Bullseye OS, Unicode Mystery, ‘Bearded Barbie’ CatPhishing, & NginxDay – PSW #736

"Researchers from MalwareHunterTeam noted Static Web Apps have two features that are being abused with ease - custom branding for web apps, and web hosting for static content such as HTML, CSS, JavaScript, or images."

"Another notable feature of the malware is its use of DNS over HTTPS (DoH) for communicating with its command-and-control server ("gw.denonia[.]xyz") by concealing the traffic within encrypted DNS queries." - Also, it doesn't target a weakness in Lamba, but checks for that environment. Original article: https://www.cadosecurity.com/cado-discovers-denonia-the-first-malware-specifically-targeting-lambda/

"What the judge found most damning, perhaps, was a photo of Griffith presenting at the conference, wearing a traditional North Korean suit and standing in front of a blackboard on which it read “No sanctions!” with a smiley face."

Sounds like what we've been doing with 3rd party tools all along? "Updates are applied to a small initial set of devices, evaluated, and then graduated to increasingly larger sets, with an evaluation period at each progression," Microsoft said. "The outcome is to assure that registered devices are always up to date and disruption to business operations is minimized."

"Up until now, all installs of Raspberry Pi OS have had a default user called “pi”. This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place. But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials."

Strange disclosure: "As Nginx have now released a blog post about the public releases of information, we've emailed them with a description, some familiarities of the issue that they highlighted over and assets affected. However, people are quick to jump on the "This is fake" or "This isn't anything" bandwagon. As we got no answer to if there is any bounty offered by Nginx for the findings, we've not shared any deeper information about this. If there is no bounty or even reward, we've looked at the other option that would be to sell the exploit on either breached.co, exploit.in or other sites. (We've been offered about 200K in XMR for the exploit)." NGINX blog post: https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/

Catphished? "After gaining the trust of the target by interacting with them for a while, the adversaries suggest migrating the conversation to WhatsApp, supposedly for better privacy. This is when the conversation takes an erotic turn, with the threat actors suggesting another pivot to a supposedly more discreet Android IM app, which is actually the VolatileVenom malware. Simultaneously, the operative sends a link to a RAR file that purportedly contains a sexual video, but which in reality is a downloader for the BarbWire backdoor."

This is a long but amazing read. So many twists and turns, and thankfully we have investigators that don't give up and are able to take down scumbags at scale.

Interesting to see how this is exploited: "The log_fdw extension, AWS also notes, is pre-installed in both Aurora PostgreSQL and Amazon RDS for PostgreSQL. A privileged, authenticated user able to trigger the bug could use the leaked credentials to gain elevated access to database resources. “They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved,” AWS notes."

"According to notes published alongside the release of OpenSSH 9.0, the open-source group will now use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default, a move that includes a backstop against future discoveries of flaws in the NTRU algorithm." - Huh? Some resources: https://ntruprime.cr.yp.to/ and https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x25519/#

Borrowing from Mirai, still.. "This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for cryptomining is a big possibility." Original Source: https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet

Turn the power off once, shame on you. Let it happen again, shame on me: "In Tuesday's press briefing, SSSCIP's Zhora took the opportunity to argue that the relatively limited damage from Russia's cyber operations represents not merely Russia's lack of focus on cyberwar as it carries out a full-blown physical war, but also Ukraine's growing ability to defend itself in the digital domain. “We have been dealing with an opponent that has been constantly training us, drilling us. Since 2014 we've been under constant aggression, and our expertise is unique in how to rebuff this aggression,” says Zhora. “We're stronger. We're more prepared. And of course, we will secure victory.”"

Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains that were being used by the group as attack infrastructure to hit various Ukrainian institutions and the media.

Malware dubbed "Denonia" being leveraged in attacks targeting the Amazon Web Services' (AWS) Lambda serverless computing platform. Denonia is programmed in the "Go" language and includes a customized "XMRig" cryptocurrency mining variant.

California-based respiratory care provider SuperCare Health recently disclosed a data breach affecting more than 300,000 individuals. Breached 7/23-27/21 disclosed 2/4/22 because of analysis. How long is too long?

The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical subsystems using a new version of the CaddyWiper data destruction malware.

Researchers say they have observed threat actors leveraging a new piece of Windows information-stealing malware dubbed "FFDroider" that is disguised as the Telegram instant messaging app and specifically designed to steal targeted victims' credentials and browser cookies.

According to Symantec, as part of the attacks, Cicada uses a "clean" version of VLS to drop a malicious file with VLC's export functions, which is a technique frequently used by hackers to introduce malware into legitimate software.