AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 02/02/2022

Threat actors target Ubiquiti network appliances using Log4Shell exploits

Developed by Ubiquiti Networks, one of the largest hardware vendors in the world, the UniFi software can be installed on Linux and Windows servers and allows network administrators to manage Ubiquiti wireless and networking equipment from a centralized web-based application. This application was built using Java and utilized the Log4j library for its logging capabilities; it was listed as impacted by Log4Shell and received a patch on December 10, just a day after the Log4Shell news was made public. While Sprocket Security published its adaptation of the Log4Shell attack for UniFi devices in late December, attacks were not seen in the wild until Morphisec’s public report last Friday. Morphisec said the attackers took over UniFi devices and ran malicious PowerShell code that later downloaded and installed a version of the Cobalt Strike Beacon backdoor.


Shuckworm Continues Cyber-Espionage Attacks Against Ukraine

The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) is continuing to conduct cyber-espionage attacks against targets in Ukraine. Over the course of recent months, Symantec’s Threat Hunter Team, a part of Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country. Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets. A recent report published by The Security Service of Ukraine (SSU) noted that Shuckworm’s attacks have grown in sophistication in recent times, with attackers now using living-off-the-land tools to steal credentials and move laterally on victim networks. Recent activity seen by Symantec is consistent with that documented by SSU.


Germany: 2 oil storage and supply firms hit by cyberattack

Two companies involved in storing and supplying oil and other materials said Tuesday they have been hit by a cyberattack that has impacted operations in Germany. Oiltanking GmbH Group and Mabanaft Group on Saturday discovered what they called a “cyber incident affecting our IT systems” and launched an investigation together with external specialists, the companies said in an emailed statement. They did not elaborate on the nature of the incident or address who might be responsible, and said they are working to understand its “full scope.” They said that Oiltanking GmbH Group — which operates storage tank terminals for oil, gas and chemicals — is still operating all terminals in all global markets. But facilities at Oiltanking Deutschland GmbH, a separate entity that operates all terminals in Germany and is part of Mabanaft, are “operating with limited capacity.”


NSO offered US mobile security firm ‘bags of cash’, whistleblower claims

A whistleblower has alleged that an executive at NSO Group offered a US-based mobile security company “bags of cash” in exchange for access to a global signalling network used to track individuals through their mobile phone, according to a complaint that was made to the US Department of Justice. The allegation, which dates back to 2017 and was made by a former mobile security executive named Gary Miller, was disclosed to federal authorities and to the US congressman Ted Lieu, who said he conducted his own due diligence on the claim and found it “highly disturbing”. Details of the allegation by Miller were then sent in a letter by Lieu to the Department of Justice.


NordVPN and Surfshark are merging, continuing VPN consolidation trend

NordVPN and Surfshark have finalized a merger agreement between the two VPN providers, the companies announced Wednesday. Though the specifics of the transaction aren’t being released, the finalized merger agreement follows months of negotiations between the two companies that began in mid-2021, according to a joint press release issued by Surfshark and Nord Security, NordVPN’s parent company. Surfshark and NordVPN had been rivals in the ultra-competitive market for VPNs (virtual private networks) prior to the merger, but are now joining forces to “solidify both companies’ offerings in different market segments and diversify the geographical reach,” according to the press release. More consumers have turned to VPNs in recent years to counter increasingly invasive digital tracking from search engines, ISPs and advertisers, as well as to circumvent local content restrictions and censorship.


FBI warning: Scammers are posting fake job ads on networking sites to steal your money and identity

The FBI’s Internet Crime Complaint Center (IC3) is warning that scammers are exploiting verification weaknesses in job-focused networking sites to post legitimate-looking ads, capture personal information and steal money from job seekers. Scammers “continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI warns in a new public service announcement. The bogus ads threaten damage to the impersonated firm’s reputation and financial loss for the job seeker. According to IC3’s complaint reports, the average reported loss from this scheme since early 2019 has been $3,000 per victim.
