Overview of security incidents for the period 18-24 September 2021

The sixteenth vulnerability in Apple products this year, a “terrorist attack” on the financial system of Venezuela, a key hidden by the FBI that could have recovered files encrypted by REvil, the exploitation of an eleven-year-old vulnerability in Adobe ColdFusion – read about these and other security incidents for the period from September 18 to September 24, 2021.

Following the publication on September 16 of a PoC for the OMIGOD vulnerability, active Internet-wide scans began looking for unpatched Azure Linux servers. Cybercriminals have started deploying cryptocurrency miners on compromised servers, or enrolling the hacked machines in a botnet.

A hacker group, allegedly state-sponsored, attempted to attack the computer network of one of the largest ports in the United States, the Port of Houston. During the attack, the attackers intended to exploit a zero-day vulnerability in Zoho (CVE-2021-40539). The port authority said it had successfully repelled the attack and that “no operational data or systems were affected.” As a result of the CISA investigation, the FBI and the US Coast Guard issued a joint warning to organizations in the United States about foreign attacks through the Zoho vulnerability.

Apple fixed the sixteenth zero-day vulnerability in its products this year. The vulnerability, identified as CVE-2021-30869, is present in the XNU kernel component of Apple’s current operating systems and has already been exploited in attacks. As Shane Huntley, head of the Google Threat Analysis Group, explained, the XNU vulnerability is one of two links in the exploit chain. Attackers use it together with a known vulnerability in WebKit to execute malicious code in the victim’s browser and then escalate privileges in order to gain control over the attacked device.

One of the most notorious events of the week is the attack on NEW Cooperative, a major US agricultural supplier. The farm cooperative, with more than sixty locations in Iowa, was hit with the BlackMatter ransomware. The extortionists demanded a $5.9 million ransom from the cooperative, threatening otherwise to publish the data stolen from its computer networks.

An attack on the servers of the Bank of Venezuela, presumably carried out from the territory of the United States, disabled the systems of the country’s main financial institution for five days. According to Venezuelan Vice President Delcy Rodríguez, there were several continuous attacks aimed at destroying data and damaging the country’s financial system. It took five days to eliminate the consequences of the cyberattack and strengthen the system’s defenses.

Specialists at the British information security company Cyjax reported a large-scale phishing campaign against employees of government agencies in Russia and neighboring countries. The campaign aimed to collect government email credentials by creating phishing pages that mimic email login pages. The malicious operation began in the spring of 2020, when the attackers moved their fake domains to their current hosts. At the time of discovery, 15 phishing pages were still active and were being used to collect data from government officials of Belarus, Georgia, Turkmenistan, Kyrgyzstan, Uzbekistan, Ukraine and other countries. Several of the pages were fake login pages for the Mail.ru service.

The personal data of over 106 million international travelers who visited Thailand in the past 10 years was made publicly available. The leaked database included visitors’ full names, passport numbers, arrival dates, visa types, residence status, and more. Bob Diachenko, cybersecurity specialist at Comparitech, discovered the database on August 22 and immediately notified the Thai authorities. Thailand acknowledged the incident and took measures the next day to secure the data.

The personal data of participants in virtual events organized through the EventBuilder platform was publicly accessible and indexed by search engines (e.g., Grayhat Warfare). According to cybersecurity researcher Bob Diachenko and Clario Tech, a misconfiguration caused EventBuilder to expose hundreds of thousands of CSV and JSON files with personal information belonging to people who registered for events through Microsoft Teams. The exposed information included full names, email addresses, company names, job titles, phone numbers, etc.

The decentralized VEE Finance platform was hacked on September 20. The attackers withdrew $35 million: $26 million in Ethereum and $9 million in Bitcoin. The company advised users to suspend all operations on the platform for now. According to VEE Finance, unknown persons gained access to the project’s smart contract and, on the third attempt, managed to withdraw funds to a single wallet.

The DeFi cross-chain platform pNetwork reported the loss of 277 BTC ($12.5 million) as a result of a hacker attack in which the attacker exploited a vulnerability in the platform’s code. According to the project representatives, the other cross-chain bridges were not affected. The developers assured users that they had already updated the code and were waiting for all validators on the network to apply the update. The developers offered the hacker a reward of $1.5 million for returning the funds, although they considered such an outcome unlikely.

For almost three weeks, the FBI refrained from helping to unlock the computers of hundreds of businesses and organizations affected by REvil ransomware attacks. The agency had gained access to the servers of the Russian criminal group and secretly obtained the digital key needed to restore encrypted files. Publishing the key could have helped affected schools, hospitals and businesses avoid the cost of data recovery. But the FBI withheld the key, with the consent of other agencies, because it planned an operation to neutralize the REvil extortion group. The planned operation never happened.

An unknown cybercriminal group remotely hacked, in a matter of minutes, a server running an outdated version of Adobe ColdFusion 9 released 11 years ago, seized control over it, and 79 hours later deployed the Cring ransomware on it. The server, owned by an unnamed service provider, was used to collect timesheets and accounting data for payroll, as well as to host a number of virtual machines. According to experts at the information security company Sophos, the attacks were carried out from an Internet address belonging to the Ukrainian Internet provider Green Floid.

Attackers are breaking into Windows Internet Information Services (IIS) servers and injecting fake certificate-expiration pages that prompt visitors to install software which is actually a malware installer. The malicious program silently installs and starts the TeamViewer remote control program, which then connects to the attackers’ C&C server.

A targeted phishing campaign against the aviation industry that ran for two years is a prime example of how even low-skilled cybercriminals can carry out small malicious operations without being detected for a long time. Cisco Talos named the campaign, allegedly run from the territory of Nigeria, Operation Layover.

Cybersecurity researchers at Black Lotus Labs have documented a new compromise vector for Windows computers that uses malicious Linux binaries built for the Windows Subsystem for Linux (WSL). The experts found a number of malicious files written in Python and compiled into Linux ELF (Executable and Linkable Format) binaries for the Debian distribution.
