OSN September 29, 2021

Fortify Security Team
Sep 29, 2021

Title: This Dangerous Mobile Trojan Has Stolen a Fortune From Over 10 Million Victims
Date Published: September 29, 2021

https://www.zdnet.com/article/this-dangerous-mobile-trojan-has-stolen-a-fortune-from-over-10-million-victims-worldwide/

Excerpt: “Victims first download Android apps that appear innocent and legitimate. These apps vary from puzzle games and utilities to dating software, food and drink, with the most popular malicious app — a translator — accounting for at least 500,000 downloads. Upon installation, however, the GriftHorse Trojan, written in Apache Cordova, constantly bombards the user with messages, alerting them to a fake prize they have won and then redirecting them to a website page based on their geolocation, and, therefore, their language. Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are then subscribed to premium services “without their knowledge and consent,” zLabs noted.”

Title: NSA, CISA Release Guidance on Hardening Remote Access via VPN Solutions
Date Published: September 29, 2021

https://securityaffairs.co/wordpress/122718/security/hardening-access-via-vpn-solutions.html

Excerpt: “The guidance suggests selecting only industry-standard solutions and not choosing non-standard VPN solutions, including a class of products referred to as Secure Sockets Layer/Transport Layer Security (SSL/TLS) VPNs. These products include custom, non-standard features to tunnel traffic via TLS. The report refers to the National Information Assurance Partnership (NIAP) Product Compliant List (PCL) that includes validated VPNs that were approved after being rigorously tested by third-party labs. Select a vendor that is known for supporting products via regular software updates and quickly remediating known vulnerabilities. The agencies recommend VPN solutions that implement protections against intrusions, such as the use of signed binaries or firmware images, a secure boot process that verifies boot code before it runs, and integrity validation of runtime processes and files.”

Title: Akamai Acquires Cybersecurity Firm Guardicore for $600 Million
Date Published: September 29, 2021

https://www.zdnet.com/article/akamai-acquires-cybersecurity-firm-guardicore/

Excerpt: “The deal was announced on Wednesday. Under the terms of the agreement, Akamai will pay roughly $600 million to acquire all outstanding equity. Tel Aviv, Israel-based Guardicore is a cybersecurity company that offers the enterprise a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and to meet compliance standards. The firm’s software is based on zero-trust and strict permissions architecture, with process-level rules implemented to bolster secure access across public, private, and hybrid cloud environments.”

Title: New Finspy Malware Variant Infects Windows Systems With UEFI Bootkit
Date Published: September 29, 2021

https://thehackernews.com/2021/09/new-finspy-malware-variant-infects.html

Excerpt: “While the tool was previously deployed through tampered installers of legitimate applications such as TeamViewer, VLC, and WinRAR that were backdoored with an obfuscated downloader, subsequent updates in 2014 enabled infections via Master Boot Record (MBR) bootkits with the goal of injecting a malicious loader in a manner that’s engineered to slip past security tools. The latest feature to be added is the ability to deploy a UEFI bootkit to load FinSpy, with new samples exhibiting properties that replaced the Windows UEFI boot loader with a malicious variant as well as boasting of four layers of obfuscation and other detection-evasion methods to slow down reverse engineering and analysis.”

Title: TA544 Targets Italian Organizations with Ursnif Malware
Date Published: September 29, 2021

https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware

Excerpt: “TA544 is a cybercriminal threat actor that distributes banking malware and other payloads in various geographic regions including Italy and Japan. Proofpoint has tracked this actor since 2017. Typically, this group varies its payloads which appear to be targeted by region – for example, in 2021, all TA544 Ursnif campaigns have specifically targeted Italian organizations while Dridex payloads associated with this threat actor do not have specific geographic targeting. Ursnif is a trojan that can be used to steal data from websites, with the help of web injections, proxies and VNC connections; steal data such as stored passwords; and download updates, modules, or other malware. Although this malware is used by multiple cybercriminal threat actors, TA544’s activity targeting Italy differentiates it from other actors. Between January and August 2021, the number of observed Ursnif campaigns impacting Italian organizations surpassed the total number of observed Ursnif campaigns targeting this region in all of 2020.”

Title: REvil Customers Complain Ransomware Gang Uses Backdoors to Filch Ransoms
Date Published: September 29, 2021

https://www.theregister.com/2021/09/29/revil_customers_complain_about_backdoors/

Excerpt: “Security intelligence vendor Flashpoint claims to have found forum comments from customers of the REvil ransomware-as-a-service gang, and they’re not happy. The gang’s malware may contain backdoors that REvil uses to restore encrypted files. REvil’s modus operandi is to rent its malware to other evildoers, in return for a hefty cut of any ransoms paid by victims. Flashpoint writes that the “Exploit” forum has recently featured posts from a threat actor complaining about the backdoor, and the fact that its presence meant that REvil could let its customers do all the hard work of arranging an infection, then subvert communications with victims and keep the entire ransom for itself.”

Title: Outsourced Software Pose Greater Risks to Enterprise Application Security
Date Published: September 28, 2021

https://www.darkreading.com/edge-threat-monitor/outsourced-software-pose-greater-risks-to-enterprise-application-security

Excerpt: “Respondents are more worried about two issues this year compared to last: outsourced applications and poorly secured infrastructure. Even so, the difference is not large, as 27% of respondents say outsourced applications pose risks to the organization’s application security in 2021, compared to 25% in 2020; and 24% are worried about poorly secured infrastructure in 2021, compared to 21% in 2020. In some cases, the respondents appear to be less worried, such as over adequate developer security training, DevOps practices, and management support for application security. In 2021, just 30% of respondents say they are worried about developers untrained in security, compared to 38% who said the same in 2020.”

Title: Most Large Enterprises Fail to Protect Their Domain Names
Date Published: September 28, 2021

https://www.darkreading.com/cloud/large-enterprises-fail-to-implement-domain-protection-measures

Excerpt: “A new study published this week by domain-name management firm Corporation Service Company (CSC) analyzed the domain records of companies in the Forbes Global 2000 and used a fuzzy-matching algorithm to detect domains that were similar to those companies’ domain names — so-called “homoglyphs.” CSC found that 70% of similar domains had been registered by third parties, with more than half of homoglyphs (60%) registered in the past two years. Despite the existence of what are likely bad actors, however, 81% of large enterprises do not take basic domain security precautions, such as using the registry lock protocol, says Vincent D’Angelo, global director at CSC Digital Brand Services. “There are all these proactive controls that companies could put in place to prevent hijacking,” he says. “While there is no single magic bullet, the use of several of these controls make [their domains] that much harder to compromise.””

Title: US Deports Convicted Cyber-Criminal to Russia
Date Published: September 28, 2021

https://www.infosecurity-magazine.com/news/us-deports-convicted-cybercriminal/

Excerpt: “A cyber-criminal imprisoned in the United States for operating websites devoted to fraud and computer hacking has reportedly been deported to Russia. Aleksei Burkov was 30 years old when a senior district judge in the Eastern District of Virginia sentenced him, in June 2020, to nine years in prison. Russian native Burkov was placed under lock and key after he admitted running an illegal online marketplace that sold payment card numbers, most of which had been stolen through computer intrusions. Stolen credit card data sold via Burkov’s Cardplanet site enabled fraudulent purchases of more than $20m to be made using thousands of compromised US credit card accounts.”

Title: Federal Lawsuit Filed Against Paxton Media Group Over Data Breach
Date Published: September 25, 2021

https://www.wkdzradio.com/2021/09/25/federal-lawsuit-filed-against-paxton-media-group-targets-data-breach/news-edge/

Excerpt: “A federal lawsuit has been filed against Paxton Media Group, claiming the company had a cyber attack and massive data breach earlier this year, yet waited three or more months to tell more than 20,000 current and former employees that their private information was hacked — many of whom reside in west Kentucky. PMG owns more than 100 news outlets nationwide — but locally handles the Paducah Sun, the Kentucky New Era, the Times Leader in Princeton, the Cadiz Record, WPSD Local 6 and several other organizations in west Kentucky. Jason Riley, a criminal justice reporter for WDRB in Louisville, first broke the news Friday evening.”
