CyberSec Intel Thursday #2

December 16, 2021 - Welcome to CyberSec Intel Thursday (CIT)!

  • Over 16 million WordPress sites attacked. Wordfence threat intelligence uncovered over 13.7 million coordinated attacks in the past 36 hours, originating from 16,000 different IP addresses and targeting four different plugins and several Epsilon Framework themes.

  • Massive scanning activity observed for Apache Log4j, seeking to exploit the zero-day vulnerability named Log4Shell or LogJam (CVE-2021-44228), an unauthenticated RCE vulnerability that allows complete system takeover on systems running Log4j 2.0-beta9 up to 2.14.1. CISA sounded the alarm on the Log4j vulnerability. A proof of concept for the exploit can be obtained from this GitHub repository.

  • Eclypsium researchers reported that MikroTik routers are highly vulnerable. MikroTik has been a popular supplier of routers and wireless ISP devices since 1996, with more than 2,000,000 devices deployed worldwide. Core to the issue are the use of default credentials (user admin with an empty password); the lack of default settings for the WAN port; the auto-upgrade feature not being turned on, meaning that many devices are simply never updated; and a complex configuration interface that makes it easy for users to make risky mistakes.

  • Volvo reported a cybersecurity attack in which some of its file repositories were accessed. Bleeping Computer reported that the Snatch ransomware group has claimed responsibility for the attack after adding the company to its leak site on November 30.

  • Websites under Brazil's Ministry of Health (MoH) have suffered a major ransomware attack that resulted in the unavailability of COVID-19 vaccination data for millions of citizens. Approximately 50 TB of COVID-19 vaccination data were taken, and the local copies were deleted. The Lapsus$ Group claimed responsibility for the hack.

  • The Solana blockchain suffered a DDoS attack. This is the second time Solana has experienced an outage: back in September the network suffered a 17-hour outage due to mass botting activity around an initial DEX offering (IDO) on the Solana-based decentralized exchange platform Raydium.

  • Google released a patch to address a high-severity zero-day vulnerability. While Google provided limited information on the specific attack PoC, 'use after free' bugs allow attackers to execute arbitrary code on computers running unpatched Chrome versions and/or escape the browser's security sandbox. Verify that you are running the patched version, Chrome 96.0.4664.110 (Official Build).

  • More ransomware crackdown, with France detaining a suspect responsible for laundering $21.4M.

  • Interpol held an online virtual assets conference on December 7-8 aimed at protecting the world’s financial systems by increasing multi-sector cooperation to strengthen cryptocurrency crime investigations. The discussions highlighted the fast-evolving fields of decentralized finance and non-fungible tokens (NFTs), regulatory developments affecting anti-money laundering compliance, crypto-enabled fraud, and the recovery of its proceeds. In sessions restricted to law enforcement circles, speakers shared their experiences from national and regional cryptocurrency investigations, demonstrating new methodologies for tracing criminal flows and operations in dark markets and decentralized money laundering scams.

  • Mandiant reported that Russian hackers bombarded targeted government and business users with multi-factor authentication push notifications in order to gain access to their accounts.