Overview of security incidents for the period 4-10 September 2021


A record DDoS attack on Yandex, the hacking of the UN computer network, a zero-day vulnerability in Zoho servers, leaked passwords for Fortinet VPN accounts, and a scandal around the ProtonMail service are just a few of the events the past week will be remembered for.

Yandex faced the largest DDoS attack in the history of the Russian Internet; it did not, however, disrupt the operation of the Internet giant's services, and user data was not affected. The source of the attack was a new botnet called Mēris ("plague" in Latvian). Experts first noticed signs of the botnet, presumably made up of network devices, in June of this year. According to them, the botnet includes more than 200 thousand devices, and reverse L2TP tunnels are used for communication within the network.

This week, DDoS attacks temporarily disrupted the operation of ANZ, New Zealand's largest bank, a number of other financial institutions, and the country's national postal service.

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a zero-day vulnerability in Zoho ManageEngine servers that has been actively exploited in attacks for more than a week.

The issue (CVE-2021-40539) affects ADSelfService Plus, a self-service password management and single sign-on (SSO) solution from India's Zoho Corporation (ManageEngine). It can be exploited to bypass authentication via the ADSelfService Plus REST API URL and then execute arbitrary code on a vulnerable server. The issue is fixed in ADSelfService Plus build 6114.

As became known this week, unknown attackers broke into the United Nations computer network and stole information that could be used to attack UN agencies. The attackers got in using stolen account credentials for Umoja, the UN's proprietary enterprise resource management system.

A collection of nearly 500,000 Fortinet VPN credentials has been posted on the RAMP underground forum. In total, the published file contains VPN credentials for 498,908 users on 12,856 devices. Experts believe the attackers exploited a path traversal vulnerability (CVE-2018-13379) in the FortiOS SSL VPN web portal to harvest the credentials.
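The practical question for a defender after a leak like this is not how the file was collected but which of your own devices and accounts appear in it. The script below is an added example (it is not code from Fortinet or from any of the researchers who analysed the dump): it parses a constructed sample in an assumed "ip:port,username,password" layout (the real file's layout is not described above), discards the passwords, matches each record against the defender's own address ranges (203.0.113.0/24 here is an assumption), and lists the accounts that need a forced reset per device.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines (not from the real leak; the real file's layout is not
# described above). Assumed layout: "ip:port,username,password", one record per line.
SAMPLE_DUMP = """\
203.0.113.10:10443,alice,Winter2019!
203.0.113.10:10443,bob,Passw0rd
198.51.100.7:443,vpnuser,hunter2
203.0.113.250:10443,carol,Sp1derman
not a credential line at all
"""

# Assumption: the public address ranges the defender is responsible for (CIDR strings).
OUR_RANGES = ["203.0.113.0/24"]


def parse_dump(text):
    """Return a list of (ip, port, username) from dump lines; malformed lines are skipped.

    The password field is deliberately discarded: to act on the leak a defender
    only needs to know which accounts on which devices were exposed.
    """
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(",", 2)
        if len(parts) != 3:
            continue  # skip junk rather than crash on a dirty dump
        hostport, user, _password = parts
        host, _, port = hostport.rpartition(":")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        entries.append((ip, int(port) if port.isdigit() else None, user))
    return entries


def affected_accounts(entries, ranges):
    """Map each of our device IPs that appears in the dump to the usernames exposed on it."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    hits = defaultdict(set)
    for ip, _port, user in entries:
        if any(ip in net for net in nets):
            hits[str(ip)].add(user)
    return {ip: sorted(users) for ip, users in sorted(hits.items())}


if __name__ == "__main__":
    for ip, users in affected_accounts(parse_dump(SAMPLE_DUMP), OUR_RANGES).items():
        print(f"{ip}: force password reset for {', '.join(users)}")
```

Because the credentials were read out of live session data on devices that were unpatched at the time of harvesting, patching the appliance afterwards does not invalidate them; every listed account needs a password reset, and any other system where the same password was reused needs one too.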

The full source code of the Babuk (Babyk) ransomware, widely known after the attack on the Washington, DC police department, has been published on the Russian-language hacker forum XSS.

According to the forum post, the Babuk source code was published by its developer himself. The young man said that he has cancer, that he does not have long to live, and that he is financially set for the rest of his life.

Interestingly, the leak site of the REvil ransomware group, which went offline in July this year after the group's activity drew close attention from the US authorities, came back online this week.

Cybersecurity experts have not yet identified new versions of the REvil ransomware, and it is unclear whether the group has carried out any new attacks.

Law enforcement in South Korea has arrested a Russian citizen suspected of collaborating with the TrickBot cybercrime group. The man had spent a year and a half in South Korea because of the coronavirus pandemic and was detained at Seoul's airport while trying to fly back to Russia.

The Ragnar Locker ransomware group has found a new way to pressure victims: it now threatens to publish the data stolen from a victim if the victim turns to law enforcement for help.

According to a post on Ragnar Locker's darknet site, the threat also extends to victims who bring in outside experts to recover encrypted files or to negotiate a ransom.

Jenkins developers reported a cyberattack in which attackers gained access to one of the project's internal servers and installed a Monero cryptocurrency miner on it.

According to the notice, the attackers broke in through one of the project's servers running Atlassian Confluence, which contained a remote code execution vulnerability (CVE-2021-26084). According to the developers, the attack did not affect Jenkins releases, plugins or the project's source code.

The independent investigative organization ProPublica reported that Facebook's WhatsApp messenger regularly scans users' private messages. WhatsApp employs more than 1,000 contractors in the United States and abroad (Ireland, Singapore) who review users' private messages, photos and videos using special Facebook software and AI systems.

The encrypted email service ProtonMail found itself at the centre of a scandal after it disclosed the IP addresses of a number of its French users linked to the environmental movement Youth for Climate. The data was handed over at the request of the French authorities, after which the users were arrested. The news drew strong public criticism, and the company subsequently removed from its privacy policy the statement that it does not keep IP logs that could be linked to an anonymous email account.

A hacker using the handle SangKancil stole the personal data of roughly 7 million Israeli citizens by breaking into the database of the CITY4U website, which municipalities and local councils use to serve residents.

The stolen information includes identity cards, driver's licenses, tax returns, fine notices, and receipts for payments for education, water, parking and other services.

Anomali specialists reported a wave of targeted phishing attacks using a malicious Microsoft Word document that exploits the theme of the new Windows 11. The document is used to deliver a JavaScript backdoor that collects information from infected devices.

The attackers used a malicious Word document containing an image that purports to have been created on a device running Windows 11 Alpha. The image prompts the user to enable macros, which starts the second stage of the attack: an obfuscated VBA macro runs and drops the JavaScript payload, which in turn loads the backdoor.
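To make the detection side of this concrete, here is an added triage example (not code from Anomali, and not the campaign's own document): it opens an OOXML file as a zip, reports reliably whether a VBA project is present (by the vbaProject.bin part and the macro-enabled content type), and then looks in the raw macro part for auto-execution entry points and the host-interaction calls a dropper needs. The sample document is constructed inside the script, with a fake vbaProject.bin that stores its strings in plain form; the keyword lists, function names and the StrReverse-obfuscated command are my assumptions for illustration.

```python
import io
import zipfile

# Macro entry points that run as soon as macros are enabled, and host-interaction
# calls a dropper typically needs to write and launch a payload.
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open", "Auto_Open")
SUSPICIOUS = ("WScript.Shell", "CreateObject", "MSXML2.XMLHTTP", "ADODB.Stream",
              "StrReverse", "Chr(", "Environ(", "wscript", "cscript")


def scan_office_file(data: bytes) -> dict:
    """Triage an OOXML document (docx/docm/xlsm) given as bytes.

    has_macro is reliable: it checks for a vbaProject.bin part and for the
    macroEnabled content type. The keyword hits are a heuristic over the raw
    macro part and can be defeated by obfuscation (see the usage note).
    """
    report = {"is_ooxml": False, "has_macro": False, "auto_exec": [], "suspicious": []}
    if not data.startswith(b"PK"):
        return report
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return report
        report["is_ooxml"] = True
        content_types = zf.read("[Content_Types].xml")
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        report["has_macro"] = bool(macro_parts) or b"macroEnabled" in content_types
        found_auto, found_sus = set(), set()
        for part in macro_parts:
            blob = zf.read(part)
            found_auto.update(k for k in AUTO_EXEC if k.encode() in blob)
            found_sus.update(k for k in SUSPICIOUS if k.encode() in blob)
        report["auto_exec"] = sorted(found_auto)
        report["suspicious"] = sorted(found_sus)
    return report


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample, not a real malicious file: a minimal OOXML zip whose fake
    vbaProject.bin holds the kind of strings a VBA dropper like the one above would."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                 else "application/vnd.openxmlformats-officedocument"
                      ".wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>'
                    f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
                    '</Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Plain-text stand-in for a real VBA project; the launched command is
            # stored reversed, as obfuscated macros commonly do.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0fake-ole-header\x00"
                        b'Sub AutoOpen()\r\n'
                        b'Set sh = CreateObject("WScript.Shell")\r\n'
                        b'sh.Run StrReverse("exe.tpircsw") & " " & Environ("TEMP") & "\\p.js", 0\r\n'
                        b'End Sub\r\n')
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro document", True), ("clean document", False)):
        print(label, scan_office_file(build_sample(flag)))
```

Two caveats for real samples. First, a genuine vbaProject.bin is an OLE compound file in which the VBA source is compressed per the MS-OVBA format, so a raw byte search over the part can miss strings that a decompressing tool such as oletools' olevba would show; the macro-presence check does not depend on that and stays reliable. Second, the constructed sample already shows why keyword matching is only a heuristic: the launched interpreter is stored as StrReverse("exe.tpircsw"), so the literal "wscript" never appears, and only the surrounding calls (CreateObject, WScript.Shell, StrReverse, Environ) give it away.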
