Welcome to the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Andy74, Tony Kelly, Ross Moore, Gurkirat Singh, Mars Groves, and Sinwindie.

In this edition, we have news articles, blog posts, and learning.


Discord Nitro gift codes now demanded as ransomware payments

In a novel approach to ransom demands, a new ransomware calling itself 'NitroRansomware' encrypts victim's files and then demands a Discord Nitro gift code to decrypt files.

Read more at bleepingcomputer.com

WhatsApp Pink is malware spreading through group chats

If installed, the fake and malicious WhatsApp Pink app takes full control of the targeted device.

Read more at hackread.com

120 Compromised Ad Servers Target Millions of Internet Users

More than 120 compromised ad servers are running a malvertising campaign that targets millions of users.

Read more at thehackernews.com

Vulnerability In Juniper Networks Junos OS Could Allow RCE Attacks

Juniper Networks has patched the vulnerability with the latest releases of Junos OS. Exploiting the bug could lead to DoS and RCE attacks.

Read more at latesthackingnews.com

Mozilla Plans To Remove FTP Implementation With Firefox 90

Mozilla will first disable FTP with Firefox 88, and will ultimately remove the built-in FTP implementation with Firefox 90.

Read more at latesthackingnews.com

Over 750,000 Users Downloaded New Billing Fraud Apps From Google Play Store

Researchers have discovered a new set of fraudulent Android apps in the Google Play store that hijack SMS notifications for billing scams.

Read more at thehackernews.com

Signal CEO gives mobile-hacking firm a taste of being hacked

Software developed by data extraction company Cellebrite contains vulnerabilities that allow arbitrary code execution on the device, claims Moxie Marlinspike, the creator of the encrypted messaging app Signal.

Read more at bleepingcomputer.com

Cybercriminals Using Telegram Messenger to Control ToxicEye Malware

Telegram Messenger is being used by cybercriminals as the command-and-control channel for the ToxicEye malware.

Read more at thehackernews.com

Oracle Delivers 390 Security Fixes With April 2021 CPU

More than 200 of the vulnerabilities patched by Oracle could be exploited remotely without authentication.

Read more at securityweek.com

Massive Qlocker ransomware attack uses 7zip to encrypt QNAP devices

A massive ransomware campaign targeting QNAP devices worldwide is underway, and users are finding their files now stored in password-protected 7zip archives.

Read more at bleepingcomputer.com

WhatsApp Pink malware can now auto-reply to your Signal, Telegram texts

WhatsApp malware dubbed WhatsApp Pink has now been updated with advanced capabilities that let this counterfeit Android app automatically respond to your Signal, Telegram, Viber, and Skype messages. WhatsApp Pink refers to a counterfeit app that appeared this week, primarily targeting WhatsApp users in the Indian subcontinent.

Read more at bleepingcomputer.com

A Casino Gets Hacked Through a Fish-Tank Thermometer

Are your fish tanks secure?

Read more at entrepreneur.com

Hackers exploit Pulse Secure VPN flaws in sophisticated global campaign

Chinese-backed groups have been spying on US and European organisations including those in the defence industry.

Read more at itpro.co.uk

The Incredible Rise of North Korea’s Hacking Army

The country’s cyber forces have raked in billions of dollars for the regime by pulling off schemes ranging from A.T.M. heists to cryptocurrency thefts. Can they be stopped?

Read more at newyorker.com

Mount Locker Ransomware Aggressively Changes Up Tactics

The ransomware is upping its danger quotient with new features while signaling a rebranding to "AstroLocker."

Read more at threatpost.com

Attackers can hide 'external sender' email warnings with HTML and CSS

The "external sender" warnings shown to email recipients by clients like Microsoft Outlook can be hidden by the sender, as demonstrated by a researcher. Turns out, all it takes for attackers to alter the "external sender" warning, or remove it altogether from emails is just a few lines of HTML and CSS code.

Read more at bleepingcomputer.com

Linux bans University of Minnesota for committing malicious code

Linux kernel project maintainers have imposed a ban on the University of Minnesota (UMN) from contributing to the open-source Linux project after a group of UMN researchers were caught submitting a series of malicious code commits, or patches that deliberately introduced security vulnerabilities in the official Linux project.

Read more at bleepingcomputer.com

University duo thought it would be cool to sneak bad code into Linux as an experiment. Of course, it absolutely backfired

'Our community does not appreciate being experimented on' says Kroah-Hartman.

Read more at theregister.com

MI5 warns of spies using LinkedIn to steal secrets

The security agency says thousands of UK workers have been approached by spies using fake profiles.

Read more at bbc.co.uk

Adversary Dossier: Ryuk Ransomware Anatomy of an Attack in 2021

Ryuk ransomware infections have been observed since late 2018, and Ryuk actors are constantly evolving the TTPs used in Ryuk-attributed campaigns. Some of the most notable targets of these campaigns have been hospitals, government entities, and large corporations. The Ryuk adversary group is widely considered to be one of the most successful and impactful groups targeting corporations and governments worldwide.

Read more at advanced-intel.com

Finding Buried Treasure in Server Message Block (SMB)

Server Message Block (SMB) shares can represent a significant risk to an organization, and companies often lack a realistic understanding of the exposure that SMB shares represent. Effective management typically requires a sound information management program focused on identifying where critical information resides, actively controlling access to that information, and routinely auditing permissions and access patterns.

Read more at blackhillsinfosec.com

Exploit Kit still sharpens a sword

It’s 2021 now, and the first quarter has already passed. I thought the Drive-by Download attack was dead four years ago: Angler Exploit Kit disappeared, the pseudo-Darkleech and EITest campaigns disappeared, and RIG Exploit Kit also declined. At that time, the Drive-by Download attack was definitely supposed to die. However, even in 2021 it has not disappeared; a small fire still burns.

Read more at nao-sec.org

What is OSINT in 2021?

OSINT is set to become a game-changer in the intelligence and data gathering space in the next decade.

Read more at blog.sociallinks.io

Training apps. Have their privacy settings improved in 5 years? | Pen Test Partners

TL;DR: Run and bike tracking apps still have a pretty poor approach to password security and default privacy settings. From being one of the more secure apps 5 years ago

Read more at pentestpartners.com

Offensive Security Guide to SSH Tunnels and Proxies

This post aims to be a one-stop shop for all the things that an offensive security practitioner might want to know about using Secure Shell (SSH) tunnels and SOCKS proxies. The information provided here is not new, but it does aim to be a reference document that can be used during operations.

Read more at posts.specterops.io

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

The multi-stage cryptocurrency botnet has been observed exploiting the Microsoft Exchange vulnerabilities associated with the HAFNIUM attacks to penetrate networks.

Read more at cybereason.com

A Windows event logging and collection baseline focused on finding balance between forensic value and optimising retention.

Learn more at github.com

Leaky John Deere API’s: Serious Food Supply Chain Vulnerabilities

Discovering who owns John Deere tractors, harvesters, and implements. What farm they are at. How old they are. And how long they are “subscribed” for.

Learn more at sick.codes

The awesome image used in this article was created by Pedro Oliveira.