Hackers backdoor Microsoft IIS, Twitter limits SMS 2FA, Fortinet issues patches

Hackers backdoor Microsoft IIS servers with new Frebniis?malware

The new malware, spelled 'Frebniis' on Microsoft's Internet Information Services (IIS) stealthily executes commands sent via web requests. It was discovered by Symantec's Threat Hunter Team, who initially reported that an unknown threat actor is currently using it against Taiwan-based targets. In the attacks observed by Symantec, the hackers abuse an IIS feature called 'Failed Request Event Buffering' (FREB), responsible for collecting request metadata (IP address, HTTP headers, cookies). Its purpose is to help server admins troubleshoot unexpected HTTP status codes or request processing problems. The malware injects malicious code into a specific function of a DLL file that controls FREB ("iisfreb.dll") to enable the attacker to intercept and monitor all HTTP POST requests sent to the IIS server. When the malware detects specific HTTP requests the attacker sends, it parses the request to determine what commands to execute on the server.

(Bleeping Computer)

Twitter limits SMS-based 2-factor authentication to Blue subscribers only

The company stated, "while historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used – and abused – by bad actors. We will no longer allow accounts to enroll in the text message/SMS method of 2FA unless they are Twitter Blue subscribers." Twitter users who have not subscribed to Blue that have enrolled for SMS-based 2FA have until March 20, 2023, to switch to an alternative method such as an authenticator app or a hardware security key. After this cutoff date, non-Twitter Blue subscribers will have their option disabled.

(The Hacker News)

Fortinet issues patches for 40 flaws?

The updates address vulnerabilities in its FortiWeb, FortiOS, FortiNAC, and FortiProxy, products, among others. Two of these flaws are rated Critical, 15 are rated High, 22 are rated Medium, and one is rated Low in severity. Top of the list is a severe bug residing in the FortiNAC network access control solution (CVE-2022-39952, CVSS score: 9.8) that could lead to arbitrary code execution.

(The Hacker News)

Ransomware attacks surge against US manufacturing plants

According to cybersecurity firm Dragos, the manufacturing industry suffered at least 437 ransomware attacks in 2022, thus making up more than 70% of all ransomware assaults last year. The number of attacks against manufacturing plants also jumped about 107% compared with the 211 recorded against the sector in 2021. Dragos CEO Robert M. Lee said that one of the issues facing manufacturing facilities is that all too often the operators have little to no visibility into their systems as well as shared credentials between information networks and operational technology systems.

(Cyberscoop)

Thanks to this week’s episode sponsor, Barricade Cyber Solutions

Data from Australian tech giant Atlassian dumped online after apparent hack

A hacking crew called SiegedSec posted data on what appears to be thousands of employees’ PII as well as floor plans for two of the company's offices in Sydney and San Francisco. An Atlassian representative initially told CyberScoop in an email on Thursday that on Feb. 15, the company learned that data from Envoy, a third-party app Atlassian uses to coordinate in-office resources, was published online but that “Atlassian product and customer data” was “not at risk.” Atlassian makes software for project management and collaboration such as Trello, Jira and Confluence.

(Cyberscoop)

GoDaddy discloses multi-year security breach

Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said in December 2022, it received an unspecified number of customer complaints about their websites getting sporadically redirected to malicious sites, which it later found was due to the unauthorized third party gaining access to servers hosted in its cPanel environment.

(The Hacker News)

European airports endure rough week on cyberattack front

A day after a major IT failure at Lufthansa left thousands of passengers stranded, the websites of seven airports including Dusseldorf, Nuremberg, Erfurt-Weimar and Dortmund were hit by a suspected DDoS attack. The websites of Germany’s biggest airports in Frankfurt, Munich and Berlin were not targeted. On Wednesday, the pro-Russian hacker group Killnet told Russian media that it was responsible for the IT outage at Lufthansa, but the airline blamed the outage on damaged broadband cables mistakenly cut on the railway line during construction work. The group “Anonymous Russia” took responsibility for cyberattacks on German airports, and this also follows an attack last week on Scandinavian Airlines (SAS) that knocked its website offline and exposed some customer data allegedly by a group calling itself “Anonymous Sudan.”

(The Record)

VMware, Broadcom extend merger close deadline by three months

Cloud computing company VMware and chipmaker Broadcom have extended the date by which their $61 billion merger is to be completed, by 90 days, according to a regulatory filing on Friday. The new "outside date" for the deal is May 26, the filing said. The Broadcom-VMware deal was one of the biggest announcements globally in 2022, marking the chipmaker's attempt to diversify into the enterprise software segment.

(Reuters)