Multi Perimeter Device Exploit Mirai Version Hunting For Sonicwall, DLink, Cisco and more, (Tue, Jun 15th)Tue, 15 Jun 2021 10:16:33 GMT Vulnerable perimeter devices remain a popular target, and we do see consistent exploit attempts against them. This weekend, Guy wrote about some scans for Fortinet vulnerabilities [1], and Xavier notes that Crowdstrike observed attacks against EoL Sonicwalls [2]. Starting earlier this month, we did also observe a consistent trickle of requests looking for a relatively recent Sonicwall vulnerability:
Update: mac-robber.py, (Sun, Jun 13th)Sun, 13 Jun 2021 01:34:51 GMT Almost 4 years ago, I wrote a python version of mac-robber. I use it fairly regularly at &#;x26;#;x24;dayjob. This past week, one of my co-workers was using it, but realized that it hashes large files a little too slowly. He decided to use mac-robber.py to collect the MAC times and do the hashing separately so he could limit the hashes to to files under a certain size. That sounded reasonable, so I&#;x26;#;39;ve added a switch (-s or --size). If hashing is turned on the new switch will limit the hashing to files under the given size.
Fortinet Targeted for Unpatched SSL VPN Discovery Activity, (Sat, Jun 12th)Sat, 12 Jun 2021 17:32:44 GMT Over the past 60 days, I have observed scanning activity to discover FortiGate SSL VPN unpatched services. Fortinet has fixed several critical vulnerabilities in SSL VPN and web firewall this year from Remote Code Execution (RCE) to SQL Injection, Denial of Service (DoS) which impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall (WAF) products [1][2]. Two weeks ago, US-CERT [4] released an alert re-iterating that APT actors are looking for Fortinet vulnerabilities to gain access to networks. Additional information to look for signs of this activity available here.
Sonicwall SRA 4600 Targeted By an Old Vulnerability, (Fri, Jun 11th)Fri, 11 Jun 2021 13:55:53 GMT Devices and applications used to provide remote access are juicy targets. I&#;x26;#;39;ve already been involved in many ransomware cases and most of the time, the open door was an unpatched VPN device/remote access solution or weak credentials. A good example, the recent attack against the Colonial Pipeline that started with a legacy VPN profile[1].
Keeping an Eye on Dangerous Python Modules, (Fri, Jun 11th)Fri, 11 Jun 2021 05:31:23 GMT With Python getting more and more popular, especially on Microsoft Operating systems, it&#;x26;#;39;s common to find malicious Python scripts today. I already covered some of them in previous diaries[1][2]. I like this language because it is very powerful: You can automate boring tasks in a few lines. It can be used for offensive as well as defensive purposes, and... it has a lot of 3rd party "modules" or libraries that extend its capabilities. For example, if you would like to use Python for forensics purposes, you can easily access the registry and extract data:
Ransomware Poll: 80% of Victims Don’t Pay UpWed, 16 Jun 2021 18:01:27 +0000 Meanwhile, in a separate survey, 80 percent of organizations that paid the ransom said they were hit by a second attack.
Takeaways from the Colonial Pipeline Ransomware AttackWed, 16 Jun 2021 16:39:33 +0000 Hank Schless, senior manager of security solutions at Lookout, notes basic steps that organizations can take to protect themselves as ransomware gangs get smarter.
Euros-Driven Football Fever Nets Dumb PasswordsWed, 16 Jun 2021 15:50:33 +0000 The top easy-to-crack, football-inspired password in a database of 1 billion unique, clear-text, breached passwords? You probably guessed it: "Football."
5 Tips to Prevent and Mitigate Ransomware AttacksWed, 16 Jun 2021 13:00:45 +0000 Ransomware attacks are increasing in frequency, and the repercussions are growing more severe than ever. Here are 5 ways to prevent your company from becoming the next headline.
Peloton Bike+ Bug Gives Hackers Complete ControlWed, 16 Jun 2021 11:19:34 +0000 An attacker with initial physical access (say, at a gym) could gain root entry to the interactive tablet, making for a bevy of remote attack scenarios.
Malicious PDFs Flood the Web, Lead to Password-SnarfingTue, 15 Jun 2021 17:05:28 +0000 SolarMarker makers are using SEO poisoning, stuffing thousands of PDFs with tens of thousands of pages full of SEO keywords & links to redirect to the malware.
# Reddit netsec
# Krebs On Security
Ukrainian Police Nab Six Tied to CLOP RansomwareWed, 16 Jun 2021 14:42:42 +0000 Authorities in Ukraine this week charged six people alleged to have been part of the CLOP ransomware group, a cybercriminal gang said to have extorted more than half a billion dollars from victims. Some of CLOP's victims this year alone include Stanford University Medical School, the University of California, and University of Maryland.
How Does One Get Hired by a Top Cybercrime Gang?Tue, 15 Jun 2021 15:41:26 +0000 The U.S. Department of Justice (DOJ) last week announced the arrest of a 55-year-old Latvian woman who’s alleged to have worked as a programmer for Trickbot, a malware-as-a-service platform responsible for infecting millions of computers and seeding many of those systems with ransomware.Just how did a self-employed web site designer and mother of two come to work for one of the world’s most rapacious cybercriminal groups and then leave such an obvious trail of clues indicating her involvement with the gang? This post explores answers to those questions, as well as some of the ways Trickbot and other organized cybercrime gangs gradually recruit, groom and trust new programmers.
Microsoft Patches Six Zero-Day Security HolesTue, 08 Jun 2021 20:53:28 +0000 Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks.