InForce Cyber

Threat Report August 2021

Widespread credential phishing campaign abuses open redirector links

Microsoft has been actively tracking a widespread credential phishing campaign using open redirector links. Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking. Doing so leads to a series of redirections—including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems—before taking the user to a fake sign-in page. This ultimately leads to credential compromise, which opens the user and their organization to other attacks.

The use of open redirects in email communications is common among organizations for various reasons. For example, sales and marketing campaigns use this feature to lead customers to a desired landing web page and track click rates and other metrics. However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent.
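The pattern described above is recognisable mechanically: a URL on a trusted host whose query string carries another absolute URL. The following Python is an added example, not code from the Microsoft report or from this newsletter. It flags such links and shows the hardened form of a redirect handler, which only follows site-relative paths or allowlisted hosts. The host names, the sample link and the allowlist are constructed for illustration.

```python
# Added example (not part of the Microsoft report or this newsletter): spot links in
# which a trusted redirector host carries the real destination inside a query
# parameter, and a hardened redirect handler that only follows allowlisted targets.
# Host names and the sample link below are constructed for illustration.
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: a tracking link on a trusted domain whose 'url' parameter
# points at a look-alike sign-in page (this is the pattern the campaign abuses).
SAMPLE_LINK = ("https://links.trusted.example/track?cid=42"
               "&url=https%3A%2F%2Fsignin-lookalike.example%2Fcaptcha")

# Hosts this application is allowed to redirect to (assumption for the example).
ALLOWED_HOSTS = frozenset({"app.trusted.example", "links.trusted.example"})


def embedded_external_targets(link):
    """Return (parameter, target) pairs for every query value that is an absolute
    or protocol-relative URL pointing at a host other than the link's own host.
    Parameter names are deliberately not allowlisted: attackers pick any name."""
    parsed = urlparse(link)
    own_host = (parsed.hostname or "").lower()
    hits = []
    for name, values in parse_qs(parsed.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes one layer of percent-encoding; a second unquote
            # catches double-encoded values such as https%253A%252F%252F...
            candidate = unquote(value)
            target = urlparse(candidate)
            if (target.scheme in ("", "http", "https") and target.netloc
                    and target.hostname and target.hostname.lower() != own_host):
                hits.append((name, candidate))
    return hits


def safe_redirect_target(requested, allowed_hosts, fallback="/"):
    """Allowlist-based validation for a redirect parameter the framework has
    already URL-decoded. Site-relative paths are kept; absolute URLs must name
    an allowlisted host; everything else falls back to a safe local page."""
    candidate = requested or ""
    target = urlparse(candidate)
    if target.netloc:
        # urlparse resolves 'https://app.trusted.example@evil.example/' to host
        # evil.example, so the userinfo trick does not pass the check.
        host = (target.hostname or "").lower()
        if target.scheme in ("http", "https") and host in allowed_hosts:
            return candidate
        return fallback                      # foreign host, or '//evil.example'
    if target.scheme:
        return fallback                      # javascript:, data:, mailto:, ...
    if candidate.startswith("/") and not candidate.startswith(("//", "/\\")):
        return candidate                     # plain site-relative path
    return fallback                          # browsers treat '/\evil' as '//evil'


if __name__ == "__main__":
    print("suspicious parameters:", embedded_external_targets(SAMPLE_LINK))
    for req in ("/account", "https://app.trusted.example/home",
                "https://evil.example/x", "//evil.example", "javascript:alert(1)"):
        print(f"{req!r} -> {safe_redirect_target(req, ALLOWED_HOSTS)!r}")
```

The detector is useful on mail-gateway URL logs: a trusted first hop with a foreign absolute URL in a parameter is exactly what hovering users and reputation checks miss. The handler side matters for your own redirectors: a denylist of bad hosts does not work, and neither does checking that the string "contains" your domain, since the userinfo and protocol-relative forms above defeat both.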

Singapore Government CIO’s Office Creates Vulnerability Hunting Program

Singapore is offering payouts of up to $5,000 for white-hat hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government’s efforts to involve the community in assessing its ICT infrastructure.

The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. It also runs bug bounty and vulnerability disclosure programmes, the latter of which is available to the public to report potential security holes.

“The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that tap the larger community, in addition to routine penetration testing conducted by the government,” GovTech said in a statement Tuesday.

Azure’s now-fixed Cosmos DB flaw could have been exploited to read, write any database

Infosec outfit Wiz has revealed that Microsoft’s flagship Azure database Cosmos DB could have been exploited to grant any Azure user full admin access – including the ability to read, write, and delete data – to any Cosmos DB instance on Azure. Without authorization. For months.

Wiz has named the flaw ChaosDB. Because a Cosmos DB primary key is a long-lived credential rather than a session token, fixing the notebook feature does not invalidate keys that were already exposed; Microsoft advised affected customers to regenerate their primary keys.

“By exploiting a chain of vulnerabilities in the Jupyter Notebook feature of Cosmos DB, a malicious actor can query information about the target Cosmos DB Jupyter Notebook,” reads Wiz’s explanation. “By doing so, the attacker will obtain a set of credentials related to the target Cosmos DB account, the Jupyter Notebook compute, and the Jupyter Notebook Storage account, including the Primary Key.”

Hacker steals 40,000 patients’ data from kidney hospital

The personal details of more than 40,000 patients at Bhumirajanagarindra Kidney Institute Hospital have been stolen by a hacker, hospital director Thirachai Chantharotsiri said on Wednesday.

Dr Thirachai said staff of the hospital in Ratchathewi district of Bangkok could not access the database of patients on Monday. A check on the system found that the information had been stolen.

The stolen data included patients’ personal information and treatment history, he said.

Texas Right to Life website exposed job applicants’ resumes

Anti-abortion group Texas Right to Life exposed the personal information of hundreds of job applicants after a website bug allowed anyone to access their resumes, which were stored in an unprotected directory on its website.

A security researcher told TechCrunch that the group’s main website, built largely on WordPress, was not properly protecting its file storage, which held the resumes of more than 300 job applicants as well as other files uploaded to the site. The resumes contained names, phone numbers, addresses and employment histories.
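The exposure described here is a web server listing the contents of an uploads folder. The following Python is an added example, not code from the article or from the organisation's site: it recognises an Apache- or nginx-style directory listing and pulls out the file names it exposes, so an operator can check their own upload paths. The sample listing and its file names are constructed.

```python
# Added example (not code from the article or from the organisation's site): recognise a
# web server's auto-generated directory listing and pull out the file names it exposes,
# so an operator can check upload paths the way the researcher in the story did.
# The sample HTML below is constructed; real listings differ slightly between servers.
import re
from html.parser import HTMLParser

# Constructed sample of an Apache-style listing for a WordPress uploads folder.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads/2021/06</title></head>
<body><h1>Index of /wp-content/uploads/2021/06</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/wp-content/uploads/2021/">Parent Directory</a>
<a href="resume-j-doe.pdf">resume-j-doe.pdf</a>  2021-06-14 09:12  88K
<a href="logo-300x300.png">logo-300x300.png</a>  2021-06-01 17:40  12K
<a href="applicants/">applicants/</a>            2021-06-20 11:03  -
</pre></body></html>"""

# File types that, in an uploads folder, usually mean documents rather than site assets.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".rtf", ".csv", ".xls", ".xlsx", ".zip")


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def listed_entries(html):
    """Return (files, subdirectories) if html is an Apache/nginx autoindex page,
    otherwise None. Sort links, the parent link and absolute paths are skipped."""
    parser = _ListingParser()
    parser.feed(html)
    if not re.match(r"\s*Index of /", parser.title):
        return None
    files, dirs = [], []
    for href in parser.hrefs:
        if href.startswith(("?", "/", "../")):
            continue
        (dirs if href.endswith("/") else files).append(href)
    return files, dirs


def exposed_documents(html):
    """File names from a listing that look like uploaded documents (resumes, exports)."""
    entries = listed_entries(html)
    if entries is None:
        return []
    return [f for f in entries[0] if f.lower().endswith(DOCUMENT_EXTENSIONS)]


if __name__ == "__main__":
    print(listed_entries(SAMPLE_LISTING))
    print("documents exposed:", exposed_documents(SAMPLE_LISTING))
```

Run it over the HTML fetched from each uploads path of a site you are responsible for; a non-None result means the server is enumerating the folder. Disabling the listing (Apache "Options -Indexes", nginx "autoindex off") removes the index page but leaves every file reachable by anyone who knows or guesses its URL, so applicant documents belong outside the web root, served only through an authenticated handler.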

The website bug was fixed over the weekend, a short time after details of the leak were posted on Twitter. The group’s website no longer lists any of the exposed files.

“We are taking action to protect the concerned individuals,” Kimberlyn Schwartz, a spokesperson for Texas Right to Life, told TechCrunch, referring to those who “sought and circulated the information.”

When asked, Schwartz would not say if the organization planned on informing those whose personal information was exposed by its security lapse. 

Bridgeport city government hacked, residents put on notice

BRIDGEPORT, W.Va. – Residents of Bridgeport have been notified city government was hacked in late May of this year. A five-page letter to residents said city IT systems were encrypted by ransomware that lets hackers hold data until a ransom is paid.

City officials have told residents operations were restored and the FBI Cyber Crimes Division was notified immediately.

There is no evidence that the attackers accessed residents’ information, but the data held on the affected systems includes Social Security numbers, birth dates, addresses, driver’s license numbers and any other information used to establish a city account.

The city will provide residents with one year of free credit monitoring. Residents will have to notify the city by December 31, 2021 to take advantage of the offer.

New Zealand banks, post office hit by outages in apparent cyber attack

The websites of several New Zealand banks and the national postal service were briefly down on Wednesday, with officials saying they were battling a cyber attack.

The country’s Computer Emergency Response Team (CERT) said it was aware of a DDoS (distributed denial of service) attack targeting a number of organisations in the country.

It was “monitoring the situation and are working with affected parties where we can,” CERT said on its website.

According to local media reports, the websites affected by the attack included Australia and New Zealand Banking Group’s (ANZ.AX) New Zealand site and NZ Post.

In a Facebook post, ANZ told customers it was aware some of them were not able to access online banking services. “Our tech team are working hard to get this fixed, we apologise for any inconvenience this may cause,” the post said.

Data Breaches (organisation, summary, records affected)

Evin Prison (Iran): A group operating under the name ‘The Justice of Ali’ shared videos with the Associated Press which appear to show security footage from the prison. The group claims to have hundreds of gigabytes of data and stated that the hack occurred several months ago. The videos bear timestamps from 2020 and 2021. Records affected: unknown.

Oriflame (Russia): According to Roskomnadzor, a stolen database of Oriflame clients was detected on three internet resources. The Kommersant newspaper reported that passport scans of Oriflame clients were put up for sale on a hacker forum. The company disclosed that it has been targeted in a series of cyberattacks. Records affected: 1,300,000.

Revere Health (US): The firm revealed that one of its employees was targeted in a phishing attack on June 21st, 2021, exposing medical records for patients in the Heart of Dixie Cardiology Department in St. George. The data includes medical record numbers, dates of birth, and some further medical and insurance information. Records affected: 12,000.

SAC Wireless (US): The Nokia subsidiary was targeted in a Conti ransomware attack on June 16th, 2021. An investigation into the attack revealed that the attackers stole personal information of current and former employees. This includes names, dates of birth, contact information, government ID numbers, Social Security numbers, and more. Records affected: unknown.

Multiple organisations: Researchers at UpGuard discovered multiple data leaks resulting from Microsoft Power Apps portals configured to allow public access. The identified exposure affected 47 entities including government bodies in the United States and private companies like American Airlines, J.B. Hunt, Ford, and Microsoft. Exposed personal data included COVID-19 contact tracing details and vaccination appointments, Social Security numbers, employee IDs, and millions of names and email addresses. The issue was first identified on May 24th, 2021. Records affected: unknown.

Eye & Retina Surgeons (Singapore): The private clinic’s database containing personal data and clinical information of patients was targeted in a ransomware attack on August 6th, 2021. Records affected: 73,000.

Here’s the top 10 list of CVEs released by Microsoft for August 2021 (CVE, title, severity, CVSS score, whether publicly disclosed before the fix, whether exploited in the wild, impact):

CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | Critical | 8.8 | Disclosed: Yes | Exploited: Yes | RCE
CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | Critical | 6.8 | Disclosed: No | Exploited: Yes | RCE
CVE-2021-31979 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Disclosed: No | Exploited: Yes | EoP
CVE-2021-33771 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | Disclosed: No | Exploited: Yes | EoP
CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.1 | Disclosed: Yes | Exploited: No | RCE
CVE-2021-33781 | Active Directory Security Feature Bypass Vulnerability | Important | 8.1 | Disclosed: Yes | Exploited: No | SFB
CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important | 9.0 | Disclosed: Yes | Exploited: No | EoP
CVE-2021-33779 | Windows ADFS Security Feature Bypass Vulnerability | Important | 8.1 | Disclosed: Yes | Exploited: No | SFB
CVE-2021-34492 | Windows Certificate Spoofing Vulnerability | Important | 8.1 | Disclosed: Yes | Exploited: No | Spoofing
CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | Critical | 8.0 | Disclosed: No | Exploited: No | RCE

Trending Vulnerable Products

Attack Type mentions in Government