian state-sponsored threat actors have gained access to networks and systems by exploiting default multi-factor authentication (MFA) protocols and a Windows vulnerability known as PrintNightmare.
According to the agencies, the unnamed threat group targeted an NGO in as early as May 2021, leveraging a misconfigured account set to default MFA protocols to access the victim’s network."

Link

TLP¹: Green

  • Russia’s disinformation uses deepfake video of Zelenskyy telling people to lay down arms

"Russian disinformation continues, this time it used a deepfake video of Zelenskyy inviting Ukrainians to ‘lay down arms.’ A deepfake video of the Ukrainian president Volodymyr Zelenskyy telling its citizens to lay down arms is the last example of disinformation conducted by Russia-linked threat actors. The fake video shows President Zelenskyy saying ‘It turned out to be not so easy being the president’.”
“My advice to you is to lay down arms and return to your families. It is not worth it dying in this war. My advice to you is to live. I am going to do the same.” the President says in the fake video.
The quality of the video is very low and it has been easy to debunk it due to the lack of proportion between the president’s face and his body."

Link

TLP¹: Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • BIG sabotage: Famous npm package deletes files to protest Ukraine war

"This month, the developer behind the popular npm package 'node-ipc' released sabotaged versions of the library in protest of the ongoing Russo-Ukrainian War.
Newer versions of the 'node-ipc' package began deleting all data and overwriting all files on developers' machines, in addition to creating new text files with "peace" messages.
With over a million weekly downloads, 'node-ipc' is a prominent package used by major libraries like Vue.js CLI."

Link

TLP¹: Green

  • Ukraine Secret Service Arrests Hacker Helping Russian Invaders

"The Security Service of Ukraine (SBU) said it has detained a "hacker" who offered technical assistance to the invading Russian troops by providing mobile communication services inside the Ukrainian territory.
The anonymous suspect is said to have broadcast text messages to Ukrainian officials, including security officers and civil servants, proposing that they surrender and take the side of Russia. The individual has also been accused of routing phone calls from Russia to the mobile phones of Russian troops in Ukraine."

Link

TLP¹: Green

  • ‘Fox guarding the henhouse’ – Founder of cyber-fraud prevention company pleads guilty to defrauding investors

"A US entrepreneur who pocketed millions of dollars after falsifying bank statements to generate investment for his cyber-fraud prevention firm has pleaded guilty to securities fraud.
Adam Rogas, co-founder and former CEO, CFO, and director of Las Vegas-based NS8, used fraudulent financial data to secure more than $123 million in financing for the company, around $17.5 million of which he “personally obtained”, according to a US Department of Justice (DoJ) press release.
Rogas, 44, pled guilty to one count of securities fraud before a federal court in New York yesterday (March 16). The charge carries a maximum sentence of 20 years in prison."

Link

TLP¹: Green

  • SolarWinds warns of attacks targeting Web Help Desk instances

"SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw).
WHD is an enterprise helpdesk ticketing and IT inventory management software designed to help customers automate ticketing and IT asset management tasks."

Link

TLP¹: Green

Breaches: Data Breaches and Hacks


  • Hacker breaches key Russian ministry in blink of an eye

"In mere seconds, a hacker remotely accessed a computer belonging to a regional Russian Ministry of Health, taking advantage of sloppy cybersecurity practices to expose its entire network.
Original post at https://cybernews.com/cyber-war/hacker-breaches-key-russian-ministry-in-...
Spielerkid89, who wished to remain anonymous, did not intend to harm the organization and left its systems intact. However, his experiment is a perfect example of how poor cyber hygiene can leave organizations vulnerable to cyber attacks.
Russian state-sponsored cyber attacks can be devastating and leave hundreds of thousands of the Kremlin’s foes without water or electricity."

Link

TLP¹: Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • CISA adds 15 vulnerabilities to list of flaws exploited in attacks

"The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added fifteen additional flaws to its list of actively exploited vulnerabilities known to be used in cyberattacks.
These public warnings aim to raise awareness to system administrators who have yet to apply the corresponding security updates and urge them to prioritize the action.
Since threat actors have been observed targeting these flaws in the attacks, failing to address the security issues means risking a network compromise that can lead to a catastrophic data breach or ransomware attack."

Link

TLP¹: Green

  • Unpatched plugins threaten millions of WordPress websites

"A year-on-year surge has been observed in the number of security vulnerabilities found in the WordPress ecosystem.
The number of flaws reported in plugins and themes for WordPress was 150% higher in 2021 than in 2020, according to researchers at WordPress security firm Patchstack. As many as 29% of critical vulnerabilities were never patched.
WordPress powers just over 40% of all websites, but bugs in plugins and themes can render those sites vulnerable to SQL injection, arbitrary file upload, remote code execution (RCE) or privilege escalation attacks, among others."

Link

TLP¹: Green

  • New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers

"A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host.
"Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," CrowdStrike researchers John Walker and Manoj Ahuje said in an analysis published this week."

Link

TLP¹: Green

  • Microsoft Defender tags Office updates as ransomware activity

"Windows admins were hit today by a wave of Microsoft Defender for Endpoint false positives where Office updates were tagged as malicious in alerts pointing to ransomware behavior detected on their systems.
According to Windows system admins reports [1, 2, 3, 4], this started happening several hours ago and, in some cases, it led to a "downpour of ransomware alerts."
Following the surge of reports, Microsoft confirmed the Office updates were mistakenly marked as ransomware activity due to false positives."

Link

TLP¹: Green

  • Google Patches Critical Vulnerability With Chrome 99 Update

"A Chrome 99 update released by Google on Tuesday patches a critical vulnerability discovered by one of the company’s own researchers.
The critical flaw, tracked as CVE-2022-0971, has been described as a use-after-free issue affecting the Blink Layout component. Sergei Glazunov of Google Project Zero has been credited for reporting the flaw.
Google doesn’t often assign a “critical severity” rating to Chrome vulnerabilities. In fact, over the past year, only four other Chrome updates fixed a critical issue. Two of the four critical vulnerabilities were discovered by Glazunov, who has also identified a high-severity bug that was patched this week."

Link

TLP¹: Green

  • Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters

"Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations.
"By injecting CSS into the data processed by dompdf, it can be tricked into storing a malicious font with a .php file extension in its font cache, which can later be executed by accessing it from the web," Positive Security researchers Maximilian Kirchmeier and Fabian Bräunlein said in a report published today."

Link

TLP¹: Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • 7 Capabilities Every WAF Should Provide

"WAF solutions or Web Application Firewall solutions are indispensable today in ensuring round-the-clock, proactive security against a wide range of threats – known and emerging."

Link

TLP¹: Green

  • Cloudflare Announces New Security Tools for Email, Applications, APIs

"Cloudflare this week made several security-related announcements, offering customers a new web application firewall (WAF) engine, as well as email security and API security tools.
The new email security tools, announced on Monday, are a result of Cloudflare’s recent acquisition of Area 1 Security. Once the acquisition of Area 1 closes — the deal should be finalized in the second quarter — Cloudflare will provide enterprise-grade email security tools to all customers at no additional charge."

Link

TLP¹: Green

  • IOCs vs. IOAs — How to Effectively Leverage Indicators

"Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability."

Link

TLP¹: Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Log4Shell Makes the Case for Runtime Application Self-Protection

"Dive into the case for RASP to combat Log4Shell and why Web app firewalls aren't great for these types of attacks."

Link

TLP¹: Green

  • Raspberry Pi Users Urged to Change Default Passwords as Attacks Surge

"Security experts have called on Raspberry and Linux users to change default passwords on their machines as new data revealed the extent of bot-driven attempts to hijack systems.
Cybersecurity vendor Bulletproof set up a series of honeypots in the public cloud to analyze the behavior of threat actors from November 2020 to November 2021.
It found that 70% of web traffic was comprised of bot activity, with default credentials the most common passwords used by bad actors to attempt access. Of the top failed default credential login attempts targeting the honeypots, Linux username and password “nproc” was in second, and the combo of “pi” and “raspberry” came eighth."

Link

TLP¹: Green

  • Unsecured Microsoft SQL, MySQL servers hit by Gh0stCringe malware

"Hackers target poorly secured Microsoft SQL and MySQL database servers to deploy the Gh0stCringe remote access trojans on vulnerable devices.
Gh0stCringe, aka CirenegRAT, is a variant of Gh0st RAT malware that was most recently deployed in 2020 Chinese cyber-espionage operations but dates as far back as 2018.
In a new report today by cybersecurity firm AhnLab, researchers outline how the threat actors behind Gh0stCringe are targeting poorly secured database servers with weak account credentials and no oversight."

Link

TLP¹: Green

  • What the Newly Signed US Cyber-Incident Law Means for Security

"Bipartisan cybersecurity legislation comes amid increased worries over ransomware, and fears of cyberattacks from Russia in the wake of its invasion of Ukraine."

Link

TLP¹: Green

  • Microsoft the No. 1 Most-Spoofed Brand in Phishing Attacks

"New Barracuda Networks data shows attackers sent some 3 million emails from around 12,000 pilfered accounts."

Link

TLP¹: Green

  • TrickBot Malware Abusing MikroTik Routers as Proxies for Command-and-Control

"Microsoft on Wednesday detailed a previously undiscovered technique put to use by the TrickBot malware that involves using compromised Internet of Things (IoT) devices as a go-between for establishing communications with the command-and-control (C2) servers.
"By using MikroTik routers as proxy servers for its C2 servers and redirecting the traffic through non-standard ports, TrickBot adds another persistence layer that helps malicious IPs evade detection by standard security systems," Microsoft's Defender for IoT Research Team and Threat Intelligence Center (MSTIC) said."

Link

TLP¹: Green

  • Emotet malware campaign impersonates the IRS for 2022 tax season

"The Emotet malware botnet is taking advantage of the 2022 U.S. tax season by sending out malicious emails pretending to be the Internal Revenue Service sending tax forms or federal returns.
Emotet is a malware infection distributed through phishing emails with attached Word or Excel documents containing malicious macros. Once these documents are opened, they will trick the user into enabling macros that will download the Emotet malware onto the computer.
Once Emotet is installed, the malware will steal victims' emails to use in future reply-chain attacks, send further spam emails, and ultimately install other malware that could lead to a Conti ransomware attack on the compromised network."

Link

TLP¹: Green

  • A Detailed Guide on httpx

"httpx is a fast web application reconnaissance tool coded in Go by www.projectidscovery.io. With a plethora of multiple modules effective in manipulating HTTP requests and filtering out responses, it is proving to be an effective tool in a Bug Bounty Hunter’s arsenal. While tools like curl already exist that can perform almost all the features covered in this tool, httpx has its own place among analysts because of its speed and ease of access. You can download the source code from here."

Link

TLP¹: Green

  • Hundreds of GoDaddy-hosted sites backdoored in a single day

"Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload.
The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.
The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy."

Link

TLP¹: Green

¹ Traffic Light Protocol (TLP) [1] for information sharing:
  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.
[1] https://www.first.org/tlp